Millewin 13.39.028 Unquoted Service Path / Insecure Permissions

Millewin version 13.39.028 suffers from a local privilege escalation
issue due to insecure permissions and unquoted service paths.

(1) Executable launched at startup through a Run registry key.
Any low-privileged user can elevate privileges by abusing this entry:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: MilleLiveUpdate
Value data: "C:\Program Files (x86)\Millewin\MilleUpdater\MilleUpdater.exe"


(2) Impacted services.
Any low-privileged user can elevate privileges by abusing any of these services, whose paths are also unquoted:

Millewin, operazioni pianificate    MillewinTaskService    C:\Program Files (x86)\Millewin\GestioneTaskService.exe    Auto
PDS Server                          PDS Server             C:\Program Files (x86)\Millewin\WatchDogService.exe        Auto

Details:

NOME_SERVIZIO: Millewintaskservice
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : C:\Program Files (x86)\Millewin\GestioneTaskService.exe
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : Millewin, operazioni pianificate
DIPENDENZE :
SERVICE_START_NAME : LocalSystem

NOME_SERVIZIO: PDSserver
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : C:\Program Files (x86)\Millewin\WatchDogService.exe
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : PDS Server
DIPENDENZE :
SERVICE_START_NAME : LocalSystem


(3) Folder permissions.
Insecure folder permissions:

C:\Program Files (x86)\Millewin
BUILTIN\Users:(OI)(CI)(F)
Everyone:(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(OI)(CI)(IO)(ID)(accesso speciale:)
GENERIC_READ
GENERIC_EXECUTE
...[SNIP]...

C:\Program Files (x86)\Millewin\MilleUpdater
BUILTIN\Users:(OI)(CI)(ID)F
Everyone:(OI)(CI)(ID)F
NT SERVICE\TrustedInstaller:(ID)F
NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
NT AUTHORITY\SYSTEM:(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(OI)(CI)(IO)(ID)(accesso speciale:)
GENERIC_READ
GENERIC_EXECUTE
...[SNIP]...
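
As an added audit example (not part of the original advisory), the Python below parses `icacls` and `sc qc` output like that shown above and flags write-capable ACEs held by low-privileged groups and unquoted binary paths that contain spaces. The function names are hypothetical, and the label sets are an assumption that covers only English and Italian `sc qc` output.

```python
import re

# Groups every standard (non-admin) local user belongs to.
LOW_PRIV = ("BUILTIN\\Users", "Everyone", "NT AUTHORITY\\Authenticated Users")
WRITE_RIGHTS = {"F", "M", "W"}  # icacls: full control, modify, write

def weak_aces(icacls_text):
    """Return (principal, right) pairs that let low-privileged users write."""
    hits = []
    for line in icacls_text.splitlines():
        for who in LOW_PRIV:
            m = re.search(re.escape(who) + r":((?:\([^)]*\))*)([A-Z,]*)", line)
            if not m:
                continue
            tokens = re.findall(r"\(([^)]*)\)", m.group(1)) + [m.group(2)]
            rights = {r for t in tokens for r in t.split(",")}
            if "DENY" not in rights:  # deny ACEs grant nothing
                hits += [(who, r) for r in sorted(rights & WRITE_RIGHTS)]
    return hits

def unquoted_with_space(image_path):
    """True if the executable path contains a space and is not quoted."""
    p = image_path.strip()
    exe = re.match(r"(.*?\.exe)\b", p, re.IGNORECASE)
    return bool(exe) and not p.startswith('"') and " " in exe.group(1)

def service_paths(sc_qc_text):
    """Map service name -> binary path from `sc qc` output (English or Italian labels)."""
    paths, name = {}, None
    for line in sc_qc_text.splitlines():
        key, _, val = (s.strip() for s in line.partition(":"))
        if key in ("SERVICE_NAME", "NOME_SERVIZIO"):
            name = val
        elif key in ("BINARY_PATH_NAME", "NOME_PERCORSO_BINARIO"):
            paths[name] = val
    return paths

# Sample input copied from the advisory text above (abridged).
ICACLS = r"""C:\Program Files (x86)\Millewin\MilleUpdater
BUILTIN\Users:(OI)(CI)(ID)F
Everyone:(OI)(CI)(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(OI)(CI)(IO)(ID)(accesso speciale:)"""
SC_QC = r"""NOME_SERVIZIO: PDSserver
NOME_PERCORSO_BINARIO : C:\Program Files (x86)\Millewin\WatchDogService.exe
SERVICE_START_NAME : LocalSystem"""

if __name__ == "__main__":
    print(weak_aces(ICACLS), {s: unquoted_with_space(p) for s, p in service_paths(SC_QC).items()})
```

The quoted Run-key value in (1) does not trip `unquoted_with_space`; that entry is exposed only through the folder ACL in (3), which `weak_aces` reports.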