Full title: NO-IP DUC v4.1.1 Unquoted Service Path Privilege Escalation Exploit
Category: local exploits
Platform: windows

Exploit Title : NO-IP_privilege_scalation.rb - 'Unquoted Service Path Privilege Escalation'
Version       : 4.1.1
vuln Discover : Ehsan Hosseini
Module Author : pedr0 Ubuntu [r00t-3xp10it]
Tested on     : Windows 7 Professional
Software Link : http://www.noip.com/client/DUCSetup_v4_1_1.exe

[ DESCRIPTION ]
NO-IP DUC v4.1.1 installs a service with an unquoted service path.
This enables a local privilege escalation vulnerability.
To exploit this vulnerability, a local attacker can insert an executable
file in the path of the service. Rebooting the system or restarting the
service will run the malicious executable with elevated privileges.

---------------------------------------------------------------------------
C:\>sc qc NoIPDUCService4
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: NoIPDUCService4
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\No-IP\ducservice.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : NO-IP DUC v4.1.1
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------

Using the BINARY_PATH_NAME listed above as an example, an executable named
"Program.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.
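An added example, not part of the original advisory or the exploit module: a Python audit that parses `sc qc` output, flags services whose BINARY_PATH_NAME is unquoted and contains a space, and reports the paths that must not exist together with the quoted form to configure. The second service (ExampleQuotedSvc) and all function names are constructed for illustration.

```python
import re

# Constructed sample: the BINARY_PATH_NAME from the advisory's `sc qc` output,
# plus a hypothetical, correctly quoted service (ExampleQuotedSvc) for contrast.
SC_QC_OUTPUT = r"""
SERVICE_NAME: NoIPDUCService4
        BINARY_PATH_NAME   : C:\Program Files\No-IP\ducservice.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ExampleQuotedSvc
        BINARY_PATH_NAME   : "C:\Program Files\Example\svc.exe" --run
        SERVICE_START_NAME : LocalSystem
"""

def parse_services(text):
    """Map each SERVICE_NAME to its BINARY_PATH_NAME."""
    services, name = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "SERVICE_NAME":
            name = value
        elif key == "BINARY_PATH_NAME" and name:
            services[name] = value
    return services

def split_image(binary_path):
    """Split an unquoted command line into (image path, arguments)."""
    m = re.match(r"(?i)(.*?\.exe)(\s.*|$)", binary_path)
    return (m.group(1), m.group(2)) if m else (binary_path, "")

def ambiguous_candidates(binary_path):
    """Paths Windows tries before the intended image when it is unquoted."""
    if binary_path.startswith('"'):
        return []  # quoted: the path is taken as a single token
    parts = split_image(binary_path)[0].split(" ")
    # Each prefix ending at a space is tried with ".exe" appended.
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def audit(text):
    """Return a finding per service with an unquoted, space-containing path."""
    findings = {}
    for name, path in parse_services(text).items():
        candidates = ambiguous_candidates(path)
        if candidates:
            image, args = split_image(path)
            findings[name] = {"must_not_exist": candidates,
                              "quoted_form": f'"{image}"{args}'}
    return findings
```

Each path under `must_not_exist` should be absent on the host and its parent directory should not be writable by unprivileged users; `quoted_form` is the value the service's image path should carry.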