Zortam MP3 Media Studio 21.15 Privilege Escalation
Posted on 24 September 2016
# Exploit Title: Zortam Mp3 Media Studio 21.15 Insecure File Permissions Privilege Escalation # Date: 23/09/2016 # Exploit Author: Tulpa # Contact: tulpa@tulpa-security.com # Author website: www.tulpa-security.com # Vendor Homepage: http://www.zortam.com/ # Software Link: http://www.zortam.com/download.html # Version: Software Version 21.15 # Tested on: Windows 10 Professional x64, Windows XP SP3 x86, Windows Server 2008 R2 x64 # Shout-out to carbonated and ozzie_offsec 1. Description: Zortam Mp3 Media Studio installs by default to "C:Program Files (x86)ortam Mp3 Media Studiozmmspro.exe" with very weak file permissions granting any user full permission to the exe. This allows opportunity for code execution against any other user running the application. 2. Proof C:Program Filesortam Mp3 Media Studio>cacls zmmspro.exe C:Program Filesortam Mp3 Media Studiozmmspro.exe BUILTINUsers:F NT AUTHORITYSYSTEM:(ID)F BUILTINAdministrators:(ID)F BUILTINUsers:(ID)R 3. Exploit: Simply replace zmmspro.exe and wait for execution.