Photo Nettoyeur version 1.4.5 suffers from an insecure file permission vulnerability.
36ee9a16fe6a0ef19dce0161048fb9bai>>?#--------------------------------------------------------#
#Exploit Title: Photo Nettoyeur 1.4.5 - Insecure File Permission
#Exploit Author : ZwX
#Exploit Date: 2018-09-28
#Vendor Homepage : http://www.marseillesoft.com/
#Link Software : http://www.marseillesoft.com/telecharger/
#Tested on OS: Windows 7 & Windows 10
#Social: twitter.com/ZwX2a
#contact: [email protected]
#Website: http://zwx-pentester.fr/
#--------------------------------------------------------#
Technical Details & Description:
================================
The Photo Nettoyeur suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user
that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (Full)'C' (Write change) 'M' (Modify) for 'Users' group.
This gives an authenticated attacker the ability to modify or overwrite any file in the directory
with malicious code (trojan or a rootkit). This could result in escalation of privileges or malicious effects on the systeme
Proof of Concept (PoC):
=======================
For security demonstration or to reproduce follow the provided information and steps below to continue.
C:\>cacls PhotoNettoyeur
C:\PhotoNettoyeur BUILTIN\Administrateurs:(ID)F <---- Full access
BUILTIN\Administrateurs:(OI)(CI)(IO)(ID)F
AUTORITE NT\SystA"me:(ID)F
AUTORITE NT\SystA"me:(OI)(CI)(IO)(ID)F
BUILTIN\Utilisateurs:(OI)(CI)(ID)R
AUTORITE NT\Utilisateurs authentifiA(c)s:(ID)C
AUTORITE NT\Utilisateurs authentifiA(c)s:(OI)(CI)(IO)(ID)C <---- Edit
C:\PhotoNettoyeur>cacls PhotoNettoyeur.exe
PhotoNettoyeur.exe BUILTIN\Administrateurs:(ID)F <---- Full access
AUTORITE NT\SystA"me:(ID)F
BUILTIN\Utilisateurs:(ID)R
AUTORITE NT\Utilisateurs authentifiA(c)s:(ID)C <---- Edit
C:\>icacls PhotoNettoyeur
PhotoNettoyeur BUILTIN\Administrateurs:(I)(F) <---- Full access
BUILTIN\Administrateurs:(I)(OI)(CI)(IO)(F)
AUTORITE NT\SystA"me:(I)(F)
AUTORITE NT\SystA"me:(I)(OI)(CI)(IO)(F)
BUILTIN\Utilisateurs:(I)(OI)(CI)(RX)
AUTORITE NT\Utilisateurs authentifiA(c)s:(I)(M)
AUTORITE NT\Utilisateurs authentifiA(c)s:(I)(OI)(CI)(IO)(M) <---- Modify
C:\PhotoNettoyeur>icacls PhotoNettoyeur.exe
PhotoNettoyeur.exe BUILTIN\Administrateurs:(I)(F) <---- Full access
AUTORITE NT\SystA"me:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
AUTORITE NT\Utilisateurs authentifiA(c)s:(I)(M) <---- Modify
[#] Disclaimer:
===============
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the
author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related
information or exploits by the author or elsewhere.
Copyright A(c) 2018 | ZwX - Security Researcher (Software & web application)