packetstorm | Richard Young | PACKETSTORM:142977
Jun 16, 2017

APC UPS Daemon 3.14.14 Privilege Escalation


EPSS: 0.001 (percentile: 40.3%)

`[+] Credits: fragsh3ll aka Richard Young  
[+] Contact: https://twitter.com/fragsh3ll  
  
  
Vendor  
==========  
http://www.apcupsd.org  
  
  
Product  
===========  
APC UPS Daemon <= 3.14.14  
  
  
Vulnerability Type  
=====================  
Privilege Escalation  
  
  
Vendor Description  
=====================  
Apcupsd can be used for power management and controlling most of APC's UPS  
models on Unix and Windows machines. Apcupsd works with most of APC's  
Smart-UPS models as well as most simple signalling models such as Back-UPS,  
and BackUPS-Office. During a power failure, apcupsd will inform the users  
about the power failure and that a shutdown may occur. If power is not  
restored, a system shutdown will follow when the battery is exhausted, a  
timeout (seconds) expires, or runtime expires based on internal APC  
calculations determined by power consumption rates. Apcupsd is licensed  
under the GPL version 2.  
  
  
CVE Reference  
===============  
CVE-2017-7884  
  
  
Vulnerability Details  
========================  
The default installation of APCUPSD allows a local unprivileged user to run  
arbitrary code with elevated privileges by replacing the service executable  
apcupsd.exe with a malicious executable, which will run with SYSTEM  
privileges at startup.  
  
  
C:\apcupsd\bin\apcupsd.exe  
RW BUILTIN\Administrators  
RW NT AUTHORITY\SYSTEM  
RW NT AUTHORITY\Authenticated Users  
  
  
  
Exploit  
==========  
1) Install the application with default settings.  
  
2) Replace the service executable located at C:\apcupsd\bin\apcupsd.exe  
with an executable of your choice.  
  
3) Restart the service or computer, the executable will run.  
  
  
  
Disclosure Timeline:  
=====================================  
4/17/17 - Vendor notified  
4/17/17 - Vendor acknowledged  
5/6/17 - Vendor still working  
6/5/17 - No response  
6/14/17 - No response  
6/15/17 - Public disclosure  
  
  
`
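
The finding above is a service executable whose ACL grants write access to Authenticated Users. As an added example (not part of the original advisory or of the apcupsd project), the following PowerShell audit lists every installed service whose executable is writable by a broad built-in group; the function names, the SID list and the set of rights treated as "write" are this example's own assumptions.

```powershell
# Added example: flag service executables writable by broad built-in groups.
# SIDs are used instead of names so the check is locale-independent (assumed set).
$broadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # NT AUTHORITY\INTERACTIVE
)
# Rights that allow replacing the file or rewriting its ACL/owner, plus the
# unmapped GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$writeMask = [int]$rights -bor 0x50000000

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName may be quoted and may carry arguments; keep only the executable.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

function Get-WeakFileAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($broadSids -notcontains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Sid       = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Walk all registered services and report each weak ACE with the service name.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    $exe = Get-ServiceBinaryPath $svc.PathName
    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
        Get-WeakFileAce -Path $exe |
            Add-Member -NotePropertyName Service -NotePropertyValue $svc.Name -PassThru
    }
}
```

An empty result means no service binary grants these groups write access. The example inspects only the file itself, so the containing directory's ACL deserves the same check.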
