Vendor: Service Center
By: Gjoko 'LiquidWorm' Krstic
CVSS: 7.2 (HIGH)
Type: Local Privilege Escalation
CWE: 264
Product Name: Service Center
Affected Version From: 2.2.5 (R596)
Affected Version To: 2.2.5 (R596)
Patch Exists: NO
Related CWE: N/A
CPE: a:native_instruments:service_center:2.2.5
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Microsoft Windows XP Professional SP3 (English)
Year: 2010

Native Instruments Service Center 2.2.5 Local Privilege Escalation Vulnerability

Native Instruments' Service Center suffers from an elevation-of-privileges vulnerability: an ordinary local user can replace the installed executable with a binary of their choice. The vulnerability exists because the installed files ServiceCenter.exe and Reloader.exe carry improper permissions, with the 'C' flag (Change, i.e. write) granted to 'Everyone'.

Mitigation:

Ensure that the permissions for ServiceCenter.exe and Reloader.exe are set to read-only for all users.
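A defender-side check and fix for the permission problem described above, written here as an added example; it is not part of the advisory and not code from Native Instruments. It audits the install directory for executables whose ACL grants write-class rights to a broad principal (the Everyone:C case shown in the PoC) and, when run with -Fix, replaces those entries with read-and-execute. The directory path is the one from the advisory; the -Fix switch, the principal list and the function names are this example's own choices, and it assumes an elevated PowerShell session on Windows.

```powershell
# Added example: not part of the original advisory or of the vendor's software.
# Lists executables under $InstallDir that Everyone/Users/Authenticated Users can
# modify, and with -Fix tightens those ACEs to ReadAndExecute. Run elevated.
param(
    [string]$InstallDir = 'C:\Program Files\Native Instruments\Service Center',  # path from the advisory
    [switch]$Fix
)

# Principals every local user belongs to; none should be able to alter installed binaries.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Only atomic write-class bits go into the mask. Composite values such as Modify or
# FullControl also contain read bits and would flag a harmless ReadAndExecute ACE.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($R::Write -bor $R::Delete -bor $R::DeleteSubdirectoriesAndFiles -bor
                   $R::ChangePermissions -bor $R::TakeOwnership)
# ACEs written with GENERIC_* masks show up as generic bits rather than file rights.
$GenericWriteOrAll = 0x50000000   # GENERIC_WRITE (0x40000000) | GENERIC_ALL (0x10000000)

function Test-WriteClassRights {
    param([int]$Rights)
    return (($Rights -band $WriteMask) -ne 0) -or (($Rights -band $GenericWriteOrAll) -ne 0)
}

function Get-WeakBinaryAce {
    # Emits one record per (file, broad principal) pair that holds write-class rights.
    param([string]$Directory)
    Get-ChildItem -LiteralPath $Directory -Recurse -File |
        Where-Object { $_.Extension -in '.exe', '.dll', '.sys' } |
        ForEach-Object {
            $file = $_
            $acl = Get-Acl -LiteralPath $file.FullName
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                if (Test-WriteClassRights -Rights ([int]$ace.FileSystemRights)) {
                    [pscustomobject]@{
                        File      = $file.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

function Repair-BinaryAcl {
    # Replaces every Allow ACE for $Principal on $Path with a ReadAndExecute ACE.
    param([string]$Path, [string]$Principal)
    $acl = Get-Acl -LiteralPath $Path
    if ($acl.Access | Where-Object { $_.IsInherited }) {
        # Inherited ACEs cannot be removed in place: stop inheriting, keep copies as
        # explicit ACEs, write that back, then reload so the copies are editable.
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $Path -AclObject $acl
        $acl = Get-Acl -LiteralPath $Path
    }
    $stale = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and $_.AccessControlType -eq 'Allow' })
    foreach ($ace in $stale) { [void]$acl.RemoveAccessRule($ace) }
    $readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Principal, 'ReadAndExecute', 'Allow'
    $acl.AddAccessRule($readOnly)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$findings = @(Get-WeakBinaryAce -Directory $InstallDir)
if ($findings.Count -eq 0) {
    Write-Output "No broad write-class ACEs found under $InstallDir"
    return
}
$findings | Format-Table -AutoSize
if ($Fix) {
    foreach ($f in $findings) {
        Repair-BinaryAcl -Path $f.File -Principal $f.Principal
        Write-Output "Tightened $($f.Principal) on $($f.File) to ReadAndExecute"
    }
}
```

Run it once without -Fix to see the findings (on the affected version it should list ServiceCenter.exe and Reloader.exe with Everyone holding Modify), then with -Fix to apply the mitigation; a follow-up `cacls` should then show Everyone with read/execute only. The mask deliberately tests individual write bits rather than comparing against Modify or FullControl, so an ACE that grants only ReadAndExecute (plus Synchronize, which Windows adds) is never reported.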

Exploit-DB raw data:

 Native Instruments Service Center 2.2.5 Local Privilege Escalation Vulnerability


 Vendor: Native Instruments GmbH
 Product web page: http://www.native-instruments.com
 Affected version: 2.2.5 (R596)

 Summary: The NI Service Center is a service used for Product Activation.

 Desc: Native Instruments' Service Center suffers from an elevation of
 privileges vulnerability which can be used by a simple user that can change
 the executable file with a binary of choice. The vulnerability exists due to
 the improper permissions, with the "C" flag (Change(write)) for "Everyone",
 for the installed files ServiceCenter.exe and Reloader.exe.

 Tested on: Microsoft Windows XP Professional SP3 (English)


 Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
 liquidworm gmail com
 Zero Science Lab - http://www.zeroscience.mk


 Advisory ID: ZSL-2010-4981
 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4981.php

 06.11.2010


 PoC:

----------------------------------------------------------------------------

 C:\Program Files\Native Instruments\Service Center>dir
  Volume in drive C has no label.
  Volume Serial Number is 7C64-FE80

  Directory of C:\Program Files\Native Instruments\Service Center

 07.11.2010  19:52    <DIR>          .
 07.11.2010  19:52    <DIR>          ..
 05.11.2010  17:58    <DIR>          conf
 05.11.2010  17:58    <DIR>          Documentation
 05.11.2010  17:57           738.632 Reloader.exe
 05.11.2010  17:58        10.650.440 ServiceCenter.exe
                2 File(s)     11.389.072 bytes
                4 Dir(s)   9.880.768.512 bytes free

 C:\Program Files\Native Instruments\Service Center>cacls ServiceCenter.exe
 C:\Program Files\Native Instruments\Service Center\ServiceCenter.exe BUILTIN\Administrators:F
                                                                      Everyone:C
                                                                      NT AUTHORITY\SYSTEM:F


 C:\Program Files\Native Instruments\Service Center>cacls Reloader.exe
 C:\Program Files\Native Instruments\Service Center\Reloader.exe BUILTIN\Administrators:F
                                                                 Everyone:C
                                                                 NT AUTHORITY\SYSTEM:F


 C:\Program Files\Native Instruments\Service Center>

----------------------------------------------------------------------------