exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Nero 7.10.1.0 Privilege Escalation

Nero 7.10.1.0 Privilege Escalation
Posted Nov 10, 2016
Authored by Boumediene Kaddour

Nero version 7.10.1.0 suffers from an unquoted service path privilege escalation vulnerability.

tags | exploit
SHA-256 | bad453dd996e32dcdd658e911ef7091ccb817266a006aad8aa09bc2e7fc877b3

Nero 7.10.1.0 Privilege Escalation

Change Mirror Download
# Exploit Title:  Nero 7 Unquoted Service Path Elevation Of Privilege
# Disclosure Date: 09/11/2016
# Exploit Author: Boumediene KADDOUR a.k.a Sh311c0d3r
# http://www.realistic-security.org
# Version: Nero version 7.10.1.0
# Tested on: Windows 7 integral edition FR
# CVE : N/A

Vulnerability Details:
=====================
The nero 7 suffers from an unquoted search path issue impacting the
service "NBService" leading to arbitrary code execution, this could
potentially allow an authorized unprivileged user to invoke a malicious
peice of code with elevated privileges.
A successful exploit requires a local user to put its own code in the
path of the vulnerable application where it could potentially be
executed during the software startup or system reboot.

PoC
--
[PentestingSkills.BlackBox] a$? sc qc NBService
[SC] QueryServiceConfig rA(c)ussite(s)

SERVICE_NAME: NBService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Nero\Nero 7\Nero
BackItUp\NBService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NBService
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem

notice the path C:\Program Files (x86)\Nero\Nero 7\Nero
BackItUp\NBService.exe unquoted !!
a malicious local user could put in place its own executable as Nero.exe
under C:\Program Files (x86)\Nero\ to be then executed once the
application starts up or the system reboots.

sh311c0d3r
Login or Register to add favorites

File Archive:

May 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    16 Files
  • 3
    May 3rd
    38 Files
  • 4
    May 4th
    15 Files
  • 5
    May 5th
    35 Files
  • 6
    May 6th
    0 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    8 Files
  • 9
    May 9th
    66 Files
  • 10
    May 10th
    19 Files
  • 11
    May 11th
    27 Files
  • 12
    May 12th
    8 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    1 Files
  • 15
    May 15th
    19 Files
  • 16
    May 16th
    66 Files
  • 17
    May 17th
    28 Files
  • 18
    May 18th
    32 Files
  • 19
    May 19th
    13 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close