Safend Data Protection Agent (SDPAgent) Privilege Escalation via Unquoted Service Path
Safend Data is vulnerable to a privilege elevation vulnerability in the SDPAgent Windows service file relating to unquoted service paths.
- CVE number: CVE-2012-4761
- Impact: Medium
- Vendor homepage: http://www.wave.com/products/safend-protector
- Vendor notified: 11/09/2012
- Vendor response: This will be fixed in the next release.
- Credit: Joseph Sheridan of ReactionIS
Safend Data (Client software) 3.4.5586.9772. Other versions may also be affected.
The SDPAgent Windows service path has spaces in the path and is not quoted:
C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe Instead of: "C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe"
This could allow a user with write access to the c: drive to create a malicious C:\program.exe file (or even "c:\program files\safend\data.exe") which would be run in place of the intended file.
An attacker may be able to elevate privileges to local system level.
This issue will be fixed in the next release.
Reaction Information Security is a leading independent pen test consultancy specialising in delivering the highest quality security testing services including network pen testing and web application security testing. As a CESG CHECK Service Provider we are authorised to carry out penetration testing on classified government networks.