Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 13 May 2016 00:20:44 +0100
From: VoidSec <voidsec@...dsec.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE Request for VirIT Explorer v.8.1.68 Local Privilege Escalation

Request a CVE ID for VirIT Explorer Lite & Pro v.8.1.68 - Local Privilege Escalation (SYSTEM Privilege)/Arbitrary Code Execution

Exploit Author: Paolo Stagno - voidsec@...dsec.com
Vendor Homepage: http://www.tgsoft.it
Version: VirIT Explorer Lite & Pro v.8.1.68
CVSS v2: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C/E:H/RL:U/RC:C)

Overview
---- 
Vir.IT eXplorer [1] is an AntiVirus, AntiSpyware and AntiMalware software made in Italy and developed by TG Soft S.a.s.

A major flaws exists in the last version of Vir.IT eXplorer, this vulnerability allow a local attacker,
to execute arbitrary code in the context of the application with SYSTEM privilege.

Details
---- 
The flaw resides in the viritsvclite Service due to bad privileges for the main Vir.IT folder, by default, any user (even guest) will be able to 
replace, modify or alter the file. This would allow an attacker to inject code or replace the executable and have it run in the context of the system.

This would allow a complete compromise of the system on which the antivirus was installed; an attacker can replace the executable, 
reboot the system and it would then compromise the machine. As NT AUTHORITY\SYSTEM is the highest privilege level on a Windows machine, 
this allows a total control and access to the system.

Services: viritsvclite
Folder: %SYSTEMDRIVE%\VEXPLite
Executable: %SYSTEMDRIVE%\VEXPLite\viritsvc.exe

[2] icacls.exe VEXPLite
C:\VEXPLite Everyone:(OI)(CI)(F)    <=================== Vulnerable
            BUILTIN\Administrators:(I)(F)
            BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
            BUILTIN\Users:(I)(OI)(CI)(RX)
            NT AUTHORITY\Authenticated Users:(I)(M)
            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Exploit
---- 
https://gist.github.com/VoidSec/9971092829dd1fec146e1595843aae65
https://www.youtube.com/watch?v=5a09efEvjTk (video proof)

Remediation
---- 
Remove the permissions on the VEXPLite folder, all of its files and on the viritsvc.exe Service executables to allow only
privileged users to alter the files, apply vendor patch once distributed.

Footnotes
---- 
[1] http://www.tgsoft.it/english/prodotti_eng.asp
[2] https://technet.microsoft.com/en-us/library/cc753525%28WS.10%29.aspx

----

*VoidSec *| voidsec@...dsec.com <mailto:voidsec@...dsec.com> |
http://voidsec.com <http://voidsec.com/>

/The information contained in this document is confidential and/or
exclusive and is intended only for the use of the addressee.
Unauthorized use, disclosure or copying of this information, or any part
thereof is strictly prohibited and may be unlawful./

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.