vendor:
OpenClinic GA
by:
Alessandro Salzano
N/A
CVSS
HIGH
Local Privilege Escalation
269
CWE
Product Name: OpenClinic GA
Affected Version From: 5.194.18
Affected Version To: Latest
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested: Microsoft Windows 10 Enterprise x64
2021
OpenClinic GA 5.194.18 – Local Privilege Escalation
By default, the Authenticated Users group has the modify permission to OpenClinic folders/files. A low privilege account can rename mysqld.exe or tomcat8.exe files located in bin folders and replace them with a malicious file that would connect back to an attacking computer, giving system-level privileges. This is possible because the service is running as Local System. Although a low privilege user cannot restart the service through the application, a restart of the computer triggers the execution of the malicious file. The application also has unquoted service path issues.
Mitigation:
The vendor should fix the permissions on the OpenClinic folders/files to prevent modification by low privilege accounts. Additionally, the vendor should fix the unquoted service path issues.