(0Day) Advantech WebAccess Local Escalation Of Privilege Vulnerability

ID ZDI-16-155
Type zdi
Reporter Fritz Sands - HPE Zero Day Initiative
Modified 2016-11-09T00:00:00


This vulnerability allows local users to elevate to administrator status on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the configuration of directories created during installation of the product. The implementing code for many COM objects used by newly created services, which run with elevated privileges, is installed in a folder with weak security controls.
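One way to check a host for the condition described above, as an added example that is not part of the advisory or the vendor's tooling: a read-only PowerShell audit that lists folders holding registered COM server binaries where a low-privileged group holds write-type rights. It goes beyond this product by scanning every COM registration under HKLM; the SID list and access mask are assumptions about what counts as "weak".

```powershell
# Added example (not from the advisory): report folders that hold registered COM
# server binaries and are writable by low-privileged principals. Read-only audit.

# Assumed low-privileged SIDs: Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
$lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'

# Bits that allow planting or replacing a file: WriteData, AppendData,
# DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership,
# plus GENERIC_ALL and GENERIC_WRITE as they appear in inherit-only ACEs.
$writeMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor
             0x10000000 -bor 0x40000000

function Get-WeakAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    # Ask for SIDs directly so the check does not depend on localized group names.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPrivSids -contains $_.IdentityReference.Value -and
            ([int]$_.FileSystemRights -band $writeMask)
        }
}

# COM class registrations in the 64-bit and 32-bit views of HKLM.
$roots = 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
$folders = foreach ($root in $roots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $key = "$($_.PSPath)\$sub"
            $value = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
            if (-not $value) { continue }
            # Expand %VARS%, then take the quoted path or the text up to the extension.
            $value = [Environment]::ExpandEnvironmentVariables($value)
            if ($value -match '^\s*"([^"]+)"' -or $value -match '^\s*(.+?\.(?:exe|dll|ocx))') {
                Split-Path -Path $Matches[1] -Parent
            }
        }
    }
}

# One row per weak ACE; no output means no finding under the assumptions above.
$folders | Where-Object { $_ } | Sort-Object -Unique | ForEach-Object {
    $folder = $_
    Get-WeakAce -Path $folder | ForEach-Object {
        [pscustomobject]@{ Folder = $folder; Sid = $_.IdentityReference.Value; Rights = $_.FileSystemRights }
    }
}
```

Any folder it reports should have its ACL tightened so that only administrators and SYSTEM can write to it.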