1337DAY-ID-35570 (zdt)
Victor Gil
Dec 24, 2020 - 12:00 a.m.

SUPREMO 4.1.3.2348 Privilege Escalation Vulnerability

2020-12-24 00:00:00
Victor Gil
0day.today

CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

CVSS3: 7.8 High (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

EPSS: 0.002 Low (Percentile 52.7%)

Details
=======

Subject:  Local Privilege Escalation
Product: SUPREMO by Nanosystems S.r.l.
Vendor Homepage: https://www.supremocontrol.com/
Vendor Status: fixed version released
Vulnerable Version: 4.1.3.2348 (no other version was tested, but older
versions are believed to be vulnerable as well)
Fixed Version: 4.2.0.2423
CVE Number: CVE-2020-25106
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25106
Authors: Victor Gil (A2SECURE), Adan Alvarez (A2SECURE)

Vulnerability Description
=======

When Supremo runs as a service, its built-in File Manager performs file
operations with the service's LocalSystem privileges. A user connected
through Supremo can therefore modify files in the installation directory
with system privileges, for example rename Supremo.exe and then upload a
trojan horse under the Supremo.exe filename, which allows the attacker to
obtain LocalSystem access.

Proof of Concept
================

To exploit this vulnerability Supremo must be running as a service. Then
follow these steps:

  - Connect to Supremo from a different machine.
  - Open File Manager.
  - Go to the directory where the Supremo executable is located.
  - Modify the name of the executable.
  - Upload a malicious executable and rename it to Supremo.exe.
  - Close Supremo.

After these steps, because Supremo is running as a service, the service
starts the replaced executable as System, allowing an attacker to elevate
privileges to System.

Fix
===

The vendor provides an updated version (4.2.0.2423).
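The following PowerShell script is an added example for defenders and is not part of the original advisory or the vendor's tooling. It locates any Supremo service on a Windows host, reports the account the service runs as (the advisory's precondition is that it runs as a service, i.e. as LocalSystem), compares the binary's file version against the fixed version 4.2.0.2423 taken from the advisory, and, as a related check the advisory does not describe, flags whether low-privileged identities hold write rights on the install folder, since that would allow the same binary replacement without the File Manager. The service-name pattern `*Supremo*` is an assumption.

```powershell
# Added example (not from the advisory): audit a host for a vulnerable
# Supremo service build and for a writable install folder.

$FixedVersion = [version]'4.2.0.2423'   # fixed version stated in the advisory

# Identities that should never hold write rights on a service binary's folder.
$LowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Win32_Service.PathName may be quoted and may carry arguments; keep the executable only.
function Get-ServiceBinaryPath {
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

# True when any low-privileged identity is allowed Write, Modify or FullControl on $Folder.
function Test-WeakFolderAcl {
    param([string]$Folder)
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl = Get-Acl -LiteralPath $Folder
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

# Assumption: the service name or display name contains "Supremo".
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.Name -like '*Supremo*' -or $_.DisplayName -like '*Supremo*' }

if (-not $services) {
    Write-Output 'No Supremo service found on this host.'
    return
}

foreach ($svc in $services) {
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not (Test-Path -LiteralPath $exe)) {
        Write-Warning "$($svc.Name): service binary '$exe' not found"
        continue
    }

    # FileVersion is a string; fall back to $null if it is not a parsable version.
    $fileVersion = $null
    try { $fileVersion = [version](Get-Item -LiteralPath $exe).VersionInfo.FileVersion } catch {}

    [pscustomobject]@{
        Service       = $svc.Name
        RunsAs        = $svc.StartName          # LocalSystem is the advisory's precondition
        Binary        = $exe
        FileVersion   = $fileVersion
        Vulnerable    = if ($fileVersion) { $fileVersion -lt $FixedVersion } else { 'unknown' }
        WeakFolderAcl = Test-WeakFolderAcl (Split-Path -Parent $exe)
    }
}
```

Run it from an elevated PowerShell session so that `Get-Acl` can read the install folder's security descriptor; a row with `RunsAs = LocalSystem` and `Vulnerable = True` matches the configuration the advisory describes and should be updated to 4.2.0.2423 or later.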

Timeline
========

2020-07-13 Disclosed to Vendor
2020-10-19 Vendor releases the final patch
2020-12-21 Advisory released
