PeanutHull Local Privilege Escalation Vulnerability
EN: http://secway.org/advisory/AD20050720EN.txt CN: http://secway.org/advisory/AD20050720CN.txt
PeanutHull <= 3.0 Beta 5
Oray Inc. is the world's biggest DDNS (Dynamic Domain Name Service) Provider (According to their WEBSITE). PeanutHull is the DDNS client For more information ,see http://www.oray.net
The vulnerability is caused due to SYSTEM privileges are not dropped when accessing the PeanutHull from the System Tray icon.
A local non-privileged user can access the application via the system tray and can execute commands with Local System privileges.
Exploit: 1. Double click on the PeanutHull icon in the Taskbar to open the PeanutHull window. 2. Click Help, click BBS 3. Type C:\ in the poped up IE Address BAR 4. Navagate to %WINDIR%\System32\ 5. click CMD.exe 6. A new command shell will open with SYSTEM privileges
Exploitng this vulnerability allows local non-privileged user to obtain SYSTEM privilege.
2005.07.13 Vendor notified via email 2005.07.14 Vendor responsed that this problem will be fixed in the 3.0 Final Version. 2005.07.20 PeanutHull 3.0 Released 2005.07.20 So I released this advisory
Please update to PeanutHull 3.0 http://www.oray.net
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/