This page will be updated to include any zero days I’ve been lucky enough to stumble upon.
Liebert MultiLink Automated Shutdown v4.2.4 – Privilege Escalation
November 2015
This is another insecure service binary vulnerability. After installing the software (used for the remote configuration of UPS settings and graceful shutdowns), the SYSTEM run service ‘LiebertM’ is installed. This points to a binary with weak permissions, allowing a low privilege account the ability to replace the binary and execute arbitrary code as SYSTEM.
After unsuccessfully attempting to contact the vendor on 28th July 2015 and CERT’s unsuccessful attempts thereafter, there is currently no known plan for a fix.
If you use this software, please check here for any future updates the vendor may provide.
########################################################
Proxycap v5.27 – Privilege Escalation Vulnerability
November 2015
When Proxycap v5.27 is installed in a non-default location (i.e. not C:\Program Files\Proxy Labs\ProxyCap\ or C:\Program Files (x86)\Proxy Labs\ProxyCap\ ), the “Authenticated Users” group has modify access to the executable file the service (pcapsvc) points to, resulting in the ability for a low privilege user to execute arbitrary code on the operating system. A low privilege account can therefore replace this binary to execute arbitrary code as SYSTEM.
Proxy Labs have now released v5.28 which remediates the issue and can be found here.
########################################################
EPSON Network Utility – Privilege Escalation
October 2015
I found that the SYSTEM run service installed with the Epson Network Utility v4.10 software points to a binary with weak permissions. A low privilege account can replace this binary to execute arbitrary code as SYSTEM.
Further information and details of fix:
Stealthsploit 