Privilege Escalation Vulnerability in Microsoft Windows
| Field | Details |
|---|---|
| Vulnerable Versions | Windows Vista, Windows Server 2008, Windows 7, Windows 8 RP |
| Tested Version | Windows Vista Ultimate SP1, Windows 2008 SP2, Windows 7 Professional SP1, Windows 8 RP |
| Advisory Publication | August 7, 2012 [without technical details] |
| Vendor Notification | August 7, 2012 |
| Public Disclosure | October 9, 2012 |
| Latest Update | October 8, 2012 |
| Vulnerability Type | Uncontrolled Search Path Element [CWE-427] |
| CVSSv2 Base Score | 6 (AV:L/AC:H/Au:S/C:C/I:C/A:C) |
| Discovered and Provided | High-Tech Bridge Security Research Lab |
High-Tech Bridge Security Research Lab has discovered a vulnerability in Microsoft Windows which could be exploited to escalate privileges under certain conditions.
The vulnerability exists because the “IKE and AuthIP IPsec Keying Modules” system service tries to load the “wlbsctrl.dll” DLL, which is missing from a default Windows installation; the loader therefore searches for it along the system PATH.
Moreover, the service runs with SYSTEM privileges by default. Therefore an unprivileged local user who has write access to a default or any other search PATH location can execute arbitrary code on the vulnerable system with the privileges of the SYSTEM account.
When a directory is created in the C:\ root folder, access permissions for its files and subfolders are inherited from the parent directory. By default, members of the Authenticated Users group have the FILE_APPEND_DATA and FILE_WRITE_DATA rights on all directories created within the C:\ root folder. This also applies to folders created by an application's installer. The vulnerability is introduced to the system when software does not change the default permissions of its installation directory and adds its installation path to the PATH system environment variable. Any member of the Authenticated Users group can then place a malicious file named “wlbsctrl.dll” into that folder and have it executed with SYSTEM privileges after a simple reboot.
Brief research confirmed that the following well-known software makes the weakness exploitable when installed into the C:\ root folder:
- ActivePerl 220.127.116.111 (default installation): CVE-2012-5377
- ActiveTcl 8.5.12 (default installation): CVE-2012-5378
- ActivePython 18.104.22.168 (option to modify the PATH variable is inactive, but can be manually activated): CVE-2012-5379
- Ruby installer 1.9.3-p194 (option to modify the PATH variable is inactive, but can be manually activated): CVE-2012-5380
- PHP 5.3.17 (option to modify the PATH variable is inactive, but can be manually activated; must be explicitly configured to be installed into the C:\ root folder, e.g. C:\PHP): CVE-2012-5381
- Zend Server 5.6.0 SP4 (must be explicitly configured to be installed into the C:\ root folder, e.g. C:\Zend): CVE-2012-5382
- MySQL 5.5.28 (option to modify the PATH variable is inactive, but can be manually activated; must be explicitly configured to be installed into the C:\ root folder, e.g. C:\MySQL): CVE-2012-5383
How to exploit:
Official MSRC answer:
Microsoft has thoroughly investigated the claim and found that this is not a product vulnerability. In the scenario in question, the default security configuration of the system has been weakened by a third-party application. Customers who are concerned with this situation can remove the directory in question from PATH or restrict access to the third-party’s application directory to better protect themselves against these scenarios.
Microsoft requested and approved disclosure of the advisory on October 9, 2012.
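The weakness described above (a low-privileged group holding FILE_WRITE_DATA/FILE_APPEND_DATA on a directory that sits on the system PATH) and the remediation MSRC suggests (restrict the directory's ACL or drop it from PATH) can both be checked for with the following audit script. It is an added example, not code from the advisory or from Microsoft; the list of low-privileged group names and the suggested icacls command are assumptions to be reviewed against the application's own needs before use.

```powershell
# Added audit example (not part of the HTB advisory). Lists system PATH
# directories that low-privileged groups can write to, i.e. locations from
# which a planted wlbsctrl.dll would be loaded by the IKEEXT service.
# Assumes an elevated PowerShell session on the machine being audited.

# Assumed set of groups that any local user is a member of by default.
$LowPrivGroups = 'Authenticated Users', 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\INTERACTIVE'

# FILE_WRITE_DATA (0x2) and FILE_APPEND_DATA (0x4) are the rights the advisory
# names; GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) are generic
# masks that also grant them when they appear in an ACE.
$WriteBits = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Test-LowPrivWrite {
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)
    $id = $Rule.IdentityReference.Value
    $isLowPriv = $LowPrivGroups | Where-Object { $id -like "*$_" }
    ($Rule.AccessControlType -eq 'Allow') -and $isLowPriv -and
        (($Rule.FileSystemRights.value__ -band $WriteBits) -ne 0)
}

function Get-WritablePathDirs {
    # The machine-wide PATH is the one services such as IKEEXT inherit.
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    foreach ($dir in ($machinePath -split ';' | Where-Object { $_ })) {
        $expanded = [Environment]::ExpandEnvironmentVariables($dir).Trim()
        if (-not (Test-Path -LiteralPath $expanded -PathType Container)) { continue }
        $acl  = Get-Acl -LiteralPath $expanded
        $weak = $acl.Access | Where-Object { Test-LowPrivWrite $_ }
        if ($weak) {
            [pscustomobject]@{
                Directory   = $expanded
                WritableBy  = ($weak.IdentityReference.Value | Sort-Object -Unique) -join ', '
                # A wlbsctrl.dll already sitting in a writable PATH directory
                # should not be there on a clean system and merits investigation.
                PlantedDll  = Test-Path -LiteralPath (Join-Path $expanded 'wlbsctrl.dll')
                # Assumed remediation in the spirit of MSRC's advice: strip the
                # inherited ACEs and grant Users read/execute only. Review first:
                # some applications need write access to their own directory.
                Remediation = "icacls `"$expanded`" /inheritance:r /grant:r `"Administrators:(OI)(CI)F`" `"SYSTEM:(OI)(CI)F`" `"Users:(OI)(CI)RX`""
            }
        }
    }
}

Get-WritablePathDirs | Format-List
```

Running it with no output means no PATH directory is writable by the assumed groups; any Directory it does report is the condition the advisory describes, regardless of which product created the folder.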
- High-Tech Bridge Advisory HTB23108 - https://www.htbridge.com/advisory/HTB23108 - Privilege Escalation Vulnerability in Microsoft Windows
- Microsoft Windows - http://www.microsoft.com - Microsoft Windows is a series of graphical interface operating systems developed, marketed, and sold by Microsoft.
- Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
- Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.