exploit the possibilities

Selea CarPlateServer 4.0.1.6 Local Privilege Escalation

Selea CarPlateServer 4.0.1.6 Local Privilege Escalation
Posted Jan 22, 2021
Authored by LiquidWorm | Site zeroscience.mk

Selea CarPlateServer (CPS) version 4.0.1.6 suffers from a local privilege escalation vulnerability.

tags | exploit, local
MD5 | 1fdb0ca0e6a83adb86d6020b489e504c

Selea CarPlateServer 4.0.1.6 Local Privilege Escalation

Change Mirror Download

Selea CarPlateServer (CPS) v4.0.1.6 Local Privilege Escalation


Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: 4.0.1.6(210120)
4.013(201105)
3.100(200225)
3.005(191206)
3.005(191112)

Summary: Our CPS (Car Plate Server) software is an advanced solution that can
be installed on computers and servers and used as an operations centre. It can
create sophisticated traffic control and road safety systems connecting to
stationary, mobile or vehicle-installed ANPR systems. CPS allows to send alert
notifications directly to tablets or smartphones, it can receive and transfer
data through safe encrypted protocols (HTTPS and FTPS). CPS is an open solution
that offers full integration with main video surveillance software. Our CPS
software connects to the national operations centre and provides law enforcement
authorities with necessary tools to issue alerts. CPS is designed to guarantee
cooperation among different law enforcement agencies. It allows to create a
multi-user environment that manages different hierarchy levels and the related
division of competences.

Desc: The application suffers from an unquoted search path issue impacting the
service 'Selea CarPlateServer' for Windows deployed as part of Selea CPS software
application. This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system. A successful
attempt would require the local user to be able to insert their code in the system
root path undetected by the OS or other security applications where it could
potentially be executed during application startup or reboot. If successful, the
local user's code would execute with the elevated privileges of the application.

Tested on: Microsoft Windows 10 Enterprise
SeleaCPSHttpServer/1.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2021-5621
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5621.php


08.11.2020

--


C:\Users\Smurf>sc qc "Selea CarPlateServer"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Selea CarPlateServer
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:/Program Files/Selea/CarPlateServer/CarPlateService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Selea CarPlateServer
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

C:\Users\Smurf>
Login or Register to add favorites

File Archive:

February 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    33 Files
  • 2
    Feb 2nd
    30 Files
  • 3
    Feb 3rd
    15 Files
  • 4
    Feb 4th
    8 Files
  • 5
    Feb 5th
    11 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    1 Files
  • 8
    Feb 8th
    37 Files
  • 9
    Feb 9th
    15 Files
  • 10
    Feb 10th
    11 Files
  • 11
    Feb 11th
    26 Files
  • 12
    Feb 12th
    8 Files
  • 13
    Feb 13th
    1 Files
  • 14
    Feb 14th
    1 Files
  • 15
    Feb 15th
    9 Files
  • 16
    Feb 16th
    33 Files
  • 17
    Feb 17th
    6 Files
  • 18
    Feb 18th
    10 Files
  • 19
    Feb 19th
    20 Files
  • 20
    Feb 20th
    1 Files
  • 21
    Feb 21st
    1 Files
  • 22
    Feb 22nd
    17 Files
  • 23
    Feb 23rd
    15 Files
  • 24
    Feb 24th
    16 Files
  • 25
    Feb 25th
    28 Files
  • 26
    Feb 26th
    25 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close