By Astrid Watson & Will Hunt 13.11.2015
At 7Safe our experts are keen to share their latest learnings and findings. Will Hunt, one of our key Penetration Testers and Digital Forensics Consultants, has taken time to discover insecure service binary vulnerabilities in the software referenced below from three different vendors: Liebert, Proxycap and Epson. The vulnerabilities are technically identical across the vendors: each allows a low privilege user to escalate privileges and execute arbitrary code as an Administrator (technically speaking, with SYSTEM privileges).
Will’s findings and associated vendor fixes (where applicable) are:
Liebert MultiLink Automated Shutdown v4.2.4 – Privilege Escalation
CVE-2015-7260 (link pending)
Installing the software (used for the remote configuration of UPS settings and graceful shutdowns) also installs the service ‘LiebertM’, which runs as SYSTEM. The service points to a binary with weak permissions, allowing a low privilege account to replace the binary and execute arbitrary code as SYSTEM.
The attempt to contact the vendor on 28th July 2015 was unsuccessful, as were CERT’s attempts thereafter; there is currently no known plan for a fix.
If you use this software, please check here for any future updates the vendor may provide.
Proxycap v5.27 – Privilege Escalation Vulnerability
When Proxycap v5.27 is installed in a non-default location (i.e. not C:\Program Files\Proxy Labs\ProxyCap\ or C:\Program Files (x86)\Proxy Labs\ProxyCap\), the “Authenticated Users” group has modify access to the executable file that the service (pcapsvc) points to. A low privilege account can therefore replace this binary to execute arbitrary code as SYSTEM.
Proxy Labs have now released v5.28 which remediates the issue and can be found here.
EPSON Network Utility – Privilege Escalation
The service installed with the Epson Network Utility v4.10 software runs as SYSTEM and points to a binary with weak permissions. A low privilege account can replace this binary to execute arbitrary code as SYSTEM.
Further information and details of fix:
Vulnerability Note #672500
EPSON Security Notification
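All three findings share one root cause, so a single audit covers them. The following PowerShell is an added example, not code from the original post or from any of the vendors: it lists services running as LocalSystem whose binary grants write-type access to broad, low privilege groups. The function names and the choice of groups are assumptions; extend the SID list to suit your environment.

```powershell
# Added example (not from the 7Safe post): list SYSTEM services whose binary
# grants write-type access to broad, low-privilege groups.
# Well-known SIDs are used so the check also works on non-English Windows.
$lowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
# Rights that let a principal replace the file or rewrite its ACL.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Get-ServiceBinaryPath {   # hypothetical helper name
    param([string]$PathName)
    # PathName may be quoted and carry arguments: "C:\dir\svc.exe" -k arg
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted: take everything up to the first ".exe"
    if ($PathName -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $null
}

function Find-WeakServiceBinary {  # hypothetical function name
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        ForEach-Object {
            $svc  = $_
            $path = Get-ServiceBinaryPath $svc.PathName
            if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }
            # Ask for the rules keyed by SID rather than by localized account name.
            $rules = (Get-Acl -LiteralPath $path).GetAccessRules(
                $true, $true, [System.Security.Principal.SecurityIdentifier])
            foreach ($ace in $rules) {
                $sid = $ace.IdentityReference.Value
                if ($ace.AccessControlType -eq 'Allow' -and
                    $lowPrivSids.ContainsKey($sid) -and
                    (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0)) {
                    [pscustomobject]@{
                        Service  = $svc.Name
                        Binary   = $path
                        Identity = $lowPrivSids[$sid]
                        Rights   = $ace.FileSystemRights
                    }
                }
            }
        }
}

Find-WeakServiceBinary | Format-Table -AutoSize
```

Any row returned is a service binary that needs its ACL tightened so that only administrators and SYSTEM can write to it; an empty result means no such ACE was found on the binaries themselves.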
7Safe is a leading provider of cyber security and digital investigation advice, education and technical services to all technology-enabled organisations.