AD20050720EN.txt

`PeanutHull Local Privilege Escalation Vulnerability  
  
by Sowhat  
  
EN: http://secway.org/advisory/AD20050720EN.txt  
CN: http://secway.org/advisory/AD20050720CN.txt  
  
Product Affected:  
  
PeanutHull <= 3.0 Beta 5   
  
  
Overview:  
  
Oray Inc. is the world's biggest DDNS (Dynamic Domain Name Service)  
Provider (According to their WEBSITE). PeanutHull is the DDNS client  
For more information ,see http://www.oray.net   
  
Details:  
  
The vulnerability is caused due to SYSTEM privileges are not   
dropped when accessing the PeanutHull from the System Tray icon.  
  
A local non-privileged user can access the application via the   
system tray and can execute commands with Local System privileges.  
  
Exploit:  
1. Double click on the PeanutHull icon in the Taskbar to open   
the PeanutHull window.  
2. Click Help, click BBS  
3. Type C:\ in the poped up IE Address BAR  
4. Navagate to %WINDIR%\System32\  
5. click CMD.exe   
6. A new command shell will open with SYSTEM privileges  
  
Exploitng this vulnerability allows local non-privileged user  
to obtain SYSTEM privilege.  
  
Vendor Response:  
  
2005.07.13 Vendor notified via email   
2005.07.14 Vendor responsed that this problem will be fixed   
in the 3.0 Final Version.  
2005.07.20 PeanutHull 3.0 Released  
2005.07.20 So I released this advisory  
  
Please update to PeanutHull 3.0  
http://www.oray.net  
`