[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] APC UPS Daemon <= 3.14.14 Local Privilege Escalation

[+] Credits: fragsh3ll aka Richard Young
[+] Contact: https://twitter.com/fragsh3ll


APC UPS Daemon <= 3.14.14

Vulnerability Type
Privilege Escalation

Vendor Description
Apcupsd can be used for power mangement and controlling most of APC’s UPS
models on Unix and Windows machines. Apcupsd works with most of APC’s
Smart-UPS models as well as most simple signalling models such a Back-UPS,
and BackUPS-Office. During a power failure, apcupsd will inform the users
about the power failure and that a shutdown may occur. If power is not
restored, a system shutdown will follow when the battery is exhausted, a
timeout (seconds) expires, or runtime expires based on internal APC
calculations determined by power consumption rates. Apcupsd is licensed
under the GPL version 2.

CVE Reference

Vulnerability Details
The default installation of APCUPSD allows a local unprivileged user to run
arbitrary code with elevated privileges by replacing the service executable
apcupsd.exe with a malicious executable, which will run with SYSTEM
privileges at startup.

  RW BUILTIN\Administrators
  RW NT AUTHORITY\Authenticated Users

1) Install the application with default settings.

2) Replace the service executable located at C:\apcupsd\bin\apcupsd.exe
with an executable of your choice.

3) Restart the service or computer, the executable will run.

Disclosure Timeline:
4/17/17 - Vendor notified
4/17/17 - Vendor acknowledged
5/6/17 - Vendor still working
6/5/17 - No response
6/14/17 - No response
6/15/17 - Public disclosure

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/