Realtek 11n Wireless LAN utility - Local Privilege Escalation

EDB-ID:

36062

CVE:





Platform:

Windows

Date:

2015-02-13


Realtek 11n Wireless LAN utility privilege escalation.

Vulnerability Discovered by Humberto Cabrera @dniz0r
http://zeroscience.mk @zeroscience

Summary:
	⁃	Realtek 11n Wireless LAN utility is deployed and used by realtek
alfa cards and more in order to help diagnose and view wireless card
properties.

Description:
  -	Unquoted Privilege escalation that allows a user to gain SYSTEM
privileges.

Date - 12 Feb 2015
Version: 700.1631.106.2011
Vendor: www.realtek.com.tw
Advisory URL:
https://eaty0face.wordpress.com/2015/02/13/realtek-11n-wireless-lan-utility-privilege-escalation/
Tested on: Win7

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: realtek11ncu
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\REALTEK\11n USB Wireless LAN
Utility\RtlService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Realtek11nCU
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Windows\system32>sc qc realtek11nsu
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: realtek11nsu
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\REALTEK\Wireless LAN
Utility\RtlService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Realtek11nSU
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem