Realtek 11n Wireless LAN utility privilege escalation.
Vulnerability Discovered by Humberto Cabrera @dniz0r
http://zeroscience.mk @zeroscience
Summary:
⁃ Realtek 11n Wireless LAN utility is deployed and used by realtek
alfa cards and more in order to help diagnose and view wireless card
properties.
Description:
- Unquoted Privilege escalation that allows a user to gain SYSTEM
privileges.
Date - 12 Feb 2015
Version: 700.1631.106.2011
Vendor: www.realtek.com.tw
Advisory URL:
https://eaty0face.wordpress.com/2015/02/13/realtek-11n-wireless-lan-utility-privilege-escalation/
Tested on: Win7
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: realtek11ncu
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\REALTEK\11n USB Wireless LAN
Utility\RtlService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Realtek11nCU
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Windows\system32>sc qc realtek11nsu
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: realtek11nsu
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\REALTEK\Wireless LAN
Utility\RtlService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Realtek11nSU
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
