Safend Data Protection Agent (SDBAgent) Privilege Escalation via WRITE_DAC privileges
The Safend Data Protection Agent contains a privilege escalation vulnerability in the SDBAgent Windows service file.
- CVE number: CVE-2012-4760
- Impact: Medium
- Vendor homepage: http://www.wave.com/products/safend-protector
- Vendor notified: 11/09/2012
- Vendor response (updated 4/12/2012): WRITE_DAC access: despite the fact that indeed the permission allows such change we enforce even more powerful protection on both SDPAgent.exe and SDBAgent.exe and prevent any attempt to modify (as part of all versions) or even rename such file (as part of latest version you did not test) so the vulnerability is not exploitable.
- Credit: Joseph Sheridan of ReactionIS
Safend Data (Client software) 3.4.5586.9772. Other versions may also be affected.
The SDBAgent service file has the WRITE_DAC permission set for all local users. WRITE_DAC allows a local user to rewrite the ACL and grant themselves full control of the file, which could then be trojaned to gain full local admin privileges. The following is the output from the cacls command:

    C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe BUILTIN\Users:(special access:)
                                                                 READ_CONTROL
                                                                 WRITE_DAC
                                                                 SYNCHRONIZE
                                                                 FILE_GENERIC_READ
                                                                 FILE_GENERIC_EXECUTE
                                                                 FILE_READ_DATA
                                                                 FILE_READ_EA
                                                                 FILE_EXECUTE
                                                                 FILE_READ_ATTRIBUTES

                                                                 NT AUTHORITY\SYSTEM:F
                                                                 BUILTIN\Users:R
                                                                 BUILTIN\Power Users:C
                                                                 BUILTIN\Administrators:F
                                                                 NT AUTHORITY\SYSTEM:F
An attacker may be able to elevate privileges to local administrator level.
This issue will be fixed in the next release.
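An added example, not part of the original advisory or the vendor's code: a Python check that parses cacls output in the layout shown above and reports entries that let an unprivileged principal rewrite the DACL, take ownership or write the file. The function names and the set of principals treated as unprivileged are assumptions; the sample is the advisory's own output.

```python
# Added example: triage cacls output for ACEs that let unprivileged users alter a file.
SAMPLE_PATH = r"C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe"
SAMPLE = SAMPLE_PATH + r""" BUILTIN\Users:(special access:)
        READ_CONTROL
        WRITE_DAC
        SYNCHRONIZE
        FILE_GENERIC_READ
        FILE_GENERIC_EXECUTE
        FILE_READ_DATA
        FILE_READ_EA
        FILE_EXECUTE
        FILE_READ_ATTRIBUTES
    NT AUTHORITY\SYSTEM:F
    BUILTIN\Users:R
    BUILTIN\Power Users:C
    BUILTIN\Administrators:F
    NT AUTHORITY\SYSTEM:F
"""
# Named rights and cacls one-letter grants (F=full, C=change, W=write) that allow
# rewriting the DACL, taking ownership, or modifying the file.
RISKY = {"WRITE_DAC", "WRITE_OWNER", "DELETE", "FILE_WRITE_DATA",
         "FILE_APPEND_DATA", "FILE_GENERIC_WRITE", "F", "C", "W"}
# Assumption: principals treated as unprivileged; extend for your environment.
LOW_PRIV = {r"builtin\users", "everyone", r"nt authority\authenticated users",
            r"nt authority\interactive"}

def parse_cacls(output, path):
    """Return [(principal, [rights])] from the cacls output for one path."""
    aces = []
    for line in output.replace(path, "", 1).splitlines():
        principal, sep, grant = line.strip().partition(":")
        if sep:  # "PRINCIPAL:F", "PRINCIPAL:(OI)(CI)R" or "PRINCIPAL:(special access:)"
            code = grant.rsplit(")", 1)[-1]  # drop inheritance flags / special marker
            aces.append((principal, [code] if code else []))
        elif principal and aces:  # a right name listed under a special-access ACE
            aces[-1][1].extend(principal.split())
    return aces

def risky_aces(output, path):
    """Return (principal, risky rights) for unprivileged principals only."""
    findings = []
    for principal, rights in parse_cacls(output, path):
        bad = sorted(set(rights) & RISKY)
        if principal.lower() in LOW_PRIV and bad:
            findings.append((principal, bad))
    return findings

if __name__ == "__main__":
    for principal, bad in risky_aces(SAMPLE, SAMPLE_PATH):
        print(f"{principal} can alter {SAMPLE_PATH}: {', '.join(bad)}")
```
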