Home / exploits Telefonica O2 Connection Manager 3.4 Local Privilege Escalation
Posted on 10 October 2014
Telefonica O2 Connection Manager 3.4 Local Privilege Escalation Vulnerability Vendor: Telefonica S.A. Product web page: http://www.telefonica.com | http://www.o2.co.uk Affected version: 3.4.R1 (108) Summary: O2 Connection Manager will help you to manage your internet connections by getting you connected to the fastest available network. Automatically connect you to the fastest available network including your home broadband if you have a wireless router. Desc: O2 Connection Manager suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable files with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (Full) for 'Everyone' group, making the entire directory 'O2 Connection Manager' and its files and sub-dirs world-writable. Tested on: Microsoft Windows 7 Professional SP1 (EN) Microsoft Windows 7 Ultimate SP1 (EN) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2014-5199 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5199.php 22.09.2014 --- ========================================================================== Arguments Used: Filename = "C:Program Files (x86)O2CM-CEO2 Connection Manager" ************************************************************************** Directory: C:Program Files (x86)O2CM-CEO2 Connection Manager Permissions: Type Username Permissions Inheritance Allowed Everyone Full Control This Folder Only Allowed Everyone Special (Unknown) Files Only Allowed BUILTINAdministrators Special (DCBA654321) This Folder and Files Allowed NT SERVICETrustedInsta Full Control This Folder Only Allowed NT SERVICETrustedInsta Special (Unknown) Subfolders only Allowed NT AUTHORITYSYSTEM Full Control This Folder Only Allowed NT AUTHORITYSYSTEM Special (Unknown) Subfolders and Files Allowed BUILTINAdministrators Full Control This Folder Only Allowed BUILTINAdministrators Special (Unknown) Subfolders and Files Allowed BUILTINUsers Read and Execute This Folder Only Allowed BUILTINUsers Special (Unknown) Subfolders and Files Allowed CREATOR OWNER Special (Unknown) Subfolders and Files No Auditing set Owner: NT AUTHORITYSYSTEM ************************************************************************** Operation Complete Elapsed Time: 0,234375 seconds. ========================================================================== Arguments Used: Filename = "C:Program Files (x86)O2CM-CEO2 Connection Manager scui.exe" ************************************************************************** File: C:Program Files (x86)O2CM-CEO2 Connection Manager scui.exe Permissions: Type Username Permissions Inheritance Allowed Everyone Full Control This Folder Only Allowed BUILTINAdministrators Special (DCBA654321) This Folder Only Allowed NT AUTHORITYSYSTEM Full Control This Folder Only Allowed BUILTINAdministrators Full Control This Folder Only Allowed BUILTINUsers Read and Execute This Folder Only No Auditing set Owner: NT AUTHORITYSYSTEM ************************************************************************** Operation Complete Elapsed Time: 0,125 seconds. ========================================================================== C:Program Files (x86)O2CM-CEO2 Connection Manager>icacls *.exe |findstr "Everyone:(I)(F)" Elevate.exe Everyone:(I)(F) locSrch.exe Everyone:(I)(F) md5sum.exe Everyone:(I)(F) patch.exe Everyone:(I)(F) ProfileImp.exe Everyone:(I)(F) SupportAssistant.exe Everyone:(I)(F) tscui.exe Everyone:(I)(F) vcredist_x86.exe Everyone:(I)(F) WifiProfileImportTool.exe Everyone:(I)(F) XAU.exe Everyone:(I)(F) C:Program Files (x86)O2CM-CEO2 Connection Manager> ==========================================================================
