what you don't know can hurt you

Telefonica O2 Connection Manager 8.7 Service Trusted Path Privilege Escalation

Telefonica O2 Connection Manager 8.7 Service Trusted Path Privilege Escalation
Posted Oct 10, 2014
Authored by LiquidWorm | Site zeroscience.mk

The O2 Connection Manager's service suffers from an unquoted search path issue impacting the Import WiFi 'TGCM_ImportWiFiSvc' service for Windows. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

tags | exploit, arbitrary, local, root
systems | windows
MD5 | 81b82e6ff0c16b43b4e87e78b4d57923

Telefonica O2 Connection Manager 8.7 Service Trusted Path Privilege Escalation

Change Mirror Download

Telefonica O2 Connection Manager 8.7 Service Trusted Path Privilege Escalation


Vendor: Telefonica S.A.
Product web page: http://www.telefonica.com | http://www.o2.co.uk
Affected version: 8.7.6.792

Summary: O2 Connection Manager will help you to manage your internet
connections by getting you connected to the fastest available network.
Automatically connect you to the fastest available network including
your home broadband if you have a wireless router.

Desc: The O2 Connection Manager's service suffers from an unquoted
search path issue impacting the Import WiFi 'TGCM_ImportWiFiSvc'
service for Windows. This could potentially allow an authorized but
non-privileged local user to execute arbitrary code with elevated
privileges on the system. A successful attempt would require the
local user to be able to insert their code in the system root path
undetected by the OS or other security applications where it could
potentially be executed during application startup or reboot. If
successful, the local user’s code would execute with the elevated
privileges of the application.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2014-5200
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5200.php


22.09.2014

---


C:\>sc qc TGCM_ImportWiFiSvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: TGCM_ImportWiFiSvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\O2\Connection Manager\ImpWiFiSvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : TGCM_ImportWiFiSvc
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

C:\>icacls "C:\Program Files (x86)\O2\Connection Manager\ImpWiFiSvc.exe"
C:\Program Files (x86)\O2\Connection Manager\ImpWiFiSvc.exe NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

C:\>

---
Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    1 Files
  • 17
    Jan 17th
    2 Files
  • 18
    Jan 18th
    20 Files
  • 19
    Jan 19th
    32 Files
  • 20
    Jan 20th
    15 Files
  • 21
    Jan 21st
    10 Files
  • 22
    Jan 22nd
    16 Files
  • 23
    Jan 23rd
    1 Files
  • 24
    Jan 24th
    1 Files
  • 25
    Jan 25th
    36 Files
  • 26
    Jan 26th
    26 Files
  • 27
    Jan 27th
    28 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close