WinGate 9.4.1.5998 Insecure Permissions / Privilege Escalation Vulnerability

[+] Credits: John Page (aka hyp3rlinx)    
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/WINGATE-INSECURE-PERMISSIONS-LOCAL-PRIVILEGE-ESCALATION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec     


[Vendor]
wingate.com


[Product]
WinGate v9.4.1.5998

WinGate is a sophisticated integrated Internet gateway and communications server designed to meet the control,
security and email needs of today's Internet-connected businesses.


[Vulnerability Type]
Insecure Permissions EoP


[CVE Reference]
CVE-2020-13866


[Security Issue]
WinGate has insecure permissions for the installation directory, which allows local
users ability to gain privileges by replacing an executable file with a Trojan horse.
The WinGate directory hands (F) full control to authenticated users, who can then run
arbitrary code as SYSTEM after a WinGate restart or system reboot.


C:\Program Files\WinGate>cacls WinGate.exe
C:\Program Files\WinGate\WinGate.exe NT AUTHORITY\Authenticated Users:(ID)F
                                     NT AUTHORITY\SYSTEM:(ID)F
                                     BUILTIN\Administrators:(ID)F
                                     BUILTIN\Users:(ID)R
                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R


[Affected Component]
WinGate Installation Directory

[Impact Code execution]
true

[Impact Denial of Service]
true

[Impact Escalation of Privileges]
true

[Impact Information Disclosure]
true


[Exploit/POC]
Logon as standard user replace WinGate.exe with a trojan executable, wait for restart or reboot the system, your code runs as SYSTEM.