
Local System

[UPDATE] NSOADV-2010-001: Panda Security Local Privilege Escalation

%ProgramFiles%\Panda Software\AVTC\

by  default  are  set  to Everyone:Full Control. Few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under LocalSystem  account.

The 32bit Version of Panda Security  for Desktops/File Servers
installs the TruePrevent package by default, which protects the files
in the installation directory from manipulation.


NSOADV-2010-001: Panda Security Local Privilege Escalation

%ProgramFiles%\Panda Software\AVTC\

by  default  are  set  to Everyone:Full Control. Few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under LocalSystem  account.

The 32bit Version of Panda Security  for Desktops/File Servers
installs the TruePrevent package by default, which protects the files
in the installation directory from manipulation.


Local privilege escalation vulnerability in Cisco VPN client

=======
Summary
=======
Name: Permissively-ACLed cvpnd.exe allows interactive users to run
arbitrary binaries with Local System Privileges
Release Date: 16 August 2007
Reference: NGS00503
Discover: Dominic Beecher <dominic@ngssoftware.com>
Vendor: Cisco
Vendor Reference: cisco-sa-20070815-vpnclient

Elevation of Privilege Vulnerability in iTunes for Windows

for 32-bit installations and in "%ALLUSERSPROFILE%\Application Data\
{0DD0EEEE-2A7C-411C-9243-1AE62F445FC3}\x64" for 64-bit installations. The
installer installs in this directory DifXInstall32.exe or DifXInstall64.exe for
32-bit or 64-bit installations, respectively, along with DIFxAPI.dll and other
files. After the installer writes these files to the directory, it will execute
DifXInstall32.exe or DifXInstall64.exe in the context of Local System, a
privileged user.

On a standard Windows installation, unprivileged users have write-access to
"%ALLUSERSPROFILE%\Application Data". As such, prior to a first-time iTunes
installation, an unprivileged attacker can create these directories and place a

Insomnia : ISVA-081020.1 - Altiris Deployment Server Agent - Privilege Escalation

Altiris packages to allow the Deployment Server to manage software
for machines. It is usually installed to 
C:\Program Files\Altiris\AClient and the main running agent 
is called AClient.exe. 

By default the agent runs under the Local System account and is
vulnerable to numerous Shatter Attack vulnerabilities leading
to an attacker running code under the Local System privilege.

We reported a first instance of this vulnerability which was
then patched, we then alerted Symantec to the second vulnerability.

Cisco Security Advisory: Local Privilege Escalation Vulnerabilities in Cisco VPN Client

Summary
=======

Two vulnerabilities exist in the Cisco VPN Client for Microsoft Windows
that may allow unprivileged users to elevate their privileges to those of
the LocalSystem account.

A workaround exists for one of the two vulnerabilities disclosed in this
advisory.

Cisco has made free software available to address these vulnerabilities

AVAST Antivirus v8.0.1489 - Multiple Core Vulnerabilities

Details:
========
It has been discovered that the latest build of Avast Free Antivirus Version 8 is vulnerable to HTML code injection 
which eventually leads to local command / shell execution. During the testing, I was able to successfully bypass the 
AVAST Sandbox and read/load and execute any file/application from local system having the local admin privileges 
which makes this bug a lot more critical. 

Initially the bug was an HTML code injection flaw only; however, with more in-depth analysis, it was revealed that the 
severity of this vulnerability is far more critical. A simple <a href> tag bypasses the AVAST Sandbox and drops a 
local CMD shell on the system where AVAST is installed. You can technically access any file / application, execute it. 

AVAST Internet Security Suite - Persistent Vulnerabilities

Details:
========
It has been discovered that the avast Internet Security Suite is vulnerable to persistent code injection and local command path injection vulnerability. 
During the testing, I was able to successfully read/load and execute any file/application from local system having the local admin privileges.

