what you don't know can hurt you

Comodo Dragon Browser Privilege Escalation

Comodo Dragon Browser Privilege Escalation
Posted Oct 6, 2016
Authored by Yunus YILDIRIM

Comodo Dragon Browser suffers from an unquoted service path privilege escalation vulnerability.

tags | exploit
MD5 | 02779e603c0b5ad96166612cd88cf7c5

Comodo Dragon Browser Privilege Escalation

Change Mirror Download
 Exploit Title: Comodo Dragon Browser Unquoted Service Path Privilege Escalation
# Date: 24/09/2016
# Author: Yunus YILDIRIM (@Th3GundY)
# Team: CT-Zer0 (@CRYPTTECH)
# Website: http://yildirimyunus.com
# Contact: yunusyildirim@protonmail.com
# Category: local
# Vendor Homepage: https://www.comodo.com
# Software Link: https://www.comodo.com/home/browsers-toolbars/browser.php
# Version: Software Version <= 52.15.25.663
# Tested on: Windows 7 x86/x64

1. Description

Comodo Dragon Browser Update Service (DragonUpdater) installs as a service with
an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.


2. Proof of Concept

C:\>sc qc DragonUpdater
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: DragonUpdater
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : COMODO Dragon Update Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem


3. Exploit:

A successful attempt would require the local attacker must insert an executable file
in the path of the service.
Upon service restart or system reboot, the malicious code will be run with elevated privileges.


Additional notes :

Fixed in version 52.15.25.664
https://forums.comodo.com/news-announcements-feedback-cd/comodo-dragon-v521525664-is-now-available-for-download-t116786.0.html

Vulnerability Disclosure Timeline:
=========================
24/09/2016 - Contact With Vendor
26/09/2016 - Vendor Response
03/10/2016 - Release Fixed Version

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    15 Files
  • 2
    Mar 2nd
    5 Files
  • 3
    Mar 3rd
    3 Files
  • 4
    Mar 4th
    25 Files
  • 5
    Mar 5th
    20 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    12 Files
  • 9
    Mar 9th
    3 Files
  • 10
    Mar 10th
    4 Files
  • 11
    Mar 11th
    23 Files
  • 12
    Mar 12th
    12 Files
  • 13
    Mar 13th
    12 Files
  • 14
    Mar 14th
    19 Files
  • 15
    Mar 15th
    12 Files
  • 16
    Mar 16th
    3 Files
  • 17
    Mar 17th
    1 Files
  • 18
    Mar 18th
    15 Files
  • 19
    Mar 19th
    22 Files
  • 20
    Mar 20th
    14 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    8 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close