[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] SUPERAntiSpyware Professional X Trial < 10.0.1206 Local Privilege Escalation
From: b1nary <thebinary0x1 () gmail ! com>
Date: 2020-08-26 10:43:30
Message-ID: CAMB3VmSw=VEW4eJJdA7m5M=s8d5v3uy2NkF=Ca+wXW-2BOATkQ () mail ! gmail ! com
[Download RAW message or body]
# Vulnerability Description
SUPERAntiSpyware Professional X Trial versions prior to 10.0.1206 are
vulnerable to local privilege escalation because it allows unprivileged
users to restore quarantined files to a privileged location through a NTFS
directory junction.
# Home Page
https://www.superantispyware.com/
# Author: b1nary
# Proof of Concept
1. Place a dll payload in an empty folder
2. Scan the payload with the SUPERAntiSpyware Professional X Trial in
order to get it detected.
3. Once it is detected and moved to quarantine, create a NTFS directory
junction.
4. Restore the payload and reboot the system.
Full PoC video: https://www.youtube.com/watch?v=jdcqbev-H5I
# Timeline
- 16-07-2020 - Vulnerability discovered
- 16-07-2020 - Notified the vendor via support form (vendor did not
response)
- 19-07-2020 - Notified the vendor via email (vendor did not response)
- 25-07-2020 - Vulnerability report to CERT/CC (VRF#20-07-GBPVY)
- 25-08-2020 - Vulnerability Disclosed
# References
https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic