← Advisories

Native Instruments Service Center 2.2.5 Local Privilege Escalation Vulnerability

Medium
Advisory ID
ZSL-2010-4981
Release Date
20 November 2010
Vendor
Native Instruments GmbH - http://www.native-instruments.com
Affected Version
2.2.5 (R596)
CVE
N/A
Tested On
Microsoft Windows XP Professional SP3 (English)
Summary

The NI Service Center is a service used for Product Activation.

Description

The Native Instruments's Service Center suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the "C" flag (Change(write)) for "Everyone", for the installed files ServiceCenter.exe and Reloader.exe.

Proof of Concept
servicec_priv.txtTXT
Disclosure Timeline
06.11.2010Vulnerability discovered.
09.11.2010Contact with the vendor.
09.11.2010Vendor replies.
09.11.2010Explained to the vendor that we want to report a vulnerability.
09.11.2010Vendor answers in confusion.
09.11.2010Explained in details what this is all about.
10.11.2010Vendor informs the corresponding department and stated that if they're interested, they'll contact us.
18.11.2010Nobody gets in touch with us.
19.11.2010Informed the vendor that the public disclosure will occur on 20th of November.
20.11.2010Public advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]http://www.exploit-db.com/exploits/15584
[2]http://packetstormsecurity.org/files/96018
[3]http://securityreason.com/exploitalert/9541
[4]http://www.securityfocus.com/bid/44997
[5]http://www.vfocus.net/art/20101122/8272.html
Changelog
20.11.2010Initial release
22.11.2010Added reference [1], [2], [3] and [4]
24.11.2010Added reference [5]