Message-ID: <CAKvdgaPjhMzEn=dfyukrvwj=RpQ6+eyUXLs4JtCPg1OTtth9iA@mail.gmail.com>
Date: Mon, 28 Nov 2016 23:42:19 +0100
From: Rio Sherri <rio.sherri@...nstudent.info>
To: fulldisclosure <fulldisclosure@...lists.org>
Subject: [FD] Eagle Speed USB MODEM SOFTWARE Privilege Escalation

# Vulnerability Description:
# When the Eagle Speed software is installed, a service named ZDServ is installed.
# The service itself has the right permissions, which do not allow reconfiguring the binary,
# but the path to the binary is writable by any authenticated user.
#
# C:\Users\lowpriv>sc qc zdserv
# [SC] QueryServiceConfig SUCCESS
#
# SERVICE_NAME: zdserv
#        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
#        START_TYPE         : 2   AUTO_START
#        ERROR_CONTROL      : 1   NORMAL
#        BINARY_PATH_NAME   : "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
#        LOAD_ORDER_GROUP   :
#        TAG                : 0
#        DISPLAY_NAME       : ZDServ
#        DEPENDENCIES       :
#        SERVICE_START_NAME : LocalSystem
#
#
#
# C:\Users\lowpriv>icacls "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
# C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe Everyone:(I)(F) <----------- Everyone has full permissions.
#                                           NT AUTHORITY\SYSTEM:(I)(F)
#                                           BUILTIN\Administrators:(I)(F)
#                                           Victim-PC\lowpriv:(I)(F)
#                                           BUILTIN\Users:(I)(RX)
#
# Successfully processed 1 files; Failed processing 0 files
#
# This exploit takes as a parameter an exe file that will replace ZDServ.exe and will run
# with full privileges when the service/computer is restarted.
#
# Video : https://youtu.be/o59SD8gXzlU
#
Exploit is attached.

View attachment "exploit.py" of type "text/x-python" (3109 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
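
Added example, not part of the original post or its attached exploit.py: a defensive check that parses `icacls` output for a service binary and reports every principal outside an allow-list that holds a write-capable right. The function name `risky_aces`, the allow-list and the set of rights treated as write-capable are assumptions of this example; the sample input is the output quoted in the post with the `#` prefixes removed.

```python
import re

# Assumed allow-list: principals expected to be able to modify a service binary.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\ADMINISTRATORS", "NT SERVICE\\TRUSTEDINSTALLER"}
# icacls right tokens that allow modifying, replacing or re-permissioning the file.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WDAC", "WO", "GA", "GW"}
ACE = re.compile(r"(?P<who>[^:()]+):(?P<perms>(?:\([^)]*\))+)")

# Sample input: the icacls output shown in the post.
SAMPLE_PATH = r"C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
SAMPLE = r"""C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe Everyone:(I)(F)
                                           NT AUTHORITY\SYSTEM:(I)(F)
                                           BUILTIN\Administrators:(I)(F)
                                           Victim-PC\lowpriv:(I)(F)
                                           BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""


def risky_aces(binary_path, icacls_output):
    """Return [(principal, [write-capable rights])] for non-allow-listed ACEs."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        # The first ACE shares a line with the file path; drop the path.
        if line.lower().startswith(binary_path.lower()):
            line = line[len(binary_path):].strip()
        m = ACE.fullmatch(line)
        if not m:
            continue  # blank lines and the "Successfully processed" summary
        who = m.group("who").strip()
        groups = re.findall(r"\(([^)]*)\)", m.group("perms"))
        tokens = {t.strip() for g in groups for t in g.split(",")}
        # Deny entries grant nothing; allow-listed principals are expected.
        if "DENY" in tokens or who.upper() in TRUSTED:
            continue
        granted = sorted(tokens & WRITE_RIGHTS)
        if granted:
            findings.append((who, granted))
    return findings


if __name__ == "__main__":
    for who, rights in risky_aces(SAMPLE_PATH, SAMPLE):
        print(f"{who}: {','.join(rights)}")
```

The same check applies to the `icacls` output of the folder that holds the binary, since write access to the folder also allows the file to be replaced.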
