Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Samsung SW Update 2.2.7.22 Insecure ACLs

🗓️ 13 Jun 2016 00:00:00Reported by Benjamin GnahmType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 129 Views

Samsung SW Update 2.2.7.22 Insecure ACLs allows user privilege escalation to SYSTEM through crafted DLL file placed in service directory

Code
`Blue Frost Security GmbH  
https://www.bluefrostsecurity.de/   
research(at)bluefrostsecurity.de  
BFS-SA-2016-002  
25-April-2016  
________________________________________________________________________________  
  
Vendor: Samsung, www.samsung.com  
Affected Products: SW Update  
Affected Version: <= 2.2.7.22  
Vulnerability: Insecure ACLs on SW Update Service Directory  
CVE ID: n/a  
OVE ID: OVE-20160530-0004  
Vendor ID: SI-6041  
________________________________________________________________________________  
  
I. Impact  
  
If the SW Update software is installed on a Windows system, any  
authenticated  
user can escalate privileges to become the SYSTEM user by placing a crafted  
DLL file in the SW Update Service directory and triggering or waiting  
for the  
next system reboot.  
________________________________________________________________________________  
  
II. Vulnerability Details  
  
Samsung consumer computers come with a preinstalled software called SW  
Update.  
This software is used to install and update all the necessary drivers and  
software.  
  
The SW Update software installs a Windows service called SWUpdateService  
which  
is running as SYSTEM. The service binary SWMAgent.exe is located in the  
directory "C:\ProgramData\Samsung\SW Update Service\".  
  
The ACLs set on this directory allow any authenticated user to create  
new files  
as can be seen by the FILE_WRITE_DATA access right below:  
  
C:\>cacls "c:\Programdata\Samsung\SW Update Service"  
c:\Programdata\Samsung\SW Update Service NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F  
  
BUILTIN\Administrators:(OI)(CI)(ID)F  
CREATOR OWNER:(OI)(CI)(IO)(ID)F  
BUILTIN\Users:(OI)(CI)(ID)R  
BUILTIN\Users:(CI)(ID)(special  
access:)  
FILE_WRITE_DATA  
FILE_APPEND_DATA  
FILE_WRITE_EA  
FILE_WRITE_ATTRIBUTES  
  
When the service is started it tries to load several non-existing DLL files  
from the service directory such as MSIMG32.dll, UxTheme.dll or USERENV.dll.  
  
A user can place a malicious DLL file with one of the expected names into  
that directory and wait until the service is restarted. The service can not  
be restarted by normal users but an attacker could just reboot the system or  
wait for the next reboot to happen.  
  
Afterwards his malicious DLL file would be loaded by the service which is  
running with SYSTEM privileges which would give the attacker full control  
over the machine.  
________________________________________________________________________________  
  
III. Mitigation  
  
To mitigate the issue the ACL on the service directory should be adjusted to  
prevent normal users from writing to this directory or install the official  
update to version 2.2.7.24.  
________________________________________________________________________________  
  
IV. Disclosure Timeline  
  
- 2016-04-25 contacted [email protected] and requested a security  
contact for consumer desktop / notebook software  
- 2016-04-29 Samsung confirmed that the advisory was received and that  
it will  
be analyzed  
- 2016-05-27 Requested status update  
- 2016-05-30 Samsung confirmed that issue "SI-6041" has been fixed starting  
with version 2.2.7.24  
- 2016-05-30 Requested OVE ID: OVE-20160530-0004 was assigned  
________________________________________________________________________________  
  
Credit:  
Bug found by Benjamin Gnahm (@mitp0sh) of Blue Frost Security GmbH.  
________________________________________________________________________________  
  
Unaltered electronic reproduction of this advisory is permitted. For all  
other  
reproduction or publication, in printing or otherwise, contact  
research(at)bluefrostsecurity de for permission. Use of the advisory  
constitutes  
acceptance for use in an "as is" condition. All warranties are excluded.  
In no  
event shall Blue Frost Security be liable for any damages whatsoever  
including  
direct, indirect, incidental, consequential, loss of business profits or  
special damages, even if Blue Frost Security has been advised of the  
possibility of such damages.  
  
Copyright 2016 Blue Frost Security GmbH. All rights reserved. Terms of  
use apply.  
  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Jun 2016 00:00Current
7.4High risk
Vulners AI Score7.4
samsung sw updateinsecure aclsuser privilege escalationsystem usercrafted dllservice directoryaclsvulnerabilitywindows systemswupdateserviceswmagent.exesecurity update
129