← Advisories

Spybot Search & Destroy 1.6.2 Security Center Service Privilege Escalation

Low
Advisory ID
ZSL-2015-5237
Release Date
16 March 2015
Vendor
Safer-Networking Ltd. - http://www.safer-networking.org
Affected Version
1.6.2
CVE
N/A
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Summary

Spybot – Search & Destroy (S&D) is a spyware and adware removal computer program compatible with Microsoft Windows 95 and later. It scans the computer hard disk and/or RAM for malicious software.

Description

The application suffers from an unquoted search path issue impacting the service 'SBSDWSCService' for Windows deployed as part of Spybot S&D. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges of the application.

Proof of Concept
spybot_eop.txtTXT
Disclosure Timeline
17.02.2015Vulnerability discovered and vendor notified.
02.03.2015Vendor confirmed the issue WSC service.
02.03.2015Vendor contacted about timeline for disclosure and patching.
14.03.2015No response from the vendor.
15.03.2015Vendor contacted again about timeline for disclosure and patching.
16.03.2015No response from the vendor.
16.03.2015Public security advisory released.
Credits
Vulnerability discovered by Aljaz Ceru
References
[1]http://www.exploit-db.com/exploits/36417/
[2]http://cxsecurity.com/issue/WLB-2015030109
[3]http://osvdb.org/show/osvdb/119625
[4]http://packetstormsecurity.com/files/130866
[5]https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101748
Changelog
16.03.2015Initial release
17.03.2015Added reference [1] and [2]
18.03.2015Added reference [3] and [4]
01.04.2015Added reference [5]