Safend Data Protection Agent (SDPAgent) Privilege Escalation via Unquoted Service Path
Summary
Safend Data is affected by a privilege elevation vulnerability in the SDPAgent Windows service, caused by an unquoted service path.
- CVE number: CVE-2012-4761
- Impact: Medium
- Vendor homepage: http://www.wave.com/products/safend-protector
- Vendor notified: 11/09/2012
- Vendor response: This will be fixed in the next release.
- Credit: Joseph Sheridan of ReactionIS
Affected Products
Safend Data (Client software) 3.4.5586.9772. Other versions may also be affected.
Details
The SDPAgent Windows service path has spaces in the path and is not quoted:
C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe
Instead of:
"C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe"
Because the path is not quoted, Windows tries each space-delimited prefix of it as an executable name when it starts the service. This could allow a user with write access to the C: drive to create a malicious C:\program.exe file (or even "c:\program files\safend\data.exe"), which would be run in place of the intended file.
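The following audit check is an added example, not part of the original advisory or of Safend's software. It takes service ImagePath strings and reports, for each unquoted one, the paths Windows would try before the intended binary. The service names QuotedAgent and ExampleHost and the sample values other than the SDPAgent path are constructed for illustration.

```python
from __future__ import annotations
import re

# Executable portion of an ImagePath: everything up to the first ".exe"
# that is followed by whitespace or end of string (arguments are dropped).
_EXE = re.compile(r"^(.*?\.exe)(?:\s|$)", re.IGNORECASE)

def interception_candidates(image_path: str) -> list[str]:
    """Paths Windows would try before the intended binary, [] if none."""
    path = image_path.strip()
    if path.startswith('"'):
        return []  # quoted: the executable name is unambiguous
    m = _EXE.match(path)
    if not m:
        return []  # no .exe found (e.g. a .sys driver): review by hand
    exe = m.group(1)
    # Each run of spaces ends a prefix that is tried with ".exe" appended.
    return [exe[:sp.start()] + ".exe" for sp in re.finditer(r" +", exe)]

def audit(services: dict[str, str]) -> dict[str, list[str]]:
    """Map each affected service name to its candidate paths."""
    found = {}
    for name, image_path in services.items():
        candidates = interception_candidates(image_path)
        if candidates:
            found[name] = candidates
    return found

# Constructed sample input: the SDPAgent value is the path from the
# advisory; QuotedAgent and ExampleHost are hypothetical entries.
SAMPLE_SERVICES = {
    "SDPAgent": r"C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe",
    "QuotedAgent": r'"C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe"',
    "ExampleHost": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, candidates in audit(SAMPLE_SERVICES).items():
        print(name)
        for c in candidates:
            print("  would be tried first:", c)
```

On a live host the ImagePath values are read from HKLM\SYSTEM\CurrentControlSet\Services\<name>. Any service the check reports should have its ImagePath quoted as shown above, and the listed directories checked for write access by non-administrative users.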
Impact
An attacker may be able to elevate privileges to local system level.
Solution
This issue will be fixed in the next release.
About ReactionIS
Reaction Information Security is a leading independent pen test consultancy specialising in delivering the highest quality security testing services including network pen testing and web application security testing. As a CESG CHECK Service Provider we are authorised to carry out penetration testing on classified government networks.