Security
Headlines
HeadlinesLatestCVEs

Headline

File Replication Pro 7.5.0 Insecure Permissions / Privilege Escalation

File Replication Pro version 7.5.0 suffers from having insecure directory permissions that can allow a local attacker the ability to escalate privileges.

Packet Storm
Open in Source
#vulnerability#web#windows#auth
# Exploit Title: File Replication Pro 7.5.0 - Password disclosure/reset & PrivEsc due Incorrect Access Control# Date: 2023-04-13# Exploit Author: Andrea Intilangelo# Vendor Homepage: http://www.diasoft.net - https://www.filereplicationpro.com# Software Link: http://www.filereplicationpro.com/install/InstData/Windows_64_Bit/VM/frpro.exe# Version: 7.5.0# Tested on: Windows 10 Pro 22H2 x64# CVE: CVE-2023-26918Incorrect file/folder permissions in Diasoft Corporation's File Replication Pro 7.5.0 allow privilege escalation byreplacing a file with another one that will be executed with "LocalSystem" rights from Windows Services application.C:\Program Files>icacls "c:\Program Files\FileReplicationPro"c:\Program Files\FileReplicationPro Everyone:(F)                                    Everyone:(OI)(CI)(IO)(F)C:\Users\Administrator>sc qc frp[SC] QueryServiceConfig OPERAZIONI RIUSCITENOME_SERVIZIO: frp        TIPO                      : 10  WIN32_OWN_PROCESS        TIPO_AVVIO                : 2   AUTO_START        CONTROLLO_ERRORE          : 1   NORMAL        NOME_PERCORSO_BINARIO     : "C:\Program Files\FileReplicationPro\prunsrv.exe" //RS//frp        GRUPPO_ORDINE_CARICAMENTO :        TAG                       : 0        NOME_VISUALIZZATO         : FRPReplicationServer        DIPENDENZE                : Tcpip                                  : Afd        SERVICE_START_NAME : LocalSystemTo exploit the vulnerability a malicious actor/process must weaponize or replace the prunsrv.exe executable that runswith LocalSystem privileges as "frp" (FRPReplicationServer) service, since the application's path has "Everyone" fullaccess permissions.Moreover, the "properties.xml" file in the "etc" folder inside program's path contains the hashed password for remoteaccess stored in sha1(base64) value, that is possible to modify. Replacing it with a new hash, generated by encryptinga string in SHA-1 and encoding its digest via base64, will grant the login access on the application's web interface.

Related news

CVE-2023-26918: File Replication Pro- RealTime, Secure, Offsite Backup & File Sync

Diasoft File Replication Pro 7.5.0 allows attackers to escalate privileges by replacing a legitimate file with a Trojan horse that will be executed as LocalSystem. This occurs because %ProgramFiles%\FileReplicationPro allows Everyone:(F) access.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution
Packet Storm