Asseco SEE iBank FX Client <= 2.0.9.3 Local Privilege Escalation Vulnerability Vendor: Asseco SEE Product web page: http://www.asseco.com Affected version: 2.0.9.3 (Build 22.06.2011) - Desktop/Enterprise Edition 1.2 1.1.5.1270 (Service Pack 5) - Desktop Edition 1.1.5.1247 1.0 Application download resource: http://24x7.com.mk/Download.aspx http://www.24x7.rs/eng/content.asp?idmenu1=23&idmenu2=33 Summary: FX Client is an offline application for e-banking that is intended only for legal entities. Desc: The application is vulnerable to an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (full) for the 'Everyone' and 'Users' group, for the 'RichClient.exe' and 'fxclient.exe' binary files making them world-writable. After you replace the binary with your rootkit, on reboot you get SYSTEM privileges. Tested on: Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit Microsoft Windows 7 Professional SP1 (EN) 32/64bit Microsoft Windows XP Professional SP3 (EN) 32bit Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2014-5168 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5168.php CWE ID: 276 CWE URL: https://cwe.mitre.org/data/definitions/276.html 10.01.2014 --- C:\Program Files (x86)\PEXIM\FXClient>icacls RichClient.exe RichClient.exe NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Users:(I)(F) Successfully processed 1 files; Failed processing 0 files C:\Program Files (x86)\PEXIM\FXClient> -- C:\Program Files (x86)\Pexim Solutions\FX Client>icacls fxclient.exe fxclient.exe Everyone:(F) NT AUTHORITY\SYSTEM:(F) Successfully processed 1 files; Failed processing 0 files C:\Program Files (x86)\Pexim Solutions\FX Client>