BitRaider Streaming Client 1.3.3.4098 Local Privilege Escalation Vulnerability

Severity
Medium
Advisory ID
ZSL-2014-5217
Release Date
23 December 2014
Vendor
BitRaider, LLC - http://www.bitraider.com
Affected Version
1.3.3.4098
CVE
N/A
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Summary

BitRaider is a video game streaming and download service.

Description

BitRaider contains a flaw that allows unauthorized privileges to be gained. The installer grants the 'Users' group the 'F' (Full Control) permission on the 'BitRaider' directory, and that permission is inherited by all of its subdirectories and files, so the entire installation is writable by any local user. A local attacker can replace one of the program's executables with a binary of their choice and have it run with the elevated privileges of whichever user or service launches it.
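The weakness described above is an ACL problem, so the check a defender wants is an ACL audit. The following PowerShell script is an added example written for this page; it is not part of the advisory and not BitRaider's code. It walks a directory tree, reports every Allow entry that gives a low-privilege principal (BUILTIN\Users, Everyone, Authenticated Users) write-capable rights such as the Full Control flag the advisory describes, and offers a repair that replaces such entries on the top-level directory with ReadAndExecute. The install path, the function names and the hypothetical output shown in comments are assumptions; the advisory does not state where BitRaider is installed.

```powershell
# Added example: audit a program directory for write-capable ACEs granted to
# low-privilege groups, and optionally replace them with read-only access.
# The default path is an assumption, not a value taken from the advisory.
param(
    [string]$Path = 'C:\Program Files (x86)\BitRaider',  # assumed install path
    [switch]$Fix
)

# Rights that let a member modify or replace an executable in the tree.
$dangerous = [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete

# Well-known SIDs of principals that should never be able to write into
# a program directory (BUILTIN\Users, Everyone, Authenticated Users).
$lowPrivSids = @('S-1-5-32-545', 'S-1-1-0', 'S-1-5-11')

function Get-AceSid {
    # Resolve an ACE identity to its SID string; returns $null on failure.
    param($IdentityReference)
    try {
        $IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }
}

function Test-WeakAce {
    # True when the ACE is an Allow rule for a low-privilege principal that
    # carries write-capable rights. Generic rights (GENERIC_ALL etc.) surface as
    # raw integers in the high nibble, so they are treated as suspicious too.
    param($Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    if ($lowPrivSids -notcontains (Get-AceSid $Ace.IdentityReference)) { return $false }
    $raw = [int64][int]$Ace.FileSystemRights
    $hasGeneric = ($raw -band 0xF0000000) -ne 0
    return $hasGeneric -or (($Ace.FileSystemRights -band $dangerous) -ne 0)
}

function Get-WeakAce {
    # Emit one record per weak ACE found on the root or anything beneath it.
    param([string]$Root)
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if (Test-WeakAce $ace) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Repair-WeakAce {
    # Replace explicit weak ACEs on the root directory with ReadAndExecute that
    # inherits downward. Inherited entries further down are corrected by this;
    # explicit entries on sub-items are reported by Get-WeakAce but left alone.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Root)
    $acl = Get-Acl -LiteralPath $Root
    foreach ($ace in @($acl.Access)) {          # snapshot: we mutate the ACL below
        if ($ace.IsInherited -or -not (Test-WeakAce $ace)) { continue }
        $acl.RemoveAccessRule($ace) | Out-Null
        $readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList @($ace.IdentityReference, 'ReadAndExecute',
                            'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($readOnly)
    }
    if ($PSCmdlet.ShouldProcess($Root, 'Replace write-capable ACEs with ReadAndExecute')) {
        Set-Acl -LiteralPath $Root -AclObject $acl
    }
}

# Report first; only change anything when -Fix is given (honours -WhatIf).
$findings = @(Get-WeakAce -Root $Path)
$findings | Format-Table -AutoSize
if ($Fix -and $findings.Count -gt 0) { Repair-WeakAce -Root $Path }
# Hypothetical finding for the condition the advisory describes (constructed, not captured):
#   Path                              Identity       Rights       Inherited
#   C:\Program Files (x86)\BitRaider  BUILTIN\Users  FullControl  False
```

Run it as an administrator with `-Fix -WhatIf` first to see which entries would change. The repair deliberately touches only the top-level directory: once the inherited Full Control entry is gone, the files and subdirectories that inherited it lose the write access as well, while any explicit entries on individual files remain visible in the report for manual review.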

Proof of Concept
Disclosure Timeline
17.12.2014 Vulnerability discovered.
18.12.2014 Vendor contacted.
22.12.2014 No reply from the vendor.
23.12.2014 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
23.12.2014 Initial release
24.12.2014 Added reference [5]
13.03.2015 Added reference [6]