Credit:
The information has been provided by https://www.htbridge.com/advisory/HTB23108.
Vulnerable Systems:
* Windows Vista
* Windows Server 2008
* Windows 7
* Windows 8 RP
The IKE and AuthIP IPsec Keying Modules service tries to load the wlbsctrl.dll library, which is missing. This forces Microsoft Windows to use its search path procedure to locate the missing dynamic-link file, in the following order described by Microsoft (http://msdn.microsoft.com/en-us/library/windows/desktop/ff919712%28v=vs.85%29.aspx):
- The directory from which the application loaded
- The system directory
- The 16-bit system directory
- The Windows directory
- The current directory
- The directories that are listed in the PATH environment variable
When a directory is created in the C:\ root folder, access permissions for files and subfolders are inherited from the parent directory. By default, members of the Authenticated Users group have FILE_APPEND_DATA and FILE_WRITE_DATA privileges on all directories created within the C:\ root folder. This also applies to folders created by an application's installer. The vulnerability is introduced to the system when software does not change the default permissions on its installation directory and adds its installation path to the PATH system environment variable. Any member of the Authenticated Users group can then place a malicious file named wlbsctrl.dll into that folder and execute arbitrary code on the system after a simple reboot.
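The following PowerShell audit is an added example, not part of the original advisory. It lists directories on the system PATH where low-privileged groups hold the write rights described above, and notes whether a wlbsctrl.dll is already present there. The choice of three well-known SIDs and the output field names are assumptions of this example, and only Allow ACEs are evaluated.

```powershell
# Added example (not from the advisory): list machine PATH directories in which
# low-privileged groups can create files, and flag any wlbsctrl.dll found there.
# Simplification: only Allow ACEs for three well-known SIDs are evaluated;
# Deny ACEs and other principals are ignored.
$lowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# FILE_WRITE_DATA (0x2) and FILE_APPEND_DATA (0x4), plus GENERIC_WRITE and GENERIC_ALL.
$writeMask   = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

# Read the system-wide PATH (the one a service sees), expand variables, de-duplicate.
$dirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')) } |
    Where-Object { $_ } |
    Select-Object -Unique

foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    try {
        $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL of ${dir}: $($_.Exception.Message)"
        continue
    }
    $dllPresent = Test-Path -LiteralPath (Join-Path $dir 'wlbsctrl.dll')
    # Request rules with SID identities so matching does not depend on localized names.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (-not $lowPrivSids.ContainsKey($sid)) { continue }
        if ($rule.PropagationFlags -band $inheritOnly) { continue }  # ACE does not apply to the directory itself
        if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Directory       = $dir
            Principal       = $lowPrivSids[$sid]
            Rights          = $rule.FileSystemRights
            Inherited       = $rule.IsInherited
            WlbsctrlPresent = $dllPresent
        }
    }
}
```

Any row returned is a PATH directory whose ACL should be tightened or whose PATH entry should be removed; a row with WlbsctrlPresent set to True warrants examining that file.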
CVE Information:
CVE-2012-5377
Disclosure Timeline:
Publish Date : 2012-10-11
Last Update Date : 2012-10-12