F-Secure BlackLight 2.2.1092 Local Privilege Escalation Vulnerability


Vendor: F-Secure Corporation
Product web page: http://www.f-secure.com
                  http://www.f-secure.com/en_EMEA-Labs/security-threats/tools/blacklight/
Affected version: 2.2.1092

Summary: F-Secure BlackLight is a tool that detects files, folders and
processes hidden from the user and other programs. BlackLight is also
able to remove hidden malware by renaming them.

Desc: The rootkit eliminator is vulnerable to an elevation of privileges
vulnerability which can be used by a simple user that can change the
executable file with a binary of choice. The vulnerability exist due to
the improper permissions, with the 'C' flag (change/write) for the 'Everyone'
group, for the 'fsbl.exe' binary file.

Tested on: Microsoft Windows XP Professional SP3 (EN)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2011-5038
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5038.php


10.08.2011

--


C:\>cacls fsbl.exe
C:\fsbl.exe BUILTIN\Administrators:F
            Everyone:C
            LABPC\User4:F
            NT AUTHORITY\SYSTEM:F

C:\>