lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 15 Jun 2017 09:57:15 -0400
From: Richard Young <fragsh3ll@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] APC UPS Daemon <= 3.14.14 Local Privilege Escalation

[+] Credits: fragsh3ll aka Richard Young
[+] Contact: https://twitter.com/fragsh3ll


Vendor
==========
http://www.apcupsd.org


Product
===========
APC UPS Daemon <= 3.14.14


Vulnerability Type
=====================
Privilege Escalation


Vendor Description
=====================
Apcupsd can be used for power mangement and controlling most of APC’s UPS
models on Unix and Windows machines. Apcupsd works with most of APC’s
Smart-UPS models as well as most simple signalling models such a Back-UPS,
and BackUPS-Office. During a power failure, apcupsd will inform the users
about the power failure and that a shutdown may occur. If power is not
restored, a system shutdown will follow when the battery is exhausted, a
timeout (seconds) expires, or runtime expires based on internal APC
calculations determined by power consumption rates. Apcupsd is licensed
under the GPL version 2.


CVE Reference
===============
CVE-2017-7884


Vulnerability Details
========================
The default installation of APCUPSD allows a local unprivileged user to run
arbitrary code with elevated privileges by replacing the service executable
apcupsd.exe with a malicious executable, which will run with SYSTEM
privileges at startup.


C:\apcupsd\bin\apcupsd.exe
  RW BUILTIN\Administrators
  RW NT AUTHORITY\SYSTEM
  RW NT AUTHORITY\Authenticated Users



Exploit
==========
1) Install the application with default settings.

2) Replace the service executable located at C:\apcupsd\bin\apcupsd.exe
with an executable of your choice.

3) Restart the service or computer, the executable will run.



Disclosure Timeline:
=====================================
4/17/17 - Vendor notified
4/17/17 - Vendor acknowledged
5/6/17 - Vendor still working
6/5/17 - No response
6/14/17 - No response
6/15/17 - Public disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists