Realtek 11n Wireless LAN Utility Privilege Escalation

2015-02-13T00:00:00
ID PACKETSTORM:130515
Type packetstorm
Reporter Humberto Cabrera
Modified 2015-02-13T00:00:00

Description

                                        
                                            `Realtek 11n Wireless LAN utility privilege escalation.  
  
Vulnerability Discovered by Humberto Cabrera @dniz0r  
http://zeroscience.mk @zeroscience  
  
Summary:  
⁃ Realtek 11n Wireless LAN utility is deployed and used by realtek  
alfa cards and more in order to help diagnose and view wireless card  
properties.  
  
Description:  
- Unquoted Privilege escalation that allows a user to gain SYSTEM  
privileges.  
  
Date - 12 Feb 2015  
Version: 700.1631.106.2011  
Vendor: www.realtek.com.tw  
Advisory URL:  
https://eaty0face.wordpress.com/2015/02/13/realtek-11n-wireless-lan-utility-privilege-escalation/  
Tested on: Win7  
  
[SC] QueryServiceConfig SUCCESS  
  
SERVICE_NAME: realtek11ncu  
TYPE : 110 WIN32_OWN_PROCESS (interactive)  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : C:\Program Files\REALTEK\11n USB Wireless LAN  
Utility\RtlService.exe  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : Realtek11nCU  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem  
  
C:\Windows\system32>sc qc realtek11nsu  
[SC] QueryServiceConfig SUCCESS  
  
SERVICE_NAME: realtek11nsu  
TYPE : 110 WIN32_OWN_PROCESS (interactive)  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : C:\Program Files\REALTEK\Wireless LAN  
Utility\RtlService.exe  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : Realtek11nSU  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem  
  
  
`