Millewin 13.39.146.1 – Local Privilege Escalation

• Exploit Database
• 21 阅读

• 作者： Andrea Intilangelo
  日期： 2021-02-08
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/49530/

• # Exploit Title: Millewin 13.39.146.1 - Local Privilege Escalation
  # Date: 2021-02-07
  # Author: Andrea Intilangelo
  # Vendor Homepage: https://www.millewin.it
  # Software Homepage: https://www.millewin.it/index.php/prodotti/millewin 
  # Software Link: https://download.millewin.it/files/Millewin/setup/InstMille_Demo_13.39_2019PS.exe
  # Version: 13.39.028 – 146.1.9
  # Tested on: Microsoft Windows 10 Enterprise x64
  # CVE: CVE-2021-3394
  
  Millennium Millewin also known as "Cartella clinica"
  
  Vendor: Millennium S.r.l. / Dedalus Group / Dedalus Italia S.p.a.
  
  Affected version: 13.39.028
  13.39.28.3342
  13.39.146.1
  -
  
  Summary (from online translator): 
  Millewin represents the Professional Solution par excellence, recognized and supported by over 18,000 doctors. Millewin is able to guarantee ideal management
  of the patient's medical records, it also adheres perfectly to the most recent requirements of the General Practitioner and, thanks to the latest functional
  innovations, it assists the doctor in the diagnosis and management of therapy. It can be used, at no additional cost, for group medicine and at the secretarial
  station. Millewin is integrated with all Regional and Corporate Projects. Millewin modules: ACN, MilleDSS, MilleAIR, Redazione e invio fatture, MilleBook.
  
  Vuln desc: 
  The application is prone to insecure permissions in its folders that allows unprivileged user complete control. An attacker can exploit the vulnerability by
  arbitrarily replacing file(s) invoked by service(s)/startup regkey impacted. File(s) will be executed with SYSTEM privileges. 
  
  The application is subject to insecure folders permissions issue impacting the services 'MillewinTaskService' and 'PDS Server' for Windows deployed as part of
  Millewin suite (Cartella clinica) software application, and the registy runkey responsible to start update (MilleUpdater) task. 
  This allow an authorized but non-privileged local or remote user to execute arbitrary code with elevated privileges on the system. An attacker can easily take
  advantage of the flaw arbitrarily replacing the impacted file(s) that will be executed during application startup or reboot. If successful, the malicious file(s)
  would execute with the elevated privileges of the application.
  
  The application also suffers from unquoted service path issues.
  
  
  (1) Impacted executable on startup by regkey.
  Any low privileged user can elevate their privileges abusing this scenario:
  
  Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Value name:	MilleLiveUpdate
  Value data:	"C:\Program Files (x86)\Millewin\MilleUpdater\MilleUpdater.exe"
  
  
  (2) Impacted services.
  Any low privileged user can elevate their privileges abusing any of these (also unquoted) services:
  
  Millewin, operazioni pianificateMillewinTaskService C:\Program Files (x86)\Millewin\GestioneTaskService.exe Auto
  PDS ServerPDS ServerC:\Program Files (x86)\Millewin\WatchDogService.exe Auto
  
  	Details:
  	
  NOME_SERVIZIO: Millewintaskservice
  TIPO: 10WIN32_OWN_PROCESS
  TIPO_AVVIO: 2 AUTO_START
  CONTROLLO_ERRORE: 1 NORMAL
  NOME_PERCORSO_BINARIO : C:\Program Files (x86)\Millewin\GestioneTaskService.exe
  GRUPPO_ORDINE_CARICAMENTO :
  TAG : 0
  NOME_VISUALIZZATO : Millewin, operazioni pianificate
  DIPENDENZE:
  SERVICE_START_NAME : LocalSystem
  
  NOME_SERVIZIO: PDSserver
  TIPO: 10WIN32_OWN_PROCESS
  TIPO_AVVIO: 2 AUTO_START
  CONTROLLO_ERRORE: 1 NORMAL
  NOME_PERCORSO_BINARIO : C:\Program Files (x86)\Millewin\WatchDogService.exe
  GRUPPO_ORDINE_CARICAMENTO :
  TAG : 0
  NOME_VISUALIZZATO : PDS Server
  DIPENDENZE:
  SERVICE_START_NAME : LocalSystem
  
  
  (3) Folder permissions.
  Insecure folders permissions issue:
  
  C:\Program Files (x86)\Millewin 
  BUILTIN\Users:(OI)(CI)(F)
  Everyone:(OI)(CI)(F)
  NT SERVICE\TrustedInstaller:(I)(F)
  NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
  NT AUTHORITY\SYSTEM:(I)(F)
  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
  BUILTIN\Administrators:(I)(F)
  BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
  BUILTIN\Users:(I)(RX)
  								BUILTIN\Users:(OI)(CI)(IO)(ID)(accesso speciale:)
  GENERIC_READ
  GENERIC_EXECUTE
  ...[SNIP]...
  
  C:\Program Files (x86)\Millewin\MilleUpdater 
   BUILTIN\Users:(OI)(CI)(ID)F
  											 Everyone:(OI)(CI)(ID)F
   NT SERVICE\TrustedInstaller:(ID)F
   NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
   NT AUTHORITY\SYSTEM:(ID)F
   NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
   BUILTIN\Administrators:(ID)F
   BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
   BUILTIN\Users:(OI)(CI)(IO)(ID)(accesso speciale:)
   GENERIC_READ
   GENERIC_EXECUTE
  ...[SNIP]...