K7 TotalSecurity version 15.1.0.289 suffers from an unquoted service path privilege escalation vulnerability.
e4e1925f14069c34fd9fc8d74cd27e0486f57e239bc7f945c34c0d26c4af622b
=====================================================
# K7 TotalSecurity v15.1.0.289 - Unquoted Service Path Privilege Escalation
=====================================================
# Vendor Homepage: https://www.k7computing.com
# Date: 24 Oct 2016
# Version : 15.1.0.289
# Software Link: https://www.k7computing.com/eng/downloads
# Tested on: Windows 7 Ultimate SP1 (EN)
# Author: Heliand Dema
# Contact: heliand@cyber.al
=====================================================
K7 TotalSecurity installs several services called 'K7CrvSvc' ,
'K7EmlPxy' , 'K7RTScan' , 'K7FWSrvc' , 'K7TSMngr' , 'K7PSSrvc' ,
'K7SpmSrc' with an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local user
to execute arbitrary code with elevated privileges on the system.
C:\Users\helik>sc qc K7CrvSvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: K7CrvSvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\K7
Computing\K7TSecurity\K7CrvSvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : K7Carnivore Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\helik>sc qc K7EmlPxy
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: K7EmlPxy
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\K7
Computing\K7TSecurity\K7EmlPxy.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : K7Computng - EMail Proxy Server
DEPENDENCIES : K7TSMngr
: K7FWHlpr
SERVICE_START_NAME : LocalSystem
C:\Users\helik>sc qc K7RTScan
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: K7RTScan
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\K7
Computing\K7TSecurity\K7RTScan.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : K7RealTime AntiVirus Services
DEPENDENCIES : K7TSMngr
: K7Sentry
SERVICE_START_NAME : LocalSystem
C:\Users\helik>sc qc K7FWSrvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: K7FWSrvc
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\K7
Computing\K7TSecurity\K7FWSrvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : K7Firewall Services
DEPENDENCIES : K7TSMngr
SERVICE_START_NAME : LocalSystem
C:\Users\helik>sc qc K7TSMngr
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: K7TSMngr
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\K7
Computing\K7TSecurity\K7TSMngr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : K7TotalSecurity Manager
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem
C:\Users\helik>sc qc K7PSSrvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: K7PSSrvc
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\K7
Computing\K7TSecurity\K7PSSrvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : K7Privacy Services
DEPENDENCIES : K7TSMngr
SERVICE_START_NAME : LocalSystem
C:\Users\helik>sc qc K7SpmSrc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: K7SpmSrc
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\K7
Computing\K7TSecurity\K7SpmSrc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : K7SpmSrc
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem
====Proof-of-Concept====
To properly exploit this vulnerability, the local attacker must insert
an executable file in the path of the service. Upon service restart or
system reboot, the malicious code will be run with elevated privileges.
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed