OK…honestly… I promise (!)… this is the last advisory about the ProShow Producer application, but also the most dangerous one, with a CVSS score of 7.2 and exploitable on at least all English Microsoft Windows-based operating systems!

The facts ?

Quoted from my published advisory:

Sounds painful…and there’s currently no painkiller (patch) available.

The pain ?

By default the application installs a service called “ScsiAccess” running under the local SYSTEM account, which requires a reboot upon installation.

[Image: ia49-2]

The file permissions of the scsiaccess.exe file which belongs to the service are weak:

[Image: ia49-1]

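Everyone: (I)(F) means inherited full access: the entry is inherited from the parent folder (I) and grants full control (F), so any local user can modify or replace the file.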
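A defensive check for this weakness, as an added example that is not part of the original advisory: it parses `icacls` output for a service binary and reports allow ACEs that give broad groups write access. The path in the sample is a placeholder and the sample output is constructed; only the `Everyone:(I)(F)` entry comes from the post.

```python
import re

# English principal names that include unprivileged local users (assumption:
# English Windows, as on the page; localized systems use translated names).
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users",
         "nt authority\\interactive"}
# icacls rights that allow modifying or replacing the file: simple rights
# F (full), M (modify), W (write) plus the specific write/ownership rights.
WRITE = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "GW", "GA"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^()]+\))+)$")


def weak_aces(path, icacls_output):
    """Return [(principal, rights)] for allow ACEs that let a broad group write to path."""
    findings = []
    for raw in icacls_output.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):   # first line is "<path> <ACE>"
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                                # blank line or summary line
        tokens = set()
        for group in re.findall(r"\(([^()]+)\)", m["groups"]):
            tokens.update(t.strip().upper() for t in group.split(","))
        if "DENY" in tokens or "IO" in tokens:      # deny ACE, or inherit-only (not applied here)
            continue
        rights = sorted(tokens & WRITE)
        if m["who"].lower() in BROAD and rights:
            findings.append((m["who"], rights))
    return findings


# Constructed sample: the path is a placeholder, the Everyone ACE is the one the page shows.
SAMPLE_PATH = r"C:\Example\scsiaccess.exe"
SAMPLE = r"""C:\Example\scsiaccess.exe Everyone:(I)(F)
                          NT AUTHORITY\SYSTEM:(I)(F)
                          BUILTIN\Administrators:(I)(F)
                          BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files"""

if __name__ == "__main__":
    for who, rights in weak_aces(SAMPLE_PATH, SAMPLE):
        print(f"WEAK: {who} has {','.join(rights)} on {SAMPLE_PATH}")
```

Any finding on a binary that a service runs as SYSTEM means an unprivileged user can change what that service executes; the fix is to remove the broad write ACE so that only SYSTEM and Administrators can modify the file.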

The payload ?

Metasploit. Let’s create a reverse meterpreter shell scsiaccess.exe:

[Image: ia49-3]

The attack ?

The attack requires the attacker to already have access to the victim system. Because of the weak file permissions, the attacker is able to replace scsiaccess.exe (rename the original and copy in a new file), which makes it easy to escalate privileges here, since Windows allows you to do so :-). All you need is to prepare a meterpreter handler that will catch the connection from the hijacked service… and after a simple system restart (or service restart):

[Image: ia49-4]

The loot ?

Pure Metasploit magic:

[Image: ia49-5]

Migrating the meterpreter process is the solution to prevent the Windows service timeout from closing the injected scsiaccess.exe. Now you’re SYSTEM on Windows 8 Enterprise. It feels like being root – somehow…but…no…it’s still not the same 😉 🙂

Photodex ProShow Producer Vulnerability #6: ScsiAccess Local Privilege Escalation