Allok Video to iPod Converter – Insecure File Permissions/Privilege Escalation

An Insecure File Permissions vulnerability has been discovered in the official Allok Video to iPod Converter v6.2.1217 software. The vulnerability exists due to insecure default permissions set on ‘Allok Video to iPod Converter.exe’, ‘avep.exe’ and ‘unins000.exe’. A local attacker could exploit this vulnerability by replacing ‘Allok Video to iPod Converter.exe’, ‘avep.exe’ or ‘unins000.exe’ with a malicious executable file. The malicious file could then execute or make modifications with LocalSystem permissions.

Product & Service Introduction:
===============================

Allok 3GP PSP MP4 iPod Video Converter contains Video to 3GP Converter, Video to PSP Converter, Video to PS3 Converter, Video to MP4 Converter, Video to iPod Converter, Video to Zune Converter, Video to Xbox Converter. It is an AVI/3GP/MP4 file conversion tool for your portable media player (MP4 player), iPod, Apple TV, PSP, PS3, Zune, Xbox360, Archos, Cellular Phone, Pocket PC, Palm etc. Integrated world class MPEG4/H264 encoder brings you amazing video quality with super fast conversion speed.

(Copy of the Vendor Homepage: http://www.alloksoft.com/)

Date of Discovery:
==================
2018-08-09

Exploitation Technique:
=======================

Local

Platform Tested:
================

Windows 7

Solution – Fix & Patch:
=======================

Include multiple integrity checks for the software files on startup and during the static runtime.
Change the access permissions of all three executable files (‘Allok Video to iPod Converter.exe’, ‘avep.exe’ and ‘unins000.exe’).

Risk Level:

Proof of Concept (PoC):
=======================

Allok Video to iPod Converter for Windows contains a vulnerability that could allow a local attacker to gain elevated privileges.

-- PoC Session Logs (Permissions) --
C:\Program Files\Allok Video to iPod Converter>icacls *.exe
Allok Video to iPod Converter.exe Tout le monde:(I)(F)      <- permissions 
                                  AUTORITE NT\Système:(I)(F)
                                  BUILTIN\Administrateurs:(I)(F)
                                  BUILTIN\Utilisateurs:(I)(RX)

avep.exe Tout le monde:(I)(F)      <- permissions 
         AUTORITE NT\Système:(I)(F)
         BUILTIN\Administrateurs:(I)(F)
         BUILTIN\Utilisateurs:(I)(RX)

unins000.exe Tout le monde:(I)(F)      <- permissions 
             AUTORITE NT\Système:(I)(F)
             BUILTIN\Administrateurs:(I)(F)
             BUILTIN\Utilisateurs:(I)(RX)

3 fichiers correctement traités ; échec du traitement de 0 fichiers
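
An added example, not part of the original advisory: a Python audit check that parses icacls output in the layout of the session log above and reports files on which a broad principal holds write-capable rights. The principal list, the set of write rights, the function names and the sample text are assumptions of this example.

```python
import re

# Principals treated as "any local user". Names are locale-dependent: the French
# ones appear in the PoC log, the English ones are added by this example.
BROAD = {"everyone", "tout le monde", r"builtin\users", r"builtin\utilisateurs"}
# icacls rights that let the holder change the file's contents or its ACL.
WRITE = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "GA", "GW"}
ACE = re.compile(r"^(?P<who>.+?):(?P<perms>(?:\([^)]*\))+)")

# Constructed sample: two entries in the layout of the PoC session log.
SAMPLE = r"""
Allok Video to iPod Converter.exe Tout le monde:(I)(F)
                                  BUILTIN\Administrateurs:(I)(F)
                                  BUILTIN\Utilisateurs:(I)(RX)

avep.exe Tout le monde:(I)(F)
         BUILTIN\Utilisateurs:(I)(RX)

2 fichiers correctement traités ; échec du traitement de 0 fichiers
"""

def parse_icacls(text):
    """Yield (file, principal, rights, is_deny) for each ACE in icacls output."""
    for block in re.split(r"\n\s*\n", text.strip("\n")):
        lines = [l for l in block.splitlines() if ACE.match(l.strip())]
        if not lines:
            continue  # summary line, not an ACL listing
        head = lines[0]
        if len(lines) > 1:
            # Continuation lines are indented to the column where the principal starts.
            col = len(lines[1]) - len(lines[1].lstrip())
        else:
            # Single ACE: split before a known broad principal, else at the last space.
            who = ACE.match(head).group("who").lower()
            hit = [n for n in BROAD if who.endswith(" " + n)]
            col = len(who) - len(max(hit, key=len)) if hit else who.rfind(" ") + 1
        name = head[:col].strip()
        for line in [head[col:]] + lines[1:]:
            m = ACE.match(line.strip())
            groups = re.findall(r"\(([^)]*)\)", m.group("perms"))
            rights = {r.strip() for g in groups for r in g.split(",")}
            yield name, m.group("who"), rights, "DENY" in rights

def writable_by_any_user(text):
    """Return sorted (file, principal, rights) where a broad principal may write."""
    return sorted((f, who, ",".join(sorted(r & WRITE)))
                  for f, who, r, deny in parse_icacls(text)
                  if who.lower() in BROAD and r & WRITE and not deny)
```

Because principal names are localized, matching on well-known SIDs instead of names is more reliable when the audit runs across machines with different display languages.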
