Photo Nettoyeur 1.4.5 – Insecure File Permission

Photo Nettoyeur suffers from an elevation-of-privileges vulnerability that a simple authenticated user can exploit by replacing the executable file with a binary of their choice. The vulnerability exists because of improper permissions: the 'F' (Full), 'C' (Change/Write) and 'M' (Modify) flags are granted to the 'Users' group. This gives an authenticated attacker the ability to modify or overwrite any file in the directory with malicious code (a trojan or a rootkit), which could result in escalation of privileges or other malicious effects on the system.

Date of Discovery:


Exploitation Technique:


Platform Tested:

Windows 7 & 10

Risk Level:

Proof of Concept (PoC):

To demonstrate or reproduce the issue, follow the information and steps provided below.

C:\>cacls PhotoNettoyeur
C:\PhotoNettoyeur BUILTIN\Administrateurs:(ID)F                             <---- Full access
                  AUTORITE NT\Système:(ID)F
                  AUTORITE NT\Système:(OI)(CI)(IO)(ID)F
                  AUTORITE NT\Utilisateurs authentifiés:(ID)C
                  AUTORITE NT\Utilisateurs authentifiés:(OI)(CI)(IO)(ID)C   <---- Edit
C:\PhotoNettoyeur>cacls PhotoNettoyeur.exe
PhotoNettoyeur.exe BUILTIN\Administrateurs:(ID)F                            <---- Full access
                   AUTORITE NT\Système:(ID)F
                   AUTORITE NT\Utilisateurs authentifiés:(ID)C              <---- Edit

C:\>icacls PhotoNettoyeur
PhotoNettoyeur BUILTIN\Administrateurs:(I)(F)                               <---- Full access
               AUTORITE NT\Système:(I)(F)
               AUTORITE NT\Système:(I)(OI)(CI)(IO)(F)
               AUTORITE NT\Utilisateurs authentifiés:(I)(M)
               AUTORITE NT\Utilisateurs authentifiés:(I)(OI)(CI)(IO)(M)     <---- Modify

C:\PhotoNettoyeur>icacls PhotoNettoyeur.exe
PhotoNettoyeur.exe BUILTIN\Administrateurs:(I)(F)                           <---- Full access
                   AUTORITE NT\Système:(I)(F)
                   AUTORITE NT\Utilisateurs authentifiés:(I)(M)             <---- Modify
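As an added example that is not part of the original advisory, the following Python parses `icacls` output (the French-locale listing quoted above is embedded as constructed sample input) and flags any allow ACE that gives an ordinary authenticated user write or modify rights on the checked file or directory. The group-name list and the set of write-capable rights are assumptions chosen for this check.

```python
import re
from typing import List, Tuple

# Constructed sample: the `icacls PhotoNettoyeur.exe` output quoted in the advisory.
SAMPLE_ICACLS = """\
PhotoNettoyeur.exe BUILTIN\\Administrateurs:(I)(F)
                   AUTORITE NT\\Système:(I)(F)
                   AUTORITE NT\\Utilisateurs authentifiés:(I)(M)
"""

# Groups every non-admin authenticated user belongs to. icacls prints localized
# names, so English and French forms are listed (assumption: other locales ignored).
LOW_PRIV_GROUPS = {
    "authenticated users", "utilisateurs authentifiés",
    "users", "utilisateurs", "everyone", "tout le monde",
}
# icacls simple rights (F, M, W) and specific rights that allow changing the file.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "D", "DC"}

ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<flags>(?:\([^)]*\))+)$")

def parse_icacls(output: str, path: str) -> List[Tuple[str, List[str]]]:
    """Turn `icacls <path>` output into (principal, [flag tokens]) pairs.
    The path precedes the first ACE and later ACEs are indented; the summary
    line ("Successfully processed ...") has no ':' so the regex skips it."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group("principal"), re.findall(r"\(([^)]*)\)", m.group("flags"))))
    return aces

def low_priv_writable(aces) -> List[Tuple[str, str, str]]:
    """Return (principal, rights, scope) for allow ACEs granting write access to a
    low-privileged group. scope is 'object' for the listed file/directory itself or
    'children' for inherit-only ACEs that new files under a directory will receive."""
    findings = []
    for principal, flags in aces:
        group = principal.rsplit("\\", 1)[-1].strip().lower()
        if "DENY" in flags or group not in LOW_PRIV_GROUPS:
            continue
        rights = set(flags[-1].split(","))  # last token is the rights list
        if rights & WRITE_RIGHTS:
            scope = "children" if "IO" in flags else "object"
            findings.append((principal, flags[-1], scope))
    return findings

if __name__ == "__main__":
    for p, r, scope in low_priv_writable(parse_icacls(SAMPLE_ICACLS, "PhotoNettoyeur.exe")):
        print(f"WEAK ACL: {p} has ({r}) on {scope}")
```

The check only reads the ACL listing; tightening it is a separate step (an `icacls /remove` or `/grant:r` applied by an administrator) that should leave Users with read and execute rights only.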

