Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Realtek 11n Wireless LAN Utility Privilege Escalation

🗓️ 24 Feb 2015 00:00:00Reported by Humberto CabreraType 
zeroscience
 zeroscience🔗 www.zeroscience.mk👁 55 Views

Realtek 11n Wireless LAN Utility Privilege Escalation. Unquoted search path allows local user to execute arbitrary code with elevated privilege

Code
<html><body><p>Realtek 11n Wireless LAN Utility Privilege Escalation


Vendor: Realtek Semiconductor Corp.
Product web page: http://www.realtek.com.tw
Affected version: 700.1631.106.2011

Summary: Realtek 11n Wireless LAN utility is deployed and used by realtek
alfa cards and more in order to help diagnose and view wireless card
properties.

Desc: The application suffers from an unquoted search path issue impacting
the Realtek Service 'Realtek11nSU' and 'Realtek11nCU' for Windows deployed
as part of 11n USB Wireless LAN Utility. This could potentially allow an
authorized but non-privileged local user to execute arbitrary code with elevated
privileges on the system. A successful attempt would require the local user
to be able to insert their code in the system root path undetected by the
OS or other security applications where it could potentially be executed
during application startup or reboot. If successful, the local user’s code
would execute with the elevated privileges of the application.

Tested on: Microsoft Windows 7


Vulnerability discovered by Humberto Cabrera
                            @dniz0r


Advisory ID: ZSL-2015-5228
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5228.php


12.02.2015

--


 
[SC] QueryServiceConfig SUCCESS
 
SERVICE_NAME: realtek11ncu
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\REALTEK\11n USB Wireless LAN
Utility\RtlService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Realtek11nCU
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
 
C:\Windows\system32&gt;sc qc realtek11nsu
[SC] QueryServiceConfig SUCCESS
 
SERVICE_NAME: realtek11nsu
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\REALTEK\Wireless LAN
Utility\RtlService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Realtek11nSU
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
</p></body></html>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
24 Feb 2015 00:00Current
6.2Medium risk
Vulners AI Score6.2
realtek 11n wireless lanprivilege escalationunquoted search pathlocal userarbitrary codeelevated privilegesvulnerability discoveryzero science lab
55