Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

ACTIVE-2019-002: KioWare Server Privilege Escalation Vulnerability

Vulnerability Type:

Privilege Escalation

Vendors:

KioWare

CVE ID:

CVE-2018-18435

Affected Products:

KioWare Server version 4.9.6 and older

Summary:

KioWare Server version 4.9.6 and older installs by default to C:\kioware_com with weak folder permissions granting any user full permission Everyone: (F) to the contents of the directory and it's sub-folders. In addition, the program installs a service called KWSService which runs as Localsystem, this will allow any user to escalate privileges to NT AUTHORITY\SYSTEM by substituting the service's binary with a malicious one.

Mitigation:

Upgrade to KioWare Server version 4.9.9 or install the provided security patch.

Credit:

This vulnerability was found by Hashim Jawad of ACTIVELabs.

References:

Disclosure Timeline:

  • 10-13-18: ACTIVELabs Contacted vendor
  • 10-15-18: Vendor requested full report and PoC
  • 10-15-18: Full report and PoC sent
  • 10-16-18: Vendor was able to reproduce/validate the issue and filed a feature request
  • 10-16-18: ACTIVELabs requested vendor to provide timeline for patch
  • 10-16-18: ACTIVELabs requested CVE ID
  • 10-17-18: CVE-2018-18435 assigned
  • 10-17-18: Vendor requested 90 days timeline to patch/QA test
  • 12-20-18: Vendor sent patch and requested feedback
  • 12-22-18: Suggestions/modifications sent to Vendor
  • 12-24-18: Vendor sent new patch and requested feedback
  • 12-25-18: New Suggestions/modifications sent to Vendor
  • 12-26-18: Vendor sent new patch and requested feedback
  • 12-27-18: Vendor was notified that the latest patch is sufficient
  • 12-31-18: Vendor released new version (v4.9.9) and patch as well
  • 01-07-19: Vulnerability has been made public
  • 03-18-19: ACTIVELabs publishes this advisory