`itle: InstantHMI - EoP: User to ADMIN
CWE Class: CWE-276: Incorrect Default Permissions
Vendor: Software Horizons
Download link: http://www.instanthmi.com/ihmisoftware.htm
Tested on: Windows 7 x86, fully patched
Release mode: no bugbounty program, public release
Installer Name: IHMI61-PCInstall-Unicode.exe
- 1. Introduction: -
During a standard installation (default option) the installer
automatically creates a folder named "IHMI-6" in the root drive.
No other location can be specified during standard installation.
As this folder receives default permissions AUTHENTICATED USERS
are given the WRITE permission.
Because of this they can replace binaries or plant malicious
DLLs to obtain elevated, administrative level, privileges.
- 2. Technical Details/PoC: -
A. Obtain and execute the installer.
B. Observe there is no prompt for the installation location.
C. Review permissions under the Explorer Security tab or run icacls.exe
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
Successfully processed 1 files; Failed processing 0 files
D. Change the main executable: InstantHMI.exe with a malicious copy.
E. Once executed by an administrator our code will run
under administrator level privileges.
- 3. Mitigation: -
A. Install under "c:\program files" or "C:\Program Files (x86)"
B. set appropriate permissions on the application folder.
- 4. Author: -