Reason Core Security 1.1.2 Privilege Escalation
Posted on 14 November 2016
===================================================== [#] Exploit Title : Reason Core Security - Unquoted Service Path Privilege Escalation [#] Affected Product(s): Reason Core Security v1.1.2 - Software [#] Exploitation Technique: Local [#] Severity Level: Medium [#] Tested OS : Windows 10 ===================================================== [#] Product & Service Introduction: =================================== Reason Core Security is an anti-malware program designed by developers HerdProtect. This program is intended for use with your existing antivirus software and acts as a second layer of defense in the event that the malware slips past the real-time protection of your antivirus program. (Copy of the Vendor Homepage: https://www.reasoncoresecurity.com/ ) [#] Technical Details & Description: ==================================== The application suffers from an unquoted search path issue in the official Reason Core Security v1.1.2 software. The issue allows authorized but unprivileged local users to execute arbitrary code with system privileges on the active system. The attack vector of the issue is local. [#] Proof of Concept (PoC): =========================== The issue can be exploited by local attackers with restricted system user account or network access and without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. -- PoC Exploit -- C:Program FilesReasonSecurity>sc qc rsEngineSvc [SC] QueryServiceConfig reussite(s) SERVICE_NAME: rsEngineSvc TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:Program FilesReasonSecurity sEngineSvc.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Reason Core Security Engine Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem [#] Vulnerability Disclosure Timeline: ====================================== 2016-11-07 : Discovery of the Vulnerability 2016-11-07 : Contact the Vendor (No Response Support Team) 2016-11-14 : Public Disclosure [#] Disclaimer: =============== Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. Domain: www.zwx.fr Contact: msk4@live.fr Social: twitter.com/XSSed.fr Feeds: www.zwx.fr/feed/ Advisory: www.vulnerability-lab.com/show.php?user=ZwX packetstormsecurity.com/files/author/12026/ cxsecurity.com/search/author/DESC/AND/FIND/0/10/ZwX/ 0day.today/author/27461 Copyright (c) 2016 | ZwX - Security Researcher (Software & web application)