HTCSyncManager 3.1.33.0 - Service Trusted Path Privilege Escalation

2014-12-15 14:05:08

# Exploit Title: HTCSyncManager 3.1.33.0 (HSMServiceEntry.exe) Service Trusted Path Privilege Escalation
# Date: 12/12/2014
#Author: Hadji Samir [email protected]
#Product web page: http://www.htc.com/fr/software/htc-sync-manager/
#Affected version: 3.1.33.0
#Tested on: Windows 7 (FR)


HTC Synchronisation manager for devices HTC

Vulnerability Details
There are weak permissions for 'HTCSyncManager'default installation where everyone is allowed to change
the HSMServiceEntry.exe with an executable of their choice. When the service restarts or the system reboots
the attacker payload will execute on the system with SYSTEM privileges.


C:\Users\samir>sc qc HTCMonitorService
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: HTCMonitorService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\HTC\HTC Sync Manager\HSMServiceEntry.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HTCMonitorService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem



C:\Users\samir>icacls "C:\Program Files\HTC\HTC Sync Manager\HSMServiceEntry.exe"
C:\Program Files\HTC\HTC Sync Manager\HSMServiceEntry.exe AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)

1 fichiers correctement traités ; échec du traitement de 0 fichiers

Fixes

No fixes

In order to submit a new fix you need to be registered.