Initially the bug was an HTML code injection flaw only; however, with deeper analysis, it was revealed that the severity of 
this vulnerability is far more different. A simple <a href> tag bypasses the AVAST Sandbox and drops a local CMD shell on the 
system where AVAST is installed. You can technically access any file / application, execute it. It seems like we can control explorer.exe and 
through that we are even able to browse local folders and access any file, we can even browse 

RE: Panda Antivirus 2008 Local Privilege Escalation (UPS they did it again)

1. During installation of Panda Antivirus 2008 the permissions for
installation folder %ProgramFiles%\Panda Security\Panda Antivirus
2008 by default are set to Everyone:Full Control. Few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are
started under LocalSystem account. There is no protection of service files.
It's possible for unprivileged user to replace service executable with the
file of his choice to get full access with LocalSystem privileges. Or
to get privileges or any user (including system administrator) who

Panda Antivirus 2008 Local Privilege Escalation (UPS they did it again)

1.  During  installation  of  Panda Antivirus 2008 the permissions for 
installation folder %ProgramFiles%\Panda Security\Panda Antivirus 2008\
by  default  are  set  to Everyone:Full Control. Few services  
(e.g. PAVSRV51.EXE) are started from this folder. Services are started 
under LocalSystem  account. There is no protection of service files. It's
possible for unprivileged user to replace service executable with the
file of his choice to get full access with LocalSystem privileges. Or to
get privileges or any user (including system administrator) who logons
to vulnerable host. This can be exploited by:


SEC Consult SA-20090525-3 :: SonicWALL Global VPN Client Local Privilege Escalation Vulnerability

Vulnerability overview:
-----------------------

A local privilege escalation vulnerability exists in SonicWALL Global
VPN client. By exploiting this vulnerability, a local attacker could
execute code with LocalSystem privileges.


Vulnerability description:
--------------------------


[security bulletin] HPSBUX03001 SSRT101382 rev.1 - HP-UX Whitelisting (WLI), Local System Integrity Risk

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04227671
Version: 1

HPSBUX03001 SSRT101382 rev.1 - HP-UX Whitelisting (WLI), Local System
Integrity Risk

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.


ZDI-11-351 : WellinTech KingView HistoryServer.exe Opcode 3 Parsing Remote Code Execution Vulnerability

service allocates memory from the heap based on the 10th and 11th bytes
of the packet (element count). Packet data is then copied into the
allocated buffer based on the first two bytes of the packet (packet
size). These values can be manipulated to create a heap overflow, and an
attacker can exploit this to remotely execute arbitrary code in the
context of the service (Local System).

- -- Vendor Response:

WellinTech has issued an update to correct this vulnerability. More
details can be found at:

NGS00051 Technical Advisory: Cisco VPN Client Privilege Escalation

The 64 Bit Cisco VPN Client for Windows 7 is affected by a local privilege escalation vulnerability that allows non-privileged users to gain administrative privileges.

=================
Technical Details
=================
Unprivileged users can execute arbitrary programs that run with the privileges of the LocalSystem account by replacing the Cisco VPN Service executable with arbitrary executables. This vulnerability exists because the default file permissions assigned during installation to cvpnd.exe (the executable for the Cisco VPN Service) allow unprivileged, interactive users to replace cvpnd.exe with any file.

Because the Cisco VPN Service is a Windows service running with LocalSystem privileges, unprivileged users can easily elevate their privileges.

It is possible to work around this vulnerability without a software upgrade.


EPSON Status Monitor 3 local privilege escalation vulnerability

        BINARY_PATH_NAME   : C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : EPSON V5 Service4(01)
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem

C:\>CACLS "C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE"
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE Everyone:F <------[ :( !!!]

C:\>SC QC EPSON_PM_RPCV4_01

Multiple MicroWorld products insecure directory permissions

     %programfiles%\x-spam\spooler.exe


All mentioned binaries are running under NT AUTHORITY\SYSTEM account. 
Replacing any of those programs with appropriate (i.e. cmd.exe) will 
spawn process with Local System privileges on next reboot. Because 
setup/installation procedure sets insecure default permissions 
(Everyone:Full Control) on eScan/MailScan/X-Spam installation directory 
any LUA user can perform this task. NOTE: some binaries won't spawn 
visible windows.


