SolarWinds Kiwi Syslog Server 9.5.1 – Unquoted Service Path Privilege Escalation

• Exploit Database
• 21 阅读

• 作者： Halil Dalabasmaz
  日期： 2016-09-19
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/40393/

• Document Title:
  ================
  SolarWinds Kiwi Syslog Server Unquoted Service Path Privilege Escalation Vulnerability
  
  Author:
  ========
  Halil Dalabasmaz
  
  Release Date:
  ==============
  29 SEP 2016
  
  Product & Service Introduction:
  ================================
  Kiwi Syslog® Server is an affordable, easy-to-use syslog server for IT
  administrators and network teams. Easy to set up and configure, Kiwi Syslog
  Server receives, logs, displays, alerts on, and forwards syslog, SNMP trap,
  and Windows® event log messages from routers, switches, firewalls, Linux®
  and UNIX® hosts, and Windows® machines.
  
  Kiwi Syslog Server also includes log archive management features that allow
  you to maintain compliance by securing, compressing, moving, and purging logs
  exactly as specified in your log retention policy.
   
  Vendor Homepage:
  =================
  http://www.kiwisyslog.com/products/kiwi-syslog-server/product-overview.aspx
  
  Vulnerability Information:
  ===========================
  The application can be install on Windows system as a service by default service
  installation selected. The application a 32-bit application and the default
  installation path is "C:\Program Files (x86)" on Windows systems. This could
  potentially allow an authorized but non-privileged local user to execute arbitrary
  code with elevated privileges on the system. The application work on "Local System"
  privileges. A successful attempt would require the local user to be able to insert
  their code in the system root path undetected by the OS or other security applications
  where it could potentially be executed during application startup or reboot.
  
  C:\Windows\system32>sc qc "Kiwi Syslog Server"
  [SC] QueryServiceConfig SUCCESS
  
  SERVICE_NAME: Kiwi Syslog Server
  TYPE : 10WIN32_OWN_PROCESS
  START_TYPE : 2 AUTO_START
  ERROR_CONTROL: 1 NORMAL
  BINARY_PATH_NAME : C:\Program Files (x86)\Syslogd\Syslogd_Service.exe
  LOAD_ORDER_GROUP :
  TAG: 0
  DISPLAY_NAME : Kiwi Syslog Server
  DEPENDENCIES :
  SERVICE_START_NAME : LocalSystem
  
  
  Vulnerability Disclosure Timeline:
  =========================
  13 AUG 2016 - Contact With Vendor
  15 AUG 2016 - Vendor Response
  15 SEP 2016 - No Response From Vendor
  19 SEP 2016 - Public Disclosure
   
  Discovery Status:
  ==================
  Published
   
  Affected Product(s):
  =====================
  SolarWinds Kiwi Syslog Server 9.5.1
   
  Tested On:
  ===========
  Windows 7 Ultimate 64-Bit SP1 (EN)
   
  Disclaimer & Information:
  ==========================
  The information provided in this advisory is provided as it is without 
  any warranty. BGA disclaims allwarranties, either expressed or implied,
  including the warranties of merchantability and capability for a particular
  purpose. BGA or its suppliers are not liable in any case of damage, including
  direct, indirect, incidental, consequential loss of business profits or
  special damages.
  
  Domain: www.bgasecurity.com
  Social: twitter.com/bgasecurity
  Contact:advisory@bga.com.tr
  
  Copyright © 2016 | BGA Security LLC