HTCSyncManager 3.1.33.0 - Service Trusted Path Privilege Escalation

Aerosol · December 15, 2014

# Exploit Title: HTCSyncManager 3.1.33.0  (HSMServiceEntry.exe) Service Trusted Path Privilege Escalation
# Date: 12/12/2014
#Author: Hadji Samir s-dz@hotmail.fr
#Product web page: http://www.htc.com/fr/software/htc-sync-manager/
#Affected version: 3.1.33.0
#Tested on:  Windows 7  (FR)


 HTC Synchronisation manager for devices HTC

Vulnerability Details
There are weak permissions for 'HTCSyncManager'default installation where everyone is allowed to change 
the HSMServiceEntry.exe with an executable of their choice. When the service restarts or the system reboots
the attacker payload will execute on the system with SYSTEM privileges.


C:\Users\samir>sc qc HTCMonitorService
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: HTCMonitorService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\HTC\HTC Sync Manager\HSMServiceEntry.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : HTCMonitorService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem



C:\Users\samir>icacls "C:\Program Files\HTC\HTC Sync Manager\HSMServiceEntry.exe"
C:\Program Files\HTC\HTC Sync Manager\HSMServiceEntry.exe AUTORITE NT\Système:(I)(F)
                                                                    BUILTIN\Administrateurs:(I)(F)
                                                                    BUILTIN\Utilisateurs:(I)(RX)

1 fichiers correctement traités ; échec du traitement de 0 fichiers

Source

Sign In

HTCSyncManager 3.1.33.0 - Service Trusted Path Privilege Escalation

Recommended Posts

Aerosol

Join the conversation

Browse

Activity

Pages