
Samsung SW Update 2.2.7.22 Insecure ACLs

Posted Jun 13, 2016
Authored by Benjamin Gnahm

Samsung SW Update versions 2.2.7.22 and below set insecure ACLs on the service directory, allowing any authenticated user to escalate privileges.

tags | exploit
SHA-256 | 4fd7871ec675d6f7a6b4d066d734cda6f750bb081f8734269b785590c3ec329e

Blue Frost Security GmbH
https://www.bluefrostsecurity.de/
research(at)bluefrostsecurity.de
BFS-SA-2016-002
25-April-2016
________________________________________________________________________________

Vendor: Samsung, www.samsung.com
Affected Products: SW Update
Affected Version: <= 2.2.7.22
Vulnerability: Insecure ACLs on SW Update Service Directory
CVE ID: n/a
OVE ID: OVE-20160530-0004
Vendor ID: SI-6041
________________________________________________________________________________

I. Impact

If the SW Update software is installed on a Windows system, any authenticated
user can escalate privileges to become the SYSTEM user by placing a crafted
DLL file in the SW Update Service directory and triggering or waiting for the
next system reboot.
________________________________________________________________________________

II. Vulnerability Details

Samsung consumer computers come with preinstalled software called SW Update.
This software is used to install and update all the necessary drivers and
software.

The SW Update software installs a Windows service called SWUpdateService,
which runs as SYSTEM. The service binary SWMAgent.exe is located in the
directory "C:\ProgramData\Samsung\SW Update Service\".

The ACLs set on this directory allow any authenticated user to create new
files, as can be seen by the FILE_WRITE_DATA access right below:

C:\>cacls "c:\Programdata\Samsung\SW Update Service"
c:\Programdata\Samsung\SW Update Service NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                                         BUILTIN\Administrators:(OI)(CI)(ID)F
                                         CREATOR OWNER:(OI)(CI)(IO)(ID)F
                                         BUILTIN\Users:(OI)(CI)(ID)R
                                         BUILTIN\Users:(CI)(ID)(special access:)
                                                       FILE_WRITE_DATA
                                                       FILE_APPEND_DATA
                                                       FILE_WRITE_EA
                                                       FILE_WRITE_ATTRIBUTES

When the service is started, it tries to load several non-existent DLL files
from the service directory, such as MSIMG32.dll, UxTheme.dll or USERENV.dll.

A user can place a malicious DLL file with one of the expected names into
that directory and wait until the service is restarted. The service cannot
be restarted by normal users, but an attacker could just reboot the system or
wait for the next reboot to happen.

Afterwards the malicious DLL file would be loaded by the service, which runs
with SYSTEM privileges, giving the attacker full control over the machine.
________________________________________________________________________________

III. Mitigation

To mitigate the issue, either adjust the ACL on the service directory to
prevent normal users from writing to it, or install the official update to
version 2.2.7.24.
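
The following PowerShell audit is an added example, not part of the Blue Frost
advisory or of Samsung's software. It generalizes the ACL check from section II
beyond the single SW Update directory to every service that runs as LocalSystem;
the SID list and the helper name Get-ServiceBinaryPath are assumptions made for
this example.

```powershell
# Added example: list LocalSystem services whose binary directory lets a
# low-privileged group create files (the FILE_WRITE_DATA right shown above).
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-4',       # NT AUTHORITY\INTERACTIVE
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)
$sidType     = [System.Security.Principal.SecurityIdentifier]
# On a directory, CreateFiles is the same bit as FILE_WRITE_DATA.
$createFile  = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# Hypothetical helper: Win32_Service.PathName may be quoted and may carry
# arguments, so keep only the executable path.
function Get-ServiceBinaryPath([string]$PathName) {
    if ($PathName -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $null
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' } |
    ForEach-Object {
        $service = $_
        $exe = Get-ServiceBinaryPath $service.PathName
        if (-not $exe) { return }
        $dir = Split-Path -Path $exe -Parent
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { return }
        $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
        if (-not $acl) { return }

        # Request SIDs instead of account names so the check is locale-independent.
        # Inherit-only ACEs are skipped because they do not apply to $dir itself.
        $acl.GetAccessRules($true, $true, $sidType) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $lowPrivSids -contains $_.IdentityReference.Value -and
                ([int]$_.FileSystemRights -band $createFile) -and
                -not ([int]$_.PropagationFlags -band $inheritOnly)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Service   = $service.Name
                    Directory = $dir
                    Sid       = $_.IdentityReference.Value
                    Rights    = $_.FileSystemRights
                    Inherited = $_.IsInherited
                }
            }
    }
```

An Inherited value of True corresponds to the (ID) flag in the cacls output
above: such an entry comes from a parent directory and has to be corrected
there or by breaking inheritance on the service directory.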
________________________________________________________________________________

IV. Disclosure Timeline

- 2016-04-25 Contacted mobile.security@samsung.com and requested a security
  contact for consumer desktop / notebook software
- 2016-04-29 Samsung confirmed that the advisory was received and that it
  will be analyzed
- 2016-05-27 Requested status update
- 2016-05-30 Samsung confirmed that issue "SI-6041" has been fixed starting
  with version 2.2.7.24
- 2016-05-30 Requested OVE ID: OVE-20160530-0004 was assigned
________________________________________________________________________________

Credit:
Bug found by Benjamin Gnahm (@mitp0sh) of Blue Frost Security GmbH.
________________________________________________________________________________

Unaltered electronic reproduction of this advisory is permitted. For all other
reproduction or publication, in printing or otherwise, contact
research(at)bluefrostsecurity.de for permission. Use of the advisory
constitutes acceptance for use in an "as is" condition. All warranties are
excluded. In no event shall Blue Frost Security be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss of
business profits or special damages, even if Blue Frost Security has been
advised of the possibility of such damages.

Copyright 2016 Blue Frost Security GmbH. All rights reserved. Terms of use
apply.



