lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 15 Jun 2017 09:57:15 -0400
From: Richard Young <>
Subject: [FD] APC UPS Daemon <= 3.14.14 Local Privilege Escalation

[+] Credits: fragsh3ll aka Richard Young
[+] Contact:


APC UPS Daemon <= 3.14.14

Vulnerability Type
Privilege Escalation

Vendor Description
Apcupsd can be used for power mangement and controlling most of APC’s UPS
models on Unix and Windows machines. Apcupsd works with most of APC’s
Smart-UPS models as well as most simple signalling models such a Back-UPS,
and BackUPS-Office. During a power failure, apcupsd will inform the users
about the power failure and that a shutdown may occur. If power is not
restored, a system shutdown will follow when the battery is exhausted, a
timeout (seconds) expires, or runtime expires based on internal APC
calculations determined by power consumption rates. Apcupsd is licensed
under the GPL version 2.

CVE Reference

Vulnerability Details
The default installation of APCUPSD allows a local unprivileged user to run
arbitrary code with elevated privileges by replacing the service executable
apcupsd.exe with a malicious executable, which will run with SYSTEM
privileges at startup.

  RW BUILTIN\Administrators
  RW NT AUTHORITY\Authenticated Users

1) Install the application with default settings.

2) Replace the service executable located at C:\apcupsd\bin\apcupsd.exe
with an executable of your choice.

3) Restart the service or computer, the executable will run.

Disclosure Timeline:
4/17/17 - Vendor notified
4/17/17 - Vendor acknowledged
5/6/17 - Vendor still working
6/5/17 - No response
6/14/17 - No response
6/15/17 - Public disclosure

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists