MailEnable Multiple Local Privilege Escalations Vulnerability

[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MAILENABLE-MULTIPLE-PRIVILEGE-ESCALATIONS.txt
[+] ISR: ApparitionSec

Vendor:
===================
www.mailenable.com

Products:
============
MailEnable


MailEnable provides Windows Mail Server software with features comparable to Microsoft Exchange. It provides powerful messaging services
like Exchange ActiveSync, IMAP, SMTP, POP3 and collaboration tools such as calendaring (CalDAV), contacts (CardDAV), tasks and notes.



Vulnerability Type:
===================
Local Privilege Escalation (Unquoted Service Path)



CVE Reference:
==============
N/A



Security Issue:
==================

The following MailEnable product services contain multiple local privilege escalation vectors, potentially allowing unprivileged user to
gain code execution as SYSTEM via unquoted service paths.

Reference:
https://www.mailenable.com/Standard-ReleaseNotes.txt


c:\>sc qc MELCS
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MELCS
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\Mail Enable\Bin64\MELSC.EXE
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MailEnable List Connector
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem



c:\>sc qc MEMTAS
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MEMTAS
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\Mail Enable\Bin64\MEMTA.EXE
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MailEnable Mail Transfer Agent
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem



c:\>sc qc MEPOPS
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MEPOPS
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\Mail Enable\Bin64\MEPOPS.EXE
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MailEnable POP Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem


c:\>sc qc MEPOCS
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MEPOCS
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\Mail Enable\Bin64\MEPOC.EXE
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MailEnable Postoffice Connector
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem



c:\>sc qc MESMTPCS
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MESMTPCS
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\Mail Enable\Bin64\MESMTPC.EXE
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MailEnable SMTP Connector
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem






Disclosure Timeline:
=====================================
Vendor Notification: January 5, 2017
Vendor Acknowledgement: January 5, 2017
Vendor Fix: January 5, 2017
February 12, 2017 : Public Disclosure



Exploit/POC:
============

1) Create EXE named 'Program.exe'


2) Inject 'Program.exe' into the path of the service. After service restart or system reboot, authorized local user can
then execute arbitrary code with elevated privileges as SYSTEM.

#  0day.today [2018-01-03]  #