Date: Thu, 15 Feb 2018 10:24:52 +0100
From: Florian Bogner <florian@...ner.sh>
To: fulldisclosure@...lists.org
Subject: [FD] Local Privilege Escalation in CrashPlan’s Windows Client Version 4

Local Privilege Escalation in CrashPlan’s Windows Client Version 4

Metadata
===================================================
Release Date: 15-Feb-2018
Author: Florian Bogner // https://bogner.sh
Affected product: CrashPlan's 4-series and earlier Windows client
Fixed in: CrashPlan's version 4.8.3 Windows client; version 5 was never affected by this issue
Tested on: Windows 7
CVE:  Not requested
URL: https://bogner.sh/2018/02/local-privilege-escalation-in-crashplans-windows-client/
Vulnerability Status: Fixed with new release (13.6.2017)

Product Description
===================================================
CrashPlan offers the most comprehensive online backup solution to hundreds of thousands of consumers and tens of thousands of businesses around the world. Our highly secure, automatic and continuous service provides our customers the peace of mind that their digital life is protected and easily accessible. [citing https://www.crashplan.com/en-us/]

Vulnerability Description
===================================================
This advisory is about a local privilege escalation vulnerability affecting CrashPlan’s Windows application. It can be abused by any local user to gain full control over the system.

The underlying issue is that the Windows Service "CrashPlan Backup Service" loads and executes files from the insecure filesystem location C:\ProgramData\CrashPlan. Any local authenticated user can abuse this behaviour by dropping a malicious Java CLASS file there. After the system is rebooted, this Java class is loaded and the code is executed as SYSTEM. This causes a local privilege escalation from authenticated user to SYSTEM.
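
A defensive check for the condition described above, as an added example that is not part of the original advisory: this PowerShell script lists access-control entries that let principals other than SYSTEM and Administrators write into the directory the service loads from. The path and service display name come from the advisory; the trusted-SID list and the set of rights treated as "write" are assumptions.

```powershell
# Added example, not from the advisory: audit write access to a service's load directory.
param(
    [string]$Path = 'C:\ProgramData\CrashPlan',               # location named in the advisory
    [string]$ServiceDisplayName = 'CrashPlan Backup Service'  # service named in the advisory
)

# Assumption: only these principals should be able to write here.
$trustedSids = @('S-1-5-18', 'S-1-5-32-544')   # SYSTEM, BUILTIN\Administrators

# Rights that allow planting or replacing a file. GENERIC_WRITE (0x40000000) and
# GENERIC_ALL (0x10000000) are included because inherit-only ACEs can carry them.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x50000000

function Get-RiskyAce {
    param([string]$Target)
    $acl = Get-Acl -LiteralPath $Target -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable account: report as-is
        }
        if ($trustedSids -contains $sid) { continue }
        [pscustomobject]@{
            Path = $Target; Identity = $ace.IdentityReference.Value
            Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
        }
    }
}

# Show which account the service runs as; a SYSTEM service makes a writable load path critical.
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='$ServiceDisplayName'"
if ($svc) { Write-Host ("Service {0} runs as {1}" -f $svc.Name, $svc.StartName) }

if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "$Path does not exist"; return }

# Report every risky ACE on the root, and explicit (non-inherited) ones below it.
$findings = @(Get-RiskyAce $Path)
Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += @(Get-RiskyAce $_.FullName | Where-Object { -not $_.Inherited })
}
if ($findings) { $findings } else { Write-Host "No write access for untrusted principals under $Path" }
```

An empty result on the root means only the trusted principals can place files there; any row naming a broad group such as Users or Authenticated Users indicates the exposure the advisory describes.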

Suggested Solution
===================================================
End-users should update to the latest available version.

Disclosure Timeline
===================================================
18.5.2017: The issue has been identified
22.5.2017: The issue has been documented and reported to the vendor
25.5.2017: Vendor confirmed vulnerability and is working on a fix
13.6.2017: New version containing a fix has been released. The release notes have been published here: https://support.crashplan.com/Release_Notes/4.8
15.2.2018: Public disclosure

PoC
===================================================
A working PoC is available here: https://bogner.sh/2018/02/local-privilege-escalation-in-crashplans-windows-client/

Florian Bogner

eMail: florian@...ner.sh
Web: http://www.bogner.sh
LinkedIn: https://www.linkedin.com/profile/view?id=368904276
Xing: https://www.xing.com/profile/Florian_Bogner9
