Lucene search
Andrea Intilangelo1337DAY-ID-38587HistoryApr 13, 2023 - 12:00 a.m.
File Replication Pro 7.5.0 Insecure Permissions / Privilege Escalation Vulnerabilities
2023-04-1300:00:00
Andrea Intilangelo
0day.today
184
file replication pro
vulnerabilities
privilege escalation
incorrect access control
password disclosure
diasoft corporation
windows services
remote access
sha-1
base64
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.5 High
AI Score
Confidence
High
0.023 Low
EPSS
Percentile
89.7%
File Replication Pro version 7.5.0 suffers from having insecure directory permissions that can allow a local attacker the ability to escalate privileges.
# Exploit Title: File Replication Pro 7.5.0 - Password disclosure/reset & PrivEsc due Incorrect Access Control
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: http://www.diasoft.net - https://www.filereplicationpro.com
# Software Link: http://www.filereplicationpro.com/install/InstData/Windows_64_Bit/VM/frpro.exe
# Version: 7.5.0
# Tested on: Windows 10 Pro 22H2 x64
# CVE: CVE-2023-26918
Incorrect file/folder permissions in Diasoft Corporation's File Replication Pro 7.5.0 allow privilege escalation by
replacing a file with another one that will be executed with "LocalSystem" rights from Windows Services application.
C:\Program Files>icacls "c:\Program Files\FileReplicationPro"
c:\Program Files\FileReplicationPro Everyone:(F)
Everyone:(OI)(CI)(IO)(F)
C:\Users\Administrator>sc qc frp
[SC] QueryServiceConfig OPERAZIONI RIUSCITE
NOME_SERVIZIO: frp
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : "C:\Program Files\FileReplicationPro\prunsrv.exe" //RS//frp
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : FRPReplicationServer
DIPENDENZE : Tcpip
: Afd
SERVICE_START_NAME : LocalSystem
To exploit the vulnerability a malicious actor/process must weaponize or replace the prunsrv.exe executable that runs
with LocalSystem privileges as "frp" (FRPReplicationServer) service, since the application's path has "Everyone" full
access permissions.
Moreover, the "properties.xml" file in the "etc" folder inside program's path contains the hashed password for remote
access stored in sha1(base64) value, that is possible to modify. Replacing it with a new hash, generated by encrypting
a string in SHA-1 and encoding its digest via base64, will grant the login access on the application's web interface.
Related
packetstorm
packetstorm
File Replication Pro 7.5.0 Insecure Permissions / Privilege Escalation
2023-04-13 00:00:00
nvd
nvd
CVE-2023-26918
2023-04-14 00:15:06
prion
prion
Design/Logic Flaw
2023-04-14 00:15:00
cvelist
cvelist
CVE-2023-26918
2023-04-13 00:00:00
cve
cve
CVE-2023-26918
2023-04-14 00:15:06
exploitdb
exploitdb
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.5 High
AI Score
Confidence
High
0.023 Low
EPSS
Percentile
89.7%
Related for 1337DAY-ID-38587