[+] Credits: John Page AKA hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/MAILENABLE-MULTIPLE-PRIVILEGE-ESCALATIONS.txt [+] ISR: ApparitionSec Vendor: =================== www.mailenable.com Products: ============ MailEnable MailEnable provides Windows Mail Server software with features comparable to Microsoft Exchange. It provides powerful messaging services like Exchange ActiveSync, IMAP, SMTP, POP3 and collaboration tools such as calendaring (CalDAV), contacts (CardDAV), tasks and notes. Vulnerability Type: =================== Local Privilege Escalation (Unquoted Service Path) CVE Reference: ============== N/A Security Issue: ================== The following MailEnable product services contain multiple local privilege escalation vectors, potentially allowing unprivileged user to gain code execution as SYSTEM via unquoted service paths. Reference: https://www.mailenable.com/Standard-ReleaseNotes.txt c:\>sc qc MELCS [SC] QueryServiceConfig SUCCESS SERVICE_NAME: MELCS TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\Program Files (x86)\Mail Enable\Bin64\MELSC.EXE LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : MailEnable List Connector DEPENDENCIES : SERVICE_START_NAME : LocalSystem c:\>sc qc MEMTAS [SC] QueryServiceConfig SUCCESS SERVICE_NAME: MEMTAS TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\Program Files (x86)\Mail Enable\Bin64\MEMTA.EXE LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : MailEnable Mail Transfer Agent DEPENDENCIES : SERVICE_START_NAME : LocalSystem c:\>sc qc MEPOPS [SC] QueryServiceConfig SUCCESS SERVICE_NAME: MEPOPS TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\Program Files (x86)\Mail Enable\Bin64\MEPOPS.EXE LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : MailEnable POP Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem c:\>sc qc MEPOCS [SC] QueryServiceConfig SUCCESS SERVICE_NAME: MEPOCS TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\Program Files (x86)\Mail Enable\Bin64\MEPOC.EXE LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : MailEnable Postoffice Connector DEPENDENCIES : SERVICE_START_NAME : LocalSystem c:\>sc qc MESMTPCS [SC] QueryServiceConfig SUCCESS SERVICE_NAME: MESMTPCS TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\Program Files (x86)\Mail Enable\Bin64\MESMTPC.EXE LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : MailEnable SMTP Connector DEPENDENCIES : SERVICE_START_NAME : LocalSystem Disclosure Timeline: ===================================== Vendor Notification: January 5, 2017 Vendor Acknowledgement: January 5, 2017 Vendor Fix: January 5, 2017 February 12, 2017 : Public Disclosure Exploit/POC: ============ 1) Create EXE named 'Program.exe' 2) Inject 'Program.exe' into the path of the service. After service restart or system reboot, authorized local user can then execute arbitrary code with elevated privileges as SYSTEM. Network Access: =============== Local Severity: ========= Medium [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. hyp3rlinx