Millewin 13.39.146.1 - Local Privilege Escalation

# Exploit Title: Millewin 13.39.146.1 - Local Privilege Escalation
# Date: 2021-02-07
# Author: Andrea Intilangelo
# Vendor Homepage: https://www.millewin.it
# Software Homepage: https://www.millewin.it/index.php/prodotti/millewin 
# Software Link: https://download.millewin.it/files/Millewin/setup/InstMille_Demo_13.39_2019PS.exe
# Version: 13.39.028 – 146.1.9
# Tested on: Microsoft Windows 10 Enterprise x64
# CVE: CVE-2021-3394

Millennium Millewin also known as "Cartella clinica"

Vendor: Millennium S.r.l. / Dedalus Group / Dedalus Italia S.p.a.

Affected version: 13.39.028
                  13.39.28.3342
                  13.39.146.1
                  -

Summary (from online translator): 
Millewin represents the Professional Solution par excellence, recognized and supported by over 18,000 doctors. Millewin is able to guarantee ideal management
of the patient's medical records, it also adheres perfectly to the most recent requirements of the General Practitioner and, thanks to the latest functional
innovations, it assists the doctor in the diagnosis and management of therapy. It can be used, at no additional cost, for group medicine and at the secretarial
station. Millewin is integrated with all Regional and Corporate Projects. Millewin modules: ACN, MilleDSS, MilleAIR, Redazione e invio fatture, MilleBook.

Vuln desc: 
The application is prone to insecure permissions in its folders that allows unprivileged user complete control. An attacker can exploit the vulnerability by
arbitrarily replacing file(s) invoked by service(s)/startup regkey impacted. File(s) will be executed with SYSTEM privileges. 

The application is subject to insecure folders permissions issue impacting the services 'MillewinTaskService' and 'PDS Server' for Windows deployed as part of
Millewin suite (Cartella clinica) software application, and the registy runkey responsible to start update (MilleUpdater) task. 
This allow an authorized but non-privileged local or remote user to execute arbitrary code with elevated privileges on the system. An attacker can easily take
advantage of the flaw arbitrarily replacing the impacted file(s) that will be executed during application startup or reboot. If successful, the malicious file(s)
would execute with the elevated privileges of the application.

The application also suffers from unquoted service path issues.


(1) Impacted executable on startup by regkey.
Any low privileged user can elevate their privileges abusing this scenario:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	MilleLiveUpdate
Value data:	"C:\Program Files (x86)\Millewin\MilleUpdater\MilleUpdater.exe"


(2) Impacted services.
Any low privileged user can elevate their privileges abusing any of these (also unquoted) services:

Millewin, operazioni pianificate    MillewinTaskService         C:\Program Files (x86)\Millewin\GestioneTaskService.exe     Auto
PDS Server                          PDS Server                  C:\Program Files (x86)\Millewin\WatchDogService.exe         Auto

	Details:
	
NOME_SERVIZIO: Millewintaskservice
        TIPO                      : 10  WIN32_OWN_PROCESS
        TIPO_AVVIO                : 2   AUTO_START
        CONTROLLO_ERRORE          : 1   NORMAL
        NOME_PERCORSO_BINARIO     : C:\Program Files (x86)\Millewin\GestioneTaskService.exe
        GRUPPO_ORDINE_CARICAMENTO :
        TAG                       : 0
        NOME_VISUALIZZATO         : Millewin, operazioni pianificate
        DIPENDENZE                :
        SERVICE_START_NAME : LocalSystem

NOME_SERVIZIO: PDSserver
        TIPO                      : 10  WIN32_OWN_PROCESS
        TIPO_AVVIO                : 2   AUTO_START
        CONTROLLO_ERRORE          : 1   NORMAL
        NOME_PERCORSO_BINARIO     : C:\Program Files (x86)\Millewin\WatchDogService.exe
        GRUPPO_ORDINE_CARICAMENTO :
        TAG                       : 0
        NOME_VISUALIZZATO         : PDS Server
        DIPENDENZE                :
        SERVICE_START_NAME : LocalSystem


(3) Folder permissions.
Insecure folders permissions issue:

C:\Program Files (x86)\Millewin 
                                BUILTIN\Users:(OI)(CI)(F)
                                Everyone:(OI)(CI)(F)
                                NT SERVICE\TrustedInstaller:(I)(F)
                                NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                NT AUTHORITY\SYSTEM:(I)(F)
                                NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                BUILTIN\Administrators:(I)(F)
                                BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                BUILTIN\Users:(I)(RX)
								BUILTIN\Users:(OI)(CI)(IO)(ID)(accesso speciale:)
                                                              GENERIC_READ
                                                              GENERIC_EXECUTE
                                ...[SNIP]...

C:\Program Files (x86)\Millewin\MilleUpdater 
                                             BUILTIN\Users:(OI)(CI)(ID)F
											 Everyone:(OI)(CI)(ID)F
                                             NT SERVICE\TrustedInstaller:(ID)F
                                             NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                             NT AUTHORITY\SYSTEM:(ID)F
                                             NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                             BUILTIN\Administrators:(ID)F
                                             BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
                                             BUILTIN\Users:(OI)(CI)(IO)(ID)(accesso speciale:)
                                                                           GENERIC_READ
                                                                           GENERIC_EXECUTE
                                ...[SNIP]...