ACTIVE-2020-004: IDrive Local Privilege Escalation
Vulnerability Type:
Privilege Escalation
Vendors:
IDrive Inc.
CVE ID:
CVE-2020-15351
Affected Products:
- IDrive for Windows prior to version 6.7.3.19
Summary:
IDrive for Windows prior to version 6.7.3.19 installs by default to C:\Program Files(x86)\IDriveWindows with weak folder permissions granting any user modify permission NT AUTHORITY\Authenticated Users:(OI)(CI)(M) to the contents of the directory and it's sub-folders. In addition, the program installs a service called IDriveService which runs as Local system, this will allow any standard user to escalate privileges to NT AUTHORITY\SYSTEM by substituting the service's binary with malicious one.
Mitigation:
The vendor has released a patch in version 6.7.3.19 addressing this vulnerability.
Credit:
This vulnerability was found by Hashim Jawad of ACTIVELabs.
References:
- https://www.idrive.com/release-info#win
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15351
- https://nvd.nist.gov/vuln/detail/CVE-2020-15351
Disclosure Timeline:
- 06-15-20: ACTIVELabs contacted IDrive support requesting security contact and PGP key
- 06-15-20: IDrive support requested to share the report with them so they can forward it to the appropriate department
- 06-16-20: ACTIVELabs sent security vulnerability report
- 06-18-20: IDrive support shared a patch and requested to test it
- 06-19-20: ACTIVELabs confirmed the patch has nullified the vulnerability and requested timeline for patch release
- 06-22-20: IDrive support stated the patch will be pushed into production by mid of next week
- 06-25-20: IDrive version 6.7.3.19 released
- 06-26-20: ACTIVELabs publishes this advisory
- 06-26-20: ACTIVELabs request CVE from MITRE
- 06-26-20: CVE-2020-15351 assigned