HTCSyncManager 3.1.33.0 - Service Trusted Path Privilege Escalation



EKU-ID: 4442 CVE: OSVDB-ID:
Author: s-dz Published: 2014-12-16 Verified: Verified

# Exploit Title: HTCSyncManager 3.1.33.0 (HSMServiceEntry.exe) Service Trusted Path Privilege Escalation
# Date: 12/12/2014
# Author: Hadji Samir s-dz@hotmail.fr
# Product web page: http://www.htc.com/fr/software/htc-sync-manager/
# Affected version: 3.1.33.0
# Tested on: Windows 7 (FR)
  
      
HTC Sync Manager is the synchronisation manager for HTC devices.
  
Vulnerability Details
The default installation of 'HTCSyncManager' has weak permissions: everyone is allowed to replace
HSMServiceEntry.exe with an executable of their choice. When the service restarts or the system reboots,
the attacker's payload executes on the system with SYSTEM privileges.
  
  
C:\Users\samir>sc qc HTCMonitorService
[SC] QueryServiceConfig réussite(s)
  
SERVICE_NAME: HTCMonitorService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\HTC\HTC Sync Manager\HSMServiceEntry.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : HTCMonitorService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
  
  
  
C:\Users\samir>icacls "C:\Program Files\HTC\HTC Sync Manager\HSMServiceEntry.exe"
C:\Program Files\HTC\HTC Sync Manager\HSMServiceEntry.exe AUTORITE NT\Système:(I)(F)
                                                                    BUILTIN\Administrateurs:(I)(F)
                                                                    BUILTIN\Utilisateurs:(I)(RX)
  
1 fichiers correctement traités ; échec du traitement de 0 fichiers
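
An added example, not part of the original advisory: a PowerShell audit that applies the `sc qc` / `icacls` check above to every installed service and also inspects the folder holding each binary, which the output above does not show. Principals are matched by well-known SID rather than by name so the check works on localized systems such as the French one above; the function names and the choice of SIDs and rights are assumptions of this example.

```powershell
# Added example: list services whose binary, or its folder, is modifiable by low-privileged principals.

# Well-known SIDs instead of names, so the check is locale-independent
# (the French system above reports BUILTIN\Utilisateurs, not BUILTIN\Users).
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-4',       # INTERACTIVE
    'S-1-5-32-545'   # BUILTIN\Users
)

# Rights that allow replacing a file or rewriting its ACL.
$Fsr = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($Fsr::WriteData -bor $Fsr::AppendData -bor $Fsr::Delete -bor
    $Fsr::DeleteSubdirectoriesAndFiles -bor $Fsr::ChangePermissions -bor
    $Fsr::TakeOwnership)
# GENERIC_ALL and GENERIC_WRITE, which Get-Acl may report unmapped.
$WriteMask = $WriteMask -bor 0x10000000 -bor 0x40000000
$SidType = [System.Security.Principal.SecurityIdentifier]

function Get-ServiceBinaryPath([string]$PathName) {
    # PathName is either a quoted path followed by arguments, or an unquoted one.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

function Get-WeakAce([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate($SidType).Value } catch { continue }
        if (($LowPrivSids -contains $sid) -and
            ([int]$ace.FileSystemRights -band $WriteMask)) {
            [pscustomobject]@{ Path = $Path; Who = $ace.IdentityReference.Value
                               Rights = $ace.FileSystemRights }
        }
    }
}

foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Get-ServiceBinaryPath $svc.PathName
    # Paths that do not resolve (unexpanded variables, missing files) are skipped.
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
    foreach ($hit in @($exe, (Split-Path -Parent $exe) | ForEach-Object { Get-WeakAce $_ })) {
        '{0} runs as {1}: {2} has [{3}] on {4}' -f $svc.Name, $svc.StartName, $hit.Who, $hit.Rights, $hit.Path
    }
}
```

Any line it prints for a service running as LocalSystem is a candidate for tightening the ACL on the binary or its folder so that only administrators and SYSTEM can write there.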