SOYAL 701 Client 9.0.1 – Insecure Permissions

• Exploit Database
• 16 阅读

• 作者： LiquidWorm
  日期： 2021-03-19
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/49679/

• # Exploit Title: SOYAL 701 Client 9.0.1 - Insecure Permissions
  # Date: 25.01.2021
  # Exploit Author: LiquidWorm
  # Vendor Homepage: https://www.soyal.com.tw https://www.soyal.com
  
  Vendor: SOYAL Technology Co., Ltd
  Product web page: https://www.soyal.com.tw | https://www.soyal.com
  Affected version: 9.0.1 190410
  9.0.1 190115
  
  Summary: 701 Client is the user interface software for the access control
  system. It is used for adding and deleting tokens, setting door groups
  for access, setting time zones for limiting access and monitoring ingress
  and egress on a live system, among other things.
  
  Desc: The application suffers from an elevation of privileges vulnerability
  which can be used by a simple authenticated user that can change the
  executable file with a binary of choice. The vulnerability exist due
  to the improper permissions, with the 'F' flag (Full) for 'Authenticated Users'
  group.
  
  Tested on: Microsoft Windows 10 Enterprise
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2021-5634
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5634.php
  
  
  25.01.2021
  
  --
  
  
  C:\Program Files (x86)\701Client>cacls client.exe
  C:\Program Files (x86)\701Client\client.exe NT AUTHORITY\Authenticated Users:F
  NT AUTHORITY\Authenticated Users:(ID)F
  NT AUTHORITY\SYSTEM:(ID)F
  BUILTIN\Administrators:(ID)F
  BUILTIN\Users:(ID)R
  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R
  
  
  C:\Program Files (x86)\701Client>