[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n
<\/span> Binary planting is a general term for an attack where the attacker places (i.e., plants) a binary file containing malicious code to a local or remote file system in order to trick a vulnerable application to load and execute it.<\/p>\n The service StarfaceUccApiRegistryService<\/em> registered in the application STARFACE UCC Client is prone to binary planting. This means, an unprivileged user can manipulate the service, which runs as administrator. In consequence, every user can execute software with administrative privileges.<\/p>\n <\/span><\/p>\n The registered service StarfaceUccApiRegistryService<\/em> in the process UccApiRegistryService.exe<\/em> is started as LocalSystem<\/em>. At the same time, the group \u201eeveryone\u201c and the group \u201einteractive\u201c users can configure the service. In consequence, all users can execute software with administrative privileges.<\/p>\n The security descriptor written in the Security Descriptor Definition Language (SDDL) means:<\/p>\n [\/et_pb_text][et_pb_text module_id=\"x-code\" _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n Prefix of S: System Access Control List (SACL) D:(A;;CCLCRPWPDTLOCRSDRCWDWO;;;IU) - Alias IU (Interactively logged-on user) has WD (Modify permissions) C:\\Program Files (x86)\\Windows Resