what you don't know can hurt you

Nero 7.10.1.0 Privilege Escalation

Nero 7.10.1.0 Privilege Escalation
Posted Nov 10, 2016
Authored by Boumediene Kaddour

Nero version 7.10.1.0 suffers from an unquoted service path privilege escalation vulnerability.

tags | exploit
MD5 | f3d6d080ca9fe17ad9006313628eb51d

Nero 7.10.1.0 Privilege Escalation

Change Mirror Download
# Exploit Title:  Nero 7 Unquoted Service Path Elevation Of Privilege
# Disclosure Date: 09/11/2016
# Exploit Author: Boumediene KADDOUR a.k.a Sh311c0d3r
# http://www.realistic-security.org
# Version: Nero version 7.10.1.0
# Tested on: Windows 7 integral edition FR
# CVE : N/A

Vulnerability Details:
=====================
The nero 7 suffers from an unquoted search path issue impacting the
service "NBService" leading to arbitrary code execution, this could
potentially allow an authorized unprivileged user to invoke a malicious
peice of code with elevated privileges.
A successful exploit requires a local user to put its own code in the
path of the vulnerable application where it could potentially be
executed during the software startup or system reboot.

PoC
--
[PentestingSkills.BlackBox] a$? sc qc NBService
[SC] QueryServiceConfig rA(c)ussite(s)

SERVICE_NAME: NBService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Nero\Nero 7\Nero
BackItUp\NBService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NBService
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem

notice the path C:\Program Files (x86)\Nero\Nero 7\Nero
BackItUp\NBService.exe unquoted !!
a malicious local user could put in place its own executable as Nero.exe
under C:\Program Files (x86)\Nero\ to be then executed once the
application starts up or the system reboots.

sh311c0d3r

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    1 Files
  • 2
    Feb 2nd
    2 Files
  • 3
    Feb 3rd
    17 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    16 Files
  • 7
    Feb 7th
    19 Files
  • 8
    Feb 8th
    1 Files
  • 9
    Feb 9th
    2 Files
  • 10
    Feb 10th
    15 Files
  • 11
    Feb 11th
    20 Files
  • 12
    Feb 12th
    12 Files
  • 13
    Feb 13th
    18 Files
  • 14
    Feb 14th
    17 Files
  • 15
    Feb 15th
    4 Files
  • 16
    Feb 16th
    4 Files
  • 17
    Feb 17th
    34 Files
  • 18
    Feb 18th
    15 Files
  • 19
    Feb 19th
    19 Files
  • 20
    Feb 20th
    20 Files
  • 21
    Feb 21st
    11 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close