Lotus Notes Diagnostic Tool 8.5/9.0 - Local Privilege Escalation

EDB-ID:

42605

CVE:

2015-0179

EDB Verified:

Author:

ParagonSec

Type:

local

Exploit:   /  

Platform:

Windows

Date:

2017-09-02

Vulnerable App: 
# Exploit Title: Lotus Notes Diagnostic Tool (nsd.exe) Privelege Escalation
# Date: 02-09-2017
# Exploit Author: ParagonSec
# Website: https://github.com/paragonsec
# Version: 8.5 & 9.0
# Tested on: Windows 7 Enterprise
# CVE: CVE-2015-0179
# Vendor CVE URL: http://www-01.ibm.com/support/docview.wss?uid=swg21700029
# Category: Local & Privilege Escalation Exploit


1. Description

Lotus Notes Diagnostic Tool (nsd.exe) runs under NT Authority/System rights. 
This can be leveraged to run a program under the System context and elevate 
local privileges.


2. Proof of Concept

First you need to execute nsd.exe under the monitor/CLI mode:

> nsd.exe -monitor

Next, after NSD finishes loading you can execute any program under the System context. In this example we will execute CMD.

nsd> LOAD CMD

You will see that cmd is opened as System now.

Also, NSD can be used to attach, kill processes or create memory dumps under the System context.


3. Solution:

This has been fixed on release 9.0.1 FP3 and 8.5.3 FP6.
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services