exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Samsung SW Update Insecure ACLs

Samsung SW Update Insecure ACLs
Posted Jun 13, 2016
Authored by Benjamin Gnahm

Samsung's SW Update versions and below suffer from having insecure ACLs on its directory allowing any authenticated user to escalate their privileges.

tags | exploit
SHA-256 | 4fd7871ec675d6f7a6b4d066d734cda6f750bb081f8734269b785590c3ec329e

Samsung SW Update Insecure ACLs

Change Mirror Download
Blue Frost Security GmbH

Vendor: Samsung, www.samsung.com
Affected Products: SW Update
Affected Version: <=
Vulnerability: Insecure ACLs on SW Update Service Directory
CVE ID: n/a
OVE ID: OVE-20160530-0004
Vendor ID: SI-6041

I. Impact

If the SW Update software is installed on a Windows system, any
user can escalate privileges to become the SYSTEM user by placing a crafted
DLL file in the SW Update Service directory and triggering or waiting
for the
next system reboot.

II. Vulnerability Details

Samsung consumer computers come with a preinstalled software called SW
This software is used to install and update all the necessary drivers and

The SW Update software installs a Windows service called SWUpdateService
is running as SYSTEM. The service binary SWMAgent.exe is located in the
directory "C:\ProgramData\Samsung\SW Update Service\".

The ACLs set on this directory allow any authenticated user to create
new files
as can be seen by the FILE_WRITE_DATA access right below:

C:\>cacls "c:\Programdata\Samsung\SW Update Service"
c:\Programdata\Samsung\SW Update Service NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F


When the service is started it tries to load several non-existing DLL files
from the service directory such as MSIMG32.dll, UxTheme.dll or USERENV.dll.

A user can place a malicious DLL file with one of the expected names into
that directory and wait until the service is restarted. The service can not
be restarted by normal users but an attacker could just reboot the system or
wait for the next reboot to happen.

Afterwards his malicious DLL file would be loaded by the service which is
running with SYSTEM privileges which would give the attacker full control
over the machine.

III. Mitigation

To mitigate the issue the ACL on the service directory should be adjusted to
prevent normal users from writing to this directory or install the official
update to version

IV. Disclosure Timeline

- 2016-04-25 contacted mobile.security@samsung.com and requested a security
contact for consumer desktop / notebook software
- 2016-04-29 Samsung confirmed that the advisory was received and that
it will
be analyzed
- 2016-05-27 Requested status update
- 2016-05-30 Samsung confirmed that issue "SI-6041" has been fixed starting
with version
- 2016-05-30 Requested OVE ID: OVE-20160530-0004 was assigned

Bug found by Benjamin Gnahm (@mitp0sh) of Blue Frost Security GmbH.

Unaltered electronic reproduction of this advisory is permitted. For all
reproduction or publication, in printing or otherwise, contact
research(at)bluefrostsecurity de for permission. Use of the advisory
acceptance for use in an "as is" condition. All warranties are excluded.
In no
event shall Blue Frost Security be liable for any damages whatsoever
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if Blue Frost Security has been advised of the
possibility of such damages.

Copyright 2016 Blue Frost Security GmbH. All rights reserved. Terms of
use apply.

Login or Register to add favorites

File Archive:

September 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    2 Files
  • 2
    Sep 2nd
    21 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    17 Files
  • 5
    Sep 5th
    34 Files
  • 6
    Sep 6th
    29 Files
  • 7
    Sep 7th
    11 Files
  • 8
    Sep 8th
    25 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    26 Files
  • 12
    Sep 12th
    23 Files
  • 13
    Sep 13th
    17 Files
  • 14
    Sep 14th
    22 Files
  • 15
    Sep 15th
    16 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    19 Files
  • 19
    Sep 19th
    60 Files
  • 20
    Sep 20th
    23 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    8 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    17 Files
  • 26
    Sep 26th
    3 Files
  • 27
    Sep 27th
    13 Files
  • 28
    Sep 28th
    5 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By