APC UPS Daemon 3.14.14 Privilege Escalation

APC UPS Daemon versions 3.14.14 and below suffer from a privilege escalation vulnerability.

MD5 | 41553c4b9318748158dd4aa8ecbaf4b5

[+] Credits: fragsh3ll aka Richard Young
[+] Contact: https://twitter.com/fragsh3ll


APC UPS Daemon <= 3.14.14

Vulnerability Type
Privilege Escalation

Vendor Description
Apcupsd can be used for power mangement and controlling most of APCas UPS
models on Unix and Windows machines. Apcupsd works with most of APCas
Smart-UPS models as well as most simple signalling models such a Back-UPS,
and BackUPS-Office. During a power failure, apcupsd will inform the users
about the power failure and that a shutdown may occur. If power is not
restored, a system shutdown will follow when the battery is exhausted, a
timeout (seconds) expires, or runtime expires based on internal APC
calculations determined by power consumption rates. Apcupsd is licensed
under the GPL version 2.

CVE Reference

Vulnerability Details
The default installation of APCUPSD allows a local unprivileged user to run
arbitrary code with elevated privileges by replacing the service executable
apcupsd.exe with a malicious executable, which will run with SYSTEM
privileges at startup.

RW BUILTIN\Administrators
RW NT AUTHORITY\Authenticated Users

1) Install the application with default settings.

2) Replace the service executable located at C:\apcupsd\bin\apcupsd.exe
with an executable of your choice.

3) Restart the service or computer, the executable will run.

Disclosure Timeline:
4/17/17 - Vendor notified
4/17/17 - Vendor acknowledged
5/6/17 - Vendor still working
6/5/17 - No response
6/14/17 - No response
6/15/17 - Public disclosure

Related Posts