F-Secure BlackLight 2.2.1092 Local Privilege Escalation Vulnerability
Vendor: F-Secure Corporation
Product web page: http://www.f-secure.com
http://www.f-secure.com/en_EMEA-Labs/security-threats/tools/blacklight/
Affected version: 2.2.1092
Summary: F-Secure BlackLight is a tool that detects files, folders and
processes hidden from the user and other programs. BlackLight is also
able to remove hidden malware by renaming them.
Desc: The rootkit eliminator is vulnerable to an elevation of privileges
vulnerability which can be used by a simple user that can change the
executable file with a binary of choice. The vulnerability exist due to
the improper permissions, with the 'C' flag (change/write) for the 'Everyone'
group, for the 'fsbl.exe' binary file.
Tested on: Microsoft Windows XP Professional SP3 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2011-5038
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5038.php
10.08.2011
--
C:\>cacls fsbl.exe
C:\fsbl.exe BUILTIN\Administrators:F
Everyone:C
LABPC\User4:F
NT AUTHORITY\SYSTEM:F
C:\>
