ACTIVE-2019-002: KioWare Server Privilege Escalation Vulnerability
Vulnerability Type:
Privilege Escalation
Vendors:
KioWare
CVE ID:
CVE-2018-18435
Affected Products:
KioWare Server version 4.9.6 and older
Summary:
KioWare Server version 4.9.6 and older installs by default to C:\kioware_com with weak folder permissions granting any user full permission Everyone: (F) to the contents of the directory and it's sub-folders. In addition, the program installs a service called KWSService which runs as Localsystem, this will allow any user to escalate privileges to NT AUTHORITY\SYSTEM by substituting the service's binary with a malicious one.
Mitigation:
Upgrade to KioWare Server version 4.9.9 or install the provided security patch.
Credit:
This vulnerability was found by Hashim Jawad of ACTIVELabs.
References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18435
- https://nvd.nist.gov/vuln/detail/CVE-2018-18435
- https://m.kioware.com/news/kioware-press-releases/kioware_server_security_patch_update
- https://www.kioware.com/patch.aspx
Disclosure Timeline:
- 10-13-18: ACTIVELabs Contacted vendor
- 10-15-18: Vendor requested full report and PoC
- 10-15-18: Full report and PoC sent
- 10-16-18: Vendor was able to reproduce/validate the issue and filed a feature request
- 10-16-18: ACTIVELabs requested vendor to provide timeline for patch
- 10-16-18: ACTIVELabs requested CVE ID
- 10-17-18: CVE-2018-18435 assigned
- 10-17-18: Vendor requested 90 days timeline to patch/QA test
- 12-20-18: Vendor sent patch and requested feedback
- 12-22-18: Suggestions/modifications sent to Vendor
- 12-24-18: Vendor sent new patch and requested feedback
- 12-25-18: New Suggestions/modifications sent to Vendor
- 12-26-18: Vendor sent new patch and requested feedback
- 12-27-18: Vendor was notified that the latest patch is sufficient
- 12-31-18: Vendor released new version (v4.9.9) and patch as well
- 01-07-19: Vulnerability has been made public
- 03-18-19: ACTIVELabs publishes this advisory