| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <200907200913.n6K9DN8R019019@www3.securityfocus.com>
Date: Mon, 20 Jul 2009 03:13:23 -0600
From: nospam@...il.it
To: bugtraq@...urityfocus.com
Subject: Adobe related service (getPlus_HelperSvc.exe) local elevation of
privileges
Adobe related service (getPlus_HelperSvc.exe) local elevation of privileges
by Nine:Situations:Group
description:
Adobe downloader used to download updates for Adobe applications.
Shipped with Acrobat Reader 9.x
vendor: Nos Microsystems
poc:
C:\>sc qc "getPlus(R) Helper"
[SC] GetServiceConfig SUCCESS
SERVICE_NAME: getPlus(R) Helper
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Programmi\NOS\bin\getPlus_HelperSvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : getPlus(R) Helper
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem
C:\>cacls "C:\Programmi\NOS\bin\getPlus_HelperSvc.exe"
C:\Programmi\NOS\bin\getPlus_HelperSvc.exe BUILTIN\Users:F <-------------- [!!!]
NT AUTHORITY\SYSTEM:F
The executable files is installed with improper permissions, with "full
control" for Builtin Users; a simple user can replace it with a binary of
choice.
At the next reboot it will run with SYSTEM privileges.
original url: http://retrogod.altervista.org/9sg_adobe_local.html
Powered by blists - more mailing lists