(0Day) Advantech WebAccess Local Escalation Of Privilege Vulnerability

2016-02-05T00:00:00
ID ZDI-16-155
Type zdi
Reporter Fritz Sands - HPE Zero Day Initiative
Modified 2016-11-09T00:00:00

Description

This vulnerability allows local users to elevate to administrator status on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the configuration of directories created during installation of the product. The code implementing many COM objects used by newly created services, which run with elevated privileges, is installed in a folder with weak security controls.
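
A defender-side audit for the condition described above, as an added example that is not part of the advisory or the vendor's code: it reports allow ACEs that grant write-type rights to non-administrative principals on service and COM server binaries under an install folder. `$InstallRoot` is a placeholder (the advisory does not name the folder), and the trusted-SID list is an assumption to adjust per site.

```powershell
# Added example. $InstallRoot is a placeholder: the advisory does not name the folder.
param([string]$InstallRoot = 'C:\PLACEHOLDER\InstallDir')

# Rights that allow planting or replacing a binary, plus GENERIC_ALL / GENERIC_WRITE,
# which some ACLs store as raw generic bits instead of file-specific rights.
$mask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000

# Assumption: principals allowed to write here (SYSTEM, Administrators,
# CREATOR OWNER placeholder ACE, TrustedInstaller). Compared by SID, so locale-independent.
$trusted = 'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

function Get-WeakAce([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    # Explicit and inherited rules, with identities returned as SIDs.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $trusted -notcontains $_.IdentityReference.Value -and
                       ([int]$_.FileSystemRights -band $mask) } |
        ForEach-Object { [pscustomobject]@{ Path   = $Path
                                            Sid    = $_.IdentityReference.Value
                                            Rights = $_.FileSystemRights } }
}

# Image paths of installed services and of machine-wide COM servers (64- and 32-bit views).
$bins  = @(Get-CimInstance Win32_Service | ForEach-Object { $_.PathName })
$bins += Get-ChildItem 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        foreach ($k in 'InprocServer32', 'LocalServer32') {
            (Get-ItemProperty -LiteralPath "$($_.PSPath)\$k" -ErrorAction SilentlyContinue).'(default)'
        }
    }

# Strip quotes and arguments, expand %VARS%, keep only binaries under the install folder.
$targets = $bins | Where-Object { $_ } | ForEach-Object {
    if ($_ -match '^\s*"([^"]+)"' -or $_ -match '^\s*(.+?\.(exe|dll))(\s|$)') {
        [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
} | Where-Object { $_ -like "$InstallRoot\*" } | Sort-Object -Unique

# Check the root, each binary, and the folder each binary lives in.
$paths = @($InstallRoot) + $targets + ($targets | ForEach-Object { Split-Path $_ -Parent }) |
    Sort-Object -Unique
$paths | Where-Object { $_ } | ForEach-Object { Get-WeakAce $_ } | Format-Table -AutoSize
```

Any row in the output is a path where a non-administrative principal can alter code that an elevated service loads; an empty result means no such ACE was found on the paths checked.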