BakBone NetVault NVStatsMngr.EXE Local Privilege Escalation Vulnerability

Info

Bugtraq ID: 13408
Class: Design Error
CVE: CVE-2005-1372
Remote: No
Local: Yes
Published: Apr 27 2005 12:00AM
Updated: Jul 12 2009 02:06PM
Credit: Reed Arvin is credited with the discovery of this vulnerability.
Vulnerable: BakBone NetVault 7.3
BakBone NetVault 7.1.1
BakBone NetVault 7.1
BakBone NetVault 7.0
Not Vulnerable: BakBone NetVault 7.3.1
BakBone NetVault 7.1.3
BakBone NetVault 7.1.2

Discussion

BakBone NetVault is affected by a local privilege escalation vulnerability. A local user can manipulate 'nvstatsmngr.exe' to escalate privileges to those of the LocalSystem account.

An attacker can exploit this vulnerability to gain SYSTEM level privileges on an affected computer.

NetVault versions prior to 7.1.2/3 and 7.3.1 are vulnerable.

Exploit / POC

Proceeding through the following steps will result in a command prompt running with SYSTEM level privileges:
1. Utilize the exploit to get the C:\Program Files\BakBone Software\NetVault\bin\nvstatsmngr.exe window to appear. Access the window menu in the upper left and click Properties.
2. Right click on the word Window under the Display Options and click What's This?
3. Right click on the help text that is shown in yellow and click Print Topic.
4. Right click on any printer and click Open.
5. Click Help, Help Topics.
6. Right click in the right side of the help screen and click View Source.
7. Notepad will appear (running under the context of the LocalSystem account). Click File, click Open.
8. Change Files of type: to All Files, navigate to the system32 directory and locate cmd.exe. Right click cmd.exe and choose Open.

The following exploit will unhide the 'nvstatsmngr.exe' service window:

Solution / Fix

Solution:
The vendor has released upgrades to address this issue. Please contact the vendor to obtain fixes.
