Vendor | Samsung, www.samsung.com |
Affected Products | SW Update |
Affected Versions | <= 2.2.7.22 |
CVE ID | n/a |
OVE ID | OVE-20160530-0004 |
Severity | High |
Author | Benjamin Gnahm (@mitp0sh), Blue Frost Security GmbH |
I. Impact
If the SW Update software is installed on a Windows system, any authenticated user can escalate privileges to become the SYSTEM user by placing a crafted DLL file in the SW Update service directory and triggering or waiting for the next system reboot.
II. Technical Details
C:\>cacls "C:\Programdata\Samsung\SW Update Service"
C:\Programdata\Samsung\SW Update Service NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                                         BUILTIN\Administrators:(OI)(CI)(ID)F
                                         CREATOR OWNER:(OI)(CI)(IO)(ID)F
                                         BUILTIN\Users:(OI)(CI)(ID)R
                                         BUILTIN\Users:(CI)(ID)(special access:)
                                                       FILE_WRITE_DATA
                                                       FILE_APPEND_DATA
                                                       FILE_WRITE_EA
                                                       FILE_WRITE_ATTRIBUTES
When the service is started, it tries to load several non-existing DLL files from the service directory, such as MSIMG32.dll, UxTheme.dll or USERENV.dll.
III. Mitigation
To mitigate the issue, the ACL on the service directory should be adjusted to prevent normal users from writing to this directory.
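The following audit script is an added example, not part of the original advisory or of Samsung's software. It checks whether the service directory still grants file-creation rights to low-privileged principals. The function name, the list of SIDs treated as low-privileged, and the decision to ignore Deny ACEs and nested group membership are assumptions of this example.

```powershell
function Test-ServiceDirAcl {
    param(
        # Directory and DLL names are the ones given in the advisory.
        [string]$Path = 'C:\Programdata\Samsung\SW Update Service',
        [string[]]$DllNames = @('MSIMG32.dll', 'UxTheme.dll', 'USERENV.dll')
    )
    # Well-known SIDs treated as low-privileged (assumption of this example):
    # Everyone, Authenticated Users, INTERACTIVE, BUILTIN\Users
    $lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545'

    # On a directory, FILE_WRITE_DATA means "add file" and FILE_APPEND_DATA
    # means "add subdirectory"; either lets the principal create entries in it.
    $createMask = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor
                  [int][System.Security.AccessControl.FileSystemRights]::AppendData
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    $weak = foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivSids -notcontains $ace.IdentityReference.Value) { continue }
        # Inherit-only (IO) ACEs do not apply to the directory itself.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if (([int]$ace.FileSystemRights -band $createMask) -ne 0) {
            [pscustomobject]@{
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    # DLL names from the advisory that are currently absent from the directory.
    $missing = $DllNames | Where-Object {
        -not (Test-Path -LiteralPath (Join-Path $Path $_))
    }
    [pscustomobject]@{
        Path        = $Path
        WritableBy  = @($weak)
        MissingDlls = @($missing)
        NeedsFix    = (@($weak).Count -gt 0)
    }
}

$dir = 'C:\Programdata\Samsung\SW Update Service'
if (Test-Path -LiteralPath $dir) { Test-ServiceDirAcl -Path $dir | Format-List }
```

If `NeedsFix` is true and the entry is marked `Inherited` (the `(ID)` flag in the cacls output above), the write access comes from the parent directory, so the ACL has to be changed with inheritance disabled on the service directory itself.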
IV. Disclosure Timeline
2016-04-25 | Contacted mobile.security@samsung.com and requested a security contact for consumer software |
2016-04-29 | Samsung confirmed that the advisory was received and that it will be analyzed |
2016-05-27 | Requested status update |
2016-05-30 | Samsung confirmed that issue "SI-6041" has been fixed starting with version 2.2.7.24 |
2016-05-30 | Requested CVE ID |
Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact research@bluefrostsecurity.de for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall Blue Frost Security be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Blue Frost Security has been advised of the possibility of such damages.
Copyright 2016 Blue Frost Security GmbH. All rights reserved. Terms of use apply.