Zortam Mp3 Media Studio 21.15 - Insecure File Permissions Privilege Escalation

EDB-ID:

40418

CVE:

N/A

EDB Verified:

Author:

Tulpa

Type:

local

Exploit:   /  

Platform:

Windows

Date:

2016-09-23

Vulnerable App: 
# Exploit Title: Zortam Mp3 Media Studio 21.15 Insecure File Permissions Privilege Escalation
# Date: 23/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: http://www.zortam.com/
# Software Link: http://www.zortam.com/download.html
# Version: Software Version 21.15
# Tested on: Windows 10 Professional x64, Windows XP SP3 x86, Windows Server 2008 R2 x64
# Shout-out to carbonated and ozzie_offsec

1. Description:

Zortam Mp3 Media Studio installs by default to "C:\Program Files (x86)\Zortam Mp3 Media Studio\zmmspro.exe" with very weak file permissions granting any user full permission to the exe. This allows opportunity for code execution against any other user running the application.

2. Proof

C:\Program Files\Zortam Mp3 Media Studio>cacls zmmspro.exe
C:\Program Files\Zortam Mp3 Media Studio\zmmspro.exe BUILTIN\Users:F
                                                     NT AUTHORITY\SYSTEM:(ID)F
                                                     BUILTIN\Administrators:(ID)F
                                                     BUILTIN\Users:(ID)R


3. Exploit:

Simply replace zmmspro.exe and wait for execution.
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services