Re: Local Privilege Escalation Vulnerabilities in Lotus Notes Client

--Wednesday, August 22, 2007, 2:25:28 PM, you wrote to bugtraq@securityfocus.com:

kvgc> Local Privilege Escalation Through Default ntmulti.exe File Permissions

kvgc> Unprivileged users can execute arbitrary programs that run
kvgc> with the privileges of the LocalSystem account by replacing the
kvgc> Multi-user Cleanup Service executable with arbitrary executables.
kvgc> This vulnerability exists because the default file permissions
kvgc> assigned during installation to ntmulti.exe (the executable for
kvgc> the Multi-user Cleanup Service) allow unprivileged, interactive
kvgc> users to replace ntmulti.exe with any file.

Vulnerability in Microsoft Security Essentials

Hi @ll,

versions of Microsoft Security Essentials before the current
v4.2 (see <https://support.microsoft.com/kb/2805304>) have a
vulnerability that could lead to execution of arbitrary code
in the security context of the LocalSystem account (almost like
<https://support.microsoft.com/kb/2781197> alias
<http://technet.microsoft.com/security/bulletin/ms13-034>).

The "UninstallString" written to


Air Gallery 1.0 Air Photo Browser - Multiple Vulnerabilities

Security Risk:
==============
1.1
The security risk of the local command/path inject web vulnerability is estimated as high(-).
Local attackers are able to inject own system specific commands but can also make unauthorized requests for local system path values to 
compromise the apple iOS web-application.

1.2
The security risk of the second local command/path inject web vulnerability is estimated as high(-). Local attackers are able to 
inject own system specific commands but can also make unauthorized requests for local system path values to 

Local Privilege Escalation Vulnerabilities in Lotus Notes Client

Local Privilege Escalation Through Default ntmulti.exe File Permissions

Unprivileged users can execute arbitrary programs that run with the privileges of the LocalSystem account by replacing the Multi-user Cleanup Service executable with arbitrary executables. This vulnerability exists because the default file permissions assigned during installation to ntmulti.exe (the executable for the Multi-user Cleanup Service) allow unprivileged, interactive
users to replace ntmulti.exe with any file.

Because the Multi-user Cleanup Service is a Windows service running with LocalSystem privileges, unprivileged users can easily elevate their privileges.



Omnistar Document Manager v8.0 - Multiple Vulnerabilities

                        [+] interface=


1.2
A local file include vulnerability is detected in Omnistardrives Omnistar Document Manager v8.0 web application.
The vulnerability allows a local privileged user account to include and load local system files. The vulnerability 
is located in the index module with the bound vulnerable area parameter request. Successful exploitation of the 
vulnerability results in a web server compromise via file load or information disclosure via local system file include.


Vulnerable Section(s):

CVE-2013-6795 Vulnerability in the Rackspace Windows Agent and Updater

A vulnerability in the Rackspace Windows Agent and Updater was discovered that allows for modified Agent binaries to be remotely uploaded (without authentication) to Rackspace Cloud Server guest instances. Modified Agent binaries are processed as an update for the Agent and arbitrary code can then be executed after the service is restarted. CloudPassage disclosed the vulnerability to Rackspace and CVE-2013-6795 was issued by MITRE Corporation.

The Windows Agent and Updater is used by Windows Cloud Server instances on OpenStack Nova to handle boot configurations for Windows guests running on the Xen hypervisor. The agent was created by Rackspace for their Windows instances and both the Agent and Updater services run under the LocalSystem account.

Previous versions of the Updater (before 1.2.6.0) allowed for unsigned agent updates utilizing a specially crafted .NET remote call to TCP port 1984. The Update service takes a single .NET serializable object with a URL and an MD5 checksum. Once the sequence is triggered, a ZIP file is downloaded, verified using the checksum, and extracted into the program folder of the Agent service before the service is restarted. No authentication is performed by the .NET remoting service, making it possible to deploy a modified Agent update that overwrites the running Agent service binary. A proof of concept tool was developed to trigger the sequence with an arbitrary download URL using the original .NET libraries from a target.

