Telefonica O2 Connection Manager 3.4 Local Privilege Escalation Vulnerability Vendor: Telefonica S.A. Product web page: http://www.telefonica.com | http://www.o2.co.uk Affected version: 3.4.R1 (108) Summary: O2 Connection Manager will help you to manage your internet connections by getting you connected to the fastest available network. Automatically connect you to the fastest available network including your home broadband if you have a wireless router. Desc: O2 Connection Manager suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable files with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (Full) for 'Everyone' group, making the entire directory 'O2 Connection Manager' and its files and sub-dirs world-writable. Tested on: Microsoft Windows 7 Professional SP1 (EN) Microsoft Windows 7 Ultimate SP1 (EN) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2014-5199 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5199.php 22.09.2014 --- ========================================================================== Arguments Used: Filename = "C:\Program Files (x86)\O2CM-CE\O2 Connection Manager" ************************************************************************** Directory: C:\Program Files (x86)\O2CM-CE\O2 Connection Manager Permissions: Type Username Permissions Inheritance Allowed \Everyone Full Control This Folder Only Allowed \Everyone Special (Unknown) Files Only Allowed BUILTIN\Administrators Special (DCBA654321) This Folder and Files Allowed NT SERVICE\TrustedInsta Full Control This Folder Only Allowed NT SERVICE\TrustedInsta Special (Unknown) Subfolders only Allowed NT AUTHORITY\SYSTEM Full Control This Folder Only Allowed NT AUTHORITY\SYSTEM Special (Unknown) Subfolders and Files Allowed BUILTIN\Administrators Full Control This Folder Only Allowed BUILTIN\Administrators Special (Unknown) Subfolders and Files Allowed BUILTIN\Users Read and Execute This Folder Only Allowed BUILTIN\Users Special (Unknown) Subfolders and Files Allowed \CREATOR OWNER Special (Unknown) Subfolders and Files No Auditing set Owner: NT AUTHORITY\SYSTEM ************************************************************************** Operation Complete Elapsed Time: 0,234375 seconds. ========================================================================== Arguments Used: Filename = "C:\Program Files (x86)\O2CM-CE\O2 Connection Manager\tscui.exe" ************************************************************************** File: C:\Program Files (x86)\O2CM-CE\O2 Connection Manager\tscui.exe Permissions: Type Username Permissions Inheritance Allowed \Everyone Full Control This Folder Only Allowed BUILTIN\Administrators Special (DCBA654321) This Folder Only Allowed NT AUTHORITY\SYSTEM Full Control This Folder Only Allowed BUILTIN\Administrators Full Control This Folder Only Allowed BUILTIN\Users Read and Execute This Folder Only No Auditing set Owner: NT AUTHORITY\SYSTEM ************************************************************************** Operation Complete Elapsed Time: 0,125 seconds. ========================================================================== C:\Program Files (x86)\O2CM-CE\O2 Connection Manager>icacls *.exe |findstr "Everyone:(I)(F)" Elevate.exe Everyone:(I)(F) locSrch.exe Everyone:(I)(F) md5sum.exe Everyone:(I)(F) patch.exe Everyone:(I)(F) ProfileImp.exe Everyone:(I)(F) SupportAssistant.exe Everyone:(I)(F) tscui.exe Everyone:(I)(F) vcredist_x86.exe Everyone:(I)(F) WifiProfileImportTool.exe Everyone:(I)(F) XAU.exe Everyone:(I)(F) C:\Program Files (x86)\O2CM-CE\O2 Connection Manager> ========================================================================== # Iranian Exploit DataBase = http://IeDb.Ir [2014-10-13]