← Advisories

F-Secure BlackLight 2.2.1092 Local Privilege Escalation Vulnerability

Low
Advisory ID
ZSL-2011-5038
Release Date
14 August 2011
Vendor
F-Secure Corporation - http://www.f-secure.com
Affected Version
2.2.1092
CVE
N/A
Tested On
Microsoft Windows XP Professional SP3 (EN)
Summary

F-Secure BlackLight is a tool that detects files, folders and processes hidden from the user and other programs. BlackLight is also able to remove hidden malware by renaming them.

Description

The rootkit eliminator is vulnerable to an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'C' flag (change/write) for the 'Everyone' group, for the 'fsbl.exe' binary file.

Proof of Concept
fsecure_pe.txtTXT
Disclosure Timeline
10.08.2011Vulnerability discovered.
10.08.2011Initial contact with the vendor with sent details.
10.08.2011Auto-reply from vendor that message is received.
13.08.2011No reply from vendor.
14.08.2011Public advisory released.
23.08.2011After cooperating with the vendor and detailed analysis it is concluded that the vulnerability is void.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]http://packetstormsecurity.org/files/104021
[2]http://www.securityfocus.com/bid/49159
[3]http://securityreason.com/exploitalert/10733
[4]http://www.vfocus.net/art/20110817/9344.html
Changelog
14.08.2011Initial release
16.08.2011Added reference [1], [2] and [3]
18.08.2011Added reference [4]
23.08.2011Added vendor status