Vendor: getPlus(R) Helper
By: Nine:Situations:Group
CVSS: 7.2 (HIGH)
Type: Local Elevation of Privileges
CWE: 264
Product Name: getPlus(R) Helper
Affected Version From: Acrobat Reader 9.x
Affected Version To: Acrobat Reader 9.x
Patch Exists: NO
Related CWE: N/A
CPE: a:nos_microsystems:getplus_helper
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
Year: 2009

Adobe related service (getPlus_HelperSvc.exe) local elevation of privileges

getPlus(R) Helper is the Adobe downloader used to fetch updates for Adobe applications; it ships with Acrobat Reader 9.x and runs as a Windows service under the LocalSystem account. The service executable is installed with improper permissions: BUILTIN\Users is granted 'full control', so any standard user can replace it with a binary of their choice. At the next reboot (or service start) the replaced binary runs with SYSTEM privileges.

Mitigation:

Ensure that the permissions on getPlus_HelperSvc.exe (and on the directory that contains it) are properly configured: remove the 'full control' entry for BUILTIN\Users so that only SYSTEM and Administrators can write to or replace the file, and standard users retain at most read and execute access.
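The weakness here is a generic one (a service binary that low-privilege users can overwrite), so a defender will want to check every installed service, not just this one. The following PowerShell audit is an added example written for this page; it is not code from the advisory, from Adobe or from NOS Microsystems. It assumes Windows PowerShell 5.1 or later and read access to service configuration, and it reports any service whose executable grants write-capable rights to a broad principal such as BUILTIN\Users or Everyone. The list of principals and the set of rights treated as "write-capable" are choices made for this example.

```powershell
# Audit service executables for write access granted to low-privilege principals.
# Added example for this page; not part of the original advisory.
# Assumes Windows PowerShell 5.1+ and permission to read service configuration.

# Principals that should never be able to modify a service binary (example choice).
$weakPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow the file to be replaced or its ACL to be changed (example choice).
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::FullControl -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions)

function Get-ServiceBinaryPath {
    # Extract the executable path from a service PathName, dropping any arguments.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }   # quoted path
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }  # unquoted path ending in .exe
    return $PathName.Trim()
}

function Find-WritableServiceBinary {
    # Returns one object per (service, weak principal) pair that can modify the binary.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $bin = Get-ServiceBinaryPath -PathName $svc.PathName
        if (-not $bin -or -not (Test-Path -LiteralPath $bin)) { continue }

        $acl = Get-Acl -LiteralPath $bin
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($weakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Cast to int: FileSystemRights may carry generic-right bits outside the enum.
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Binary    = $bin
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

# Example run: list offending services, most dangerous (LocalSystem) first.
Find-WritableServiceBinary | Sort-Object RunsAs, Service | Format-Table -AutoSize
```

On a host affected by this advisory the output would include a row for the getPlus(R) Helper service with Principal BUILTIN\Users and Rights FullControl, matching the cacls output in the raw data. Fixing a reported file means replacing the broad write entry with read and execute only; with the built-in icacls tool that is, for example, `icacls "<path to getPlus_HelperSvc.exe>" /remove:g "BUILTIN\Users" /grant:r "BUILTIN\Users:(RX)"`, after which re-running the audit should return no row for that service. Check the containing directory the same way, since write access there also allows the binary to be swapped.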
Source

Exploit-DB raw data:

Adobe related service (getPlus_HelperSvc.exe) local elevation of privileges
by Nine:Situations:Group
site: http://retrogod.altervista.org/

description:
Adobe downloader used to download updates for Adobe applications.
Shipped with Acrobat Reader 9.x

vendor: Nos Microsystems

poc:

C:\>sc qc "getPlus(R) Helper"
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: getPlus(R) Helper
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Programmi\NOS\bin\getPlus_HelperSvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : getPlus(R) Helper
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

C:\>cacls "C:\Programmi\NOS\bin\getPlus_HelperSvc.exe"
C:\Programmi\NOS\bin\getPlus_HelperSvc.exe BUILTIN\Users:F <-------------- [!!!]
                                           NT AUTHORITY\SYSTEM:F

The executable file is installed with improper permissions, with "full
control" for Builtin Users; a simple user can replace it with a binary of
choice.
At the next reboot it will run with SYSTEM privileges.

# milw0rm.com [2009-07-20]