It was found that Ivanti Workspace Control allows a local (unprivileged) attacker to run arbitrary commands with Administrator privileges. This issue can be exploited by spawning a new Composer process, injecting a malicious thread in this process. This thread connects to a Named Pipe and sends an instruction to a service to launch an attacker-defined application with elevated privileges. This issue was successfully verified on Ivanti Workspace Control version 10.2.700.1 and 10.2.950.0.
7ee90d03763dd9d1bf3d0ff765a7bab3------------------------------------------------------------------------
Ivanti Workspace Control local privilege escalation via Named Pipe
------------------------------------------------------------------------
Yorick Koster, August 2018
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was found that Ivanti Workspace Control allows a local (unprivileged)
attacker to run arbitrary commands with Administrator privileges. This
issue can be exploited by spawning a new Composer process, injecting a
malicious thread in this process. This thread connects to a Named Pipe
and sends an instruction to a service to launch an attacker-defined
application with elevated privileges.
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on Ivanti Workspace Control version
10.2.700.1 & 10.2.950.0.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue was resolved in Ivanti Workspace Control version 10.3.10.0.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20180802/ivanti-workspace-control-local-privilege-escalation-via-named-pipe.html