Full details here: http://blog.cloudpassage.com/2013/11/18/cve-2013-6795-vulnerability-rackspace-windows-agent-updater/

CloudPassage responsibly disclosed the finding to Rackspace and, as of version 1.2.6.0, the Updater has been changed to use IPC with XenStore and no longer listens on port 1984. Rackspace recommends that users running the Windows agent less than version 1.2.6.1 update to the latest version, available on GitHub at https://github.com/rackerlabs/openstack-guest-agents-windows-xenserver.


CSA-L03: Linux kernel vmsplice unchecked user-pointer dereference

This vulnerability leads to indirect reading of arbitrary kernel memory.


===[ IMPACT ]===========================================================

Vulnerabilities may lead to local system compromise including execution
of arbitrary machine code in the context of running kernel.

Vulnerability #1 has been successfully exploited on Linux 2.6.24.
Vulnerability #2 not tested.


Secunia Research: Bournal Insecure Temporary Files Security Issue

====================================================================== 
2) Severity 

Rating: Not critical
Impact: Privilege escalation
Where:  Local system

====================================================================== 
3) Vendor's Description of Software 

"Bournal is a bash script that allows you to keep a personal,

Re: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

Stefan,

For your information:

Cached domain accounts on a local system are not stored in the SAM.  They 
are stored in the SECURITY registry hive.  When a cached domain user logs 
in to the system, they do not authenticate against the SAM (As you can see 
in my article, I am not editing the SAM).  

-----------------------------------------------------

Cisco Security Advisory: Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client

Local Privilege Escalation Vulnerability
+---------------------------------------

Unprivileged users can elevate their privileges to those of the
LocalSystem account by enabling the Start Before Logon (SBL) feature
and interacting with the Cisco AnyConnect Secure Mobility Client
graphical user interface in the Windows logon screen.

To prevent this issue, fixed versions of the Cisco AnyConnect Secure
Mobility Client limit the amount of interaction that is possible in

rPSA-2010-0070-1 cpio tar

    rPath Appliance Platform Linux Service 2
    rPath Linux 2

Rating: Minor
Exposure Level Classification:
    Local System User Deterministic Denial of Service
Updated Versions:
    cpio=conary.rpath.com@rpl:2/2.9-1.2-1
    tar=conary.rpath.com@rpl:2/1.20-2.1-1

rPath Issue Tracking System:

RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

>change permissions / passwords for another user or another user, thus
>getting full admin rights on all systems for a long period of time. Plus whatever
>havoc might be caused by having the ability to change rights on fileshares to
>allow the new domain admin to see confidential files..

People, PLEASE at least take the time to read the OP before just adding comments.  You don't get any "temporary domain admin privileges."  Period.   Authenticating against cached domain credentials on a local system cannot be used for ANYTHING other than logging on to the local system when a controller is not available.  Period.   Now, please read this part carefully:  *You must be a local administrator to use utilities to overwrite the cached verifier of cached credentials.*  The most you can do is to allow yourself to log on as an account that has local admin.  YOU ARE ALREADY A LOCAL ADMIN AT THIS POINT.

1) You MUST be local admin to access the cached domain credentials. 
2) You can't log on to any network resources as the cached user.
3) You can't log on to another workstation as the cached user.
4) You can't access any EFS or other user-based data as the cached user.

rPSA-2007-0155-1 openssl openssl-scripts

rPath Security Advisory: 2007-0155-1
Published: 2007-08-10
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
    Local System User Non-deterministic Information Exposure
Updated Versions:
    openssl=/conary.rpath.com@rpl:devel//1/0.9.7f-10.7-1
    openssl-scripts=/conary.rpath.com@rpl:devel//1/0.9.7f-10.7-1

References:

Secunia Research: Quicksilver Forums "mysqldump" Password Disclosure

====================================================================== 
2) Severity 

Rating: Less critical
Impact: Exposure of sensitive information
Where:  Local system

====================================================================== 
3) Vendor's Description of Software 

"Quicksilver Forums is a fast, secure, powerful PHP/MySQL based forum


Copyright © 1995-2014 LinuxRocket.net. All rights reserved.
