0day Today Exploits Market and 0day Exploits Database

League of Legends Screensaver - Unquoted Service Path Privilege Escalation

Author: Vincent Yiu
Risk: Security Risk High
0day-ID: 0day-ID-25594
Category: local exploits
Date add: 07-06-2016
Platform: windows
# Exploit Title: League of Legends Screensaver Unquoted Service Paths Conditional Privilege Escalation.
# CVE-ID: NA
# Date: 13/04/2016
# Exploit Author: Vincent Yiu
# Contact: vysec.private@gmail.com
# Vendor Homepage: http://www.leagueoflegends.com
# Software Link: screensaver.euw.leagueoflegends.com/en_US
# Version: MD5 Hash: 0C1B02079CA8BF850D59DD870BC09963
# Tested on: Windows 7 Professional x64 fully updated.
 
1. Description:
 
The League of Legends installer installed the League of Legends
screensaver along with a service named 'lolscreensaver'. This service
was misconfigured: its binary path was unquoted. When the screensaver
is installed to 'C:\Riot Games', the issue is not exploitable. However,
the installer lets users specify the installation directory. When a
user chooses to install to, say, an external drive, the issue becomes
exploitable.
 
This was reported to Riot Games and has been rectified in the latest version.
 
2. Proof
http://i.imgur.com/S2fuUKa.png
 
 
3. Exploit:
 
Run 'sc qc lolscreensaver' and check whether the service path is
unquoted. If it is, check the permissions of each directory obtained
by splitting the path at each space.
 
Eg. D:\My Games\Hidden Files\Super Secure\Riot Games\service\service.exe
 
Run icacls on 'D:\', 'D:\My Games\', 'D:\My Games\Hidden Files\' and
'D:\My Games\Hidden Files\Super Secure\'. If you are able to write
files to any of these directories, the issue is exploitable.
 
If 'D:\My Games\' is writable, the issue can be exploited by placing a
binary named 'Hidden.exe' in that folder; it will run as SYSTEM.
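
The check described above, written as an audit helper for defenders. This is an added example, not part of the original advisory: the 'sc qc' output is constructed from the advisory's example path, and the function names binary_path and audit are hypothetical. It flags an unquoted image path, lists the directories whose ACLs need review, and returns the quoted form that removes the ambiguity.

```python
import ntpath
import re

# Constructed `sc qc lolscreensaver` output using the advisory's example path.
SAMPLE_SC_QC = r"""
SERVICE_NAME: lolscreensaver
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : D:\My Games\Hidden Files\Super Secure\Riot Games\service\service.exe
        SERVICE_START_NAME : LocalSystem
"""

def binary_path(sc_qc_output):
    """Extract the BINARY_PATH_NAME value from `sc qc` output."""
    m = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.+?)\s*$", sc_qc_output, re.M)
    return m.group(1) if m else None

def audit(path):
    """Return (flagged, dirs_to_review, quoted_fix) for a service image path."""
    if path.startswith('"'):
        return False, [], path              # already quoted
    m = re.match(r"(.+?\.exe)\b", path, re.I)
    exe = m.group(1) if m else path         # image path without arguments
    if " " not in exe:
        return False, [], path              # nothing ambiguous to resolve
    dirs = []
    for i, ch in enumerate(exe):
        if ch == " ":
            # Windows may resolve the text before each space as a program,
            # so the directory holding that prefix must not be user-writable.
            parent = ntpath.dirname(exe[:i])
            if parent not in dirs:
                dirs.append(parent)
    return True, dirs, f'"{exe}"{path[len(exe):]}'

if __name__ == "__main__":
    flagged, dirs, fix = audit(binary_path(SAMPLE_SC_QC))
    print("unquoted path with spaces:", flagged)
    for d in dirs:
        print("review ACL with icacls:", d)
    print("quoted replacement:", fix)
```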

#  0day.today [2024-12-25]  #