|Affected Products||SW Update|
|Affected Versions||<= 126.96.36.199|
|Author||Benjamin Gnahm (@mitp0sh), Blue Frost Security GmbH|
If the SW Update software is installed on a Windows system, any authenticated user can escalate privileges to become the SYSTEM user by placing a crafted DLL file in the SW Update service directory and triggering or waiting for the next system reboot.
II. Technical Details
C:\>cacls "C:\Programdata\Samsung\SW Update Service"
C:\Programdata\Samsung\SW Update Service NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                                         BUILTIN\Administrators:(OI)(CI)(ID)F
                                         CREATOR OWNER:(OI)(CI)(IO)(ID)F
                                         BUILTIN\Users:(OI)(CI)(ID)R
                                         BUILTIN\Users:(CI)(ID)(special access:)
                                                       FILE_WRITE_DATA
                                                       FILE_APPEND_DATA
                                                       FILE_WRITE_EA
                                                       FILE_WRITE_ATTRIBUTES
When the service is started, it tries to load several DLL files that do not exist in the service directory, such as MSIMG32.dll, UxTheme.dll or USERENV.dll.
To mitigate the issue, the ACL on the service directory should be adjusted to prevent normal users from writing to this directory.
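To check whether the ACL adjustment has taken effect, the following added example (not part of the original advisory or of Samsung's software) parses cacls output and reports which principals outside a trusted set can still create files in the directory itself. The function name, the trusted-principal set and the one-ACE-per-line layout of the sample are assumptions made for this example.

```python
import re

# The cacls output from this advisory, one ACE per line (layout constructed).
PATH = r"C:\Programdata\Samsung\SW Update Service"
SAMPLE = r"""C:\Programdata\Samsung\SW Update Service NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
    BUILTIN\Administrators:(OI)(CI)(ID)F
    CREATOR OWNER:(OI)(CI)(IO)(ID)F
    BUILTIN\Users:(OI)(CI)(ID)R
    BUILTIN\Users:(CI)(ID)(special access:)
        FILE_WRITE_DATA
        FILE_APPEND_DATA
        FILE_WRITE_EA
        FILE_WRITE_ATTRIBUTES
"""

# Principals expected to have write access (assumption; extend for your environment).
TRUSTED = {r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators", r"NT SERVICE\TrustedInstaller"}
# Rights that allow creating a file in a directory. On a directory,
# FILE_WRITE_DATA has the same bit value as FILE_ADD_FILE.
CREATE_FILE = {"F", "C", "W", "FILE_WRITE_DATA", "GENERIC_WRITE", "GENERIC_ALL"}
ACE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([A-Z]+\))*)(?P<rest>.*)$")


def plantable_by(cacls_text, path):
    """Map each untrusted principal to the rights that let it create files in `path`.

    `path` must be spelled exactly as cacls printed it on the first output line.
    """
    aces, current = [], None
    for raw in cacls_text.splitlines():
        line = raw.replace(path, "", 1).strip()
        m = ACE.match(line)
        if m:  # start of a new ACE: principal, inheritance flags, simple right
            current = {"who": m["who"], "rights": {m["rest"]},
                       "flags": set(re.findall(r"\(([A-Z]+)\)", m["flags"]))}
            aces.append(current)
        elif current and re.fullmatch(r"[A-Z_]+", line):
            current["rights"].add(line)  # continuation line of "special access"
    findings = {}
    for ace in aces:
        # Inherit-only (IO) entries apply to children, not to the directory itself;
        # DENY entries grant nothing. Neither lets anyone add a file here.
        if ace["who"] in TRUSTED or ace["flags"] & {"IO", "DENY"}:
            continue
        hit = ace["rights"] & CREATE_FILE
        if hit:
            findings.setdefault(ace["who"], set()).update(hit)
    return {who: sorted(rights) for who, rights in findings.items()}


if __name__ == "__main__":
    print(plantable_by(SAMPLE, PATH))
```

An empty result means no principal outside the trusted set holds a right that allows adding files to the directory.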
IV. Disclosure Timeline
Contacted email@example.com and requested a security contact for consumer software
Samsung confirmed that the advisory was received and that it will be analyzed
|2016-05-27||Requested status update|
Samsung confirmed that issue "SI-6041" has been fixed starting with version 188.8.131.52
|2016-05-30||Requested CVE ID|
Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact firstname.lastname@example.org for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall Blue Frost Security be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Blue Frost Security has been advised of the possibility of such damages.