i>>?#--------------------------------------------------------#
#Exploit Title: Photo Nettoyeur 1.4.5 - Insecure File Permission
#Exploit Author : ZwX
#Exploit Date: 2018-09-28
#Vendor Homepage : http://www.marseillesoft.com/
#Link Software : http://www.marseillesoft.com/telecharger/
#Tested on OS: Windows 7 & Windows 10
#Social: twitter.com/ZwX2a
#contact: msk4@live.fr
#Website: http://zwx-pentester.fr/
#--------------------------------------------------------#


Technical Details & Description:
================================
The Photo Nettoyeur suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user 
that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (Full)'C' (Write change) 'M' (Modify) for 'Users' group.
This gives an authenticated attacker the ability to modify or overwrite any file in the directory 
with malicious code (trojan or a rootkit). This could result in escalation of privileges or malicious effects on the systeme


Proof of Concept (PoC):
=======================
For security demonstration or to reproduce follow the provided information and steps below to continue.

C:\>cacls PhotoNettoyeur
C:\PhotoNettoyeur BUILTIN\Administrateurs:(ID)F                             <---- Full access
                  BUILTIN\Administrateurs:(OI)(CI)(IO)(ID)F
                  AUTORITE NT\SystA"me:(ID)F
                  AUTORITE NT\SystA"me:(OI)(CI)(IO)(ID)F
                  BUILTIN\Utilisateurs:(OI)(CI)(ID)R
                  AUTORITE NT\Utilisateurs authentifiA(c)s:(ID)C
                  AUTORITE NT\Utilisateurs authentifiA(c)s:(OI)(CI)(IO)(ID)C   <---- Edit
				  
C:\PhotoNettoyeur>cacls PhotoNettoyeur.exe
PhotoNettoyeur.exe BUILTIN\Administrateurs:(ID)F                            <---- Full access
                   AUTORITE NT\SystA"me:(ID)F
                   BUILTIN\Utilisateurs:(ID)R
                   AUTORITE NT\Utilisateurs authentifiA(c)s:(ID)C              <---- Edit


C:\>icacls PhotoNettoyeur
PhotoNettoyeur BUILTIN\Administrateurs:(I)(F)                               <---- Full access
               BUILTIN\Administrateurs:(I)(OI)(CI)(IO)(F)
               AUTORITE NT\SystA"me:(I)(F)
               AUTORITE NT\SystA"me:(I)(OI)(CI)(IO)(F)
               BUILTIN\Utilisateurs:(I)(OI)(CI)(RX)
               AUTORITE NT\Utilisateurs authentifiA(c)s:(I)(M)
               AUTORITE NT\Utilisateurs authentifiA(c)s:(I)(OI)(CI)(IO)(M)     <---- Modify

C:\PhotoNettoyeur>icacls PhotoNettoyeur.exe
PhotoNettoyeur.exe BUILTIN\Administrateurs:(I)(F)                           <---- Full access
                   AUTORITE NT\SystA"me:(I)(F)
                   BUILTIN\Utilisateurs:(I)(RX)
                   AUTORITE NT\Utilisateurs authentifiA(c)s:(I)(M)             <---- Modify
							   

[#] Disclaimer: 
=============== 
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due 
credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the 
author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related
information or exploits by the author or elsewhere.



				    Copyright A(c) 2018 | ZwX - Security Researcher (Software & web application)