SOUND4 Server Service 4.0.2 Local Privilege Escalation

SOUND4 Server Service 4.0.2 Local Privilege Escalation

Vendor: SOUND4 Ltd.

Product web page: https://www.sound4.com | https://www.sound4.biz

Version affected: 4.1.102

Summary: SOUND4 Windows Server Service.

Desc: An unquoted issue in the search path is affecting this application

The service “SOUND4 Server” for Windows. It could allow for an

Authorized but not privileged local user can execute any code

You will be granted higher privileges within the system. To make a successful attempt, you will need to

Local user will be able insert their code into the system root path unnoticed

by any OS or security application where it might be executed

During application startup and reboot. If the application startup or reboot is successful, then the code of local users will be generated

You would be granted the highest privileges in the application.

Windows 10 Home 64 Bit (build 9200).

SOUND4 Server v4.1.102

SOUND4 Remote Control v4.3.17

Gjoko “LiquidWorm” Krstic discovered vulnerability

Macedonian Information Security Research and Development Laboratory

Zero Science Lab – https://www.zeroscience.mk – @zeroscience

ZSL-2022-571

Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5721.php

26.09.2022

—

C:>sc qc “SOUND4 Server”

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SOUND4 server

TYPE: 10 WIN32_OWN_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL: 1 NORMAL

BINARY_PATH_NAME : C:Program FilesSOUND4ServerSOUND4 Server.exe –service

LOAD_ORDER_GROUP :

TAG: 0

DISPLAY_NAME: SOUND4 Server

DEPENDENCIES:

SERVICE_START_NAME: LocalSystem

C:>cacls “C:Program FilesSOUND4ServerSOUND4 Server.exe”

C:Program FilesSOUND4ServerSOUND4 Server.exe NT AUTHORITYSYSTEM:(ID)F

BUILTINAdministrators:(ID)F

BUILTINUsers:(ID)R

APPLICATION PAKAGE AUTHORITYALL APKLICATION PACKAGES (ID)R

APPLICATION PAKAGE AUTHORITYALL RESTRICTED APKLICATION PACKAGES (ID)R

C:Program FilesSOUND4Server>”SOUND4 Server.exe” -V

4.1.102