Native Instruments Service Center 2.2.5 Local Privilege Escalation Vulnerability

Title: Native Instruments Service Center 2.2.5 Local Privilege Escalation Vulnerability
Advisory ID: ZSL-2010-4981
Type: Local
Impact: Privilege Escalation
Risk: (3/5)
Release Date: 20.11.2010
Summary
The NI Service Center is a service used for Product Activation.
Description
The Native Instruments's Service Center suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the "C" flag (Change(write)) for "Everyone", for the installed files ServiceCenter.exe and Reloader.exe.
Vendor
Native Instruments GmbH - http://www.native-instruments.com
Affected Version
2.2.5 (R596)
Tested On
Microsoft Windows XP Professional SP3 (English)
Vendor Status
[06.11.2010] Vulnerability discovered.
[09.11.2010] Contact with the vendor.
[09.11.2010] Vendor replies.
[09.11.2010] Explained to the vendor that we want to report a vulnerability.
[09.11.2010] Vendor answers in confusion.
[09.11.2010] Explained in details what this is all about.
[10.11.2010] Vendor informs the corresponding department and stated that if they're interested, they'll contact us.
[18.11.2010] Nobody gets in touch with us.
[19.11.2010] Informed the vendor that the public disclosure will occur on 20th of November.
[20.11.2010] Public advisory released.
PoC
servicec_priv.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/15584
[2] http://packetstormsecurity.org/files/96018
[3] http://securityreason.com/exploitalert/9541
[4] http://www.securityfocus.com/bid/44997
[5] http://www.vfocus.net/art/20101122/8272.html
Changelog
[20.11.2010] - Initial release
[22.11.2010] - Added reference [1], [2], [3] and [4]
[24.11.2010] - Added reference [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk