Macro Expert <= 4.9.4 - Insecure Permissions Privilege Escalation
An insecure permissions vulnerability in Macro Expert 4.9.4 and earlier versions allows a local unprivileged attacker to execute arbitrary code as SYSTEM via a crafted script that replaces the MacroService.exe binary, which resides in a path the attacker can modify.
Service name: Macro Expert
Path permission: c:\program files (x86)\grasssoft\macro expert
C:\>icacls "C:\Program Files (x86)\GrassSoft\Macro Expert"
C:\Program Files (x86)\GrassSoft\Macro Expert BUILTIN\Users:(OI)(CI)(M)
                                              NT SERVICE\TrustedInstaller:(I)(F)
                                              NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                              NT AUTHORITY\SYSTEM:(I)(F)
                                              NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                              BUILTIN\Administrators:(I)(F)
                                              BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                              BUILTIN\Users:(I)(RX)
                                              BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                              CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                              APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                              APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
Files in this path can be modified by unprivileged users, malicious processes and/or threat actors: the non-inherited BUILTIN\Users:(OI)(CI)(M) entry grants Modify rights on the folder and, through object and container inheritance, on everything inside it. The service "Macro Expert", which runs under the SYSTEM context, invokes "MacroService.exe" from this directory. If a malicious user replaces the executable named "MacroService.exe" within this directory, the service will inadvertently execute the replaced binary upon reboot, running it with SYSTEM privileges.
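For auditing, the following added example (not part of the original advisory or the vendor's code) parses the icacls output quoted above and reports allow entries that give a low-privileged principal write access to the service folder. The `LOW_PRIV` and `WRITE_RIGHTS` sets and the function names are assumptions chosen for this illustration.

```python
import re

PATH = r"C:\Program Files (x86)\GrassSoft\Macro Expert"
# icacls output as quoted in the advisory above.
ICACLS_OUTPUT = r"""
C:\Program Files (x86)\GrassSoft\Macro Expert BUILTIN\Users:(OI)(CI)(M)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
"""
# Assumption: principals this audit treats as unprivileged.
LOW_PRIV = {r"BUILTIN\Users", "Everyone", r"NT AUTHORITY\Authenticated Users"}
# icacls rights that permit creating, overwriting or deleting files.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "D", "DC"}
ACE_RE = re.compile(r"^(.+?):((?:\([^)]*\))+)$")

def parse_icacls(output, path):
    """Yield (principal, flags, rights) for each ACE line of icacls output."""
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first ACE shares a line with the path
        m = ACE_RE.match(line)
        if m:
            groups = re.findall(r"\(([^)]*)\)", m.group(2))
            # Last group lists the rights; earlier ones are I/OI/CI/IO/NP/DENY.
            yield m.group(1), set(groups[:-1]), set(groups[-1].split(","))

def risky_aces(output, path):
    """Return allow ACEs giving a low-privileged principal write access."""
    hits = []
    for who, flags, rights in parse_icacls(output, path):
        if who not in LOW_PRIV or "DENY" in flags or not rights & WRITE_RIGHTS:
            continue
        # (IO) means the ACE applies only to children, not the folder itself.
        scope = "children only" if "IO" in flags else "folder"
        if "IO" not in flags and flags & {"OI", "CI"}:
            scope = "folder and children"
        hits.append((who, sorted(rights & WRITE_RIGHTS), "I" in flags, scope))
    return hits

if __name__ == "__main__":
    for who, rights, inherited, scope in risky_aces(ICACLS_OUTPUT, PATH):
        print(f"{who}: {rights} inherited={inherited} scope={scope}")
```

On the advisory's output this reports a single entry: the explicit (non-inherited) Modify grant to BUILTIN\Users, which applies to the folder and its children. The inherited BUILTIN\Users entries carry only read and execute rights and are not flagged.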
Alaa Kachouh