what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

My Remote File Server Privilege Escalation

My Remote File Server Privilege Escalation
Posted Oct 30, 2009
Authored by Francis Provencher

My Remote File Server suffers from a local privilege escalation vulnerability.

tags | advisory, remote, local
SHA-256 | b0d5863983aebf57733c7be0f0976c34e42a4ed7233c11d0fb111626926f6f12

My Remote File Server Privilege Escalation

Change Mirror Download
#####################################################################################

Application:  My Remote File Server
           
Platforms:    Windows XP Professional SP2

Exploitation: Privilege Escalation

Date:         2009-10-26

Author:       Francis Provencher (Protek Research Lab's)

         
#####################################################################################

1) Introduction
2) Technical details
3) The Code (N/A)


#####################################################################################

===============
1) Introduction
===============
   

My Remote Files Server Edition is special Windows software that helps to organize simultaneous access to shared files on a server computer from different

computers in your local network and from the Internet.


(from smrksoft website)


2009/10/30 Vendor contacted
2009/10/30 Vendor response (That not a security hole but a feature....)
2009/10/30 Release this advisory

#####################################################################################

============================
2) Technical details
============================

My Remote File Server
Build 2.4.1

All files under the install folder have Create access control for BUILTIN\users and can be replace with malicious files.

This application have two modes;

Standalone mode; You will gain the privilege of the user that start the application
Service mode; You will gain administrative privilege


The application have an other hole, In the install folder we can find the private key for SSL communication and certificate is also availlable. Builtin\user can use it to decrypt communication with the server or impersonate them....


... snip ...

C:\Program Files\Remote Files Server\mserver.exe BUILTIN\Utilisateurs:C
                                                 BUILTIN\Utilisateurs avec pouvoir:C
                                                 BUILTIN\Administrateurs:F
                                                 AUTORITE NT\SYSTEM:F
                                                 FUZZYXP\test:C
... snip ...

C:\>WHOAMI.EXE
FUZZYXP\test

C:\>telnet 127.0.0.1 4444


C:\>WHOAMI.EXE
WHOAMI.EXE
AUTORITE NT\SYSTEM





#####################################################################################

===========
3) The Code
===========

N\A


#####################################################################################
(PRL-2009-16)



__________________________________________________________________
Looking for the perfect gift? Give the gift of Flickr!

http://www.flickr.com/gift/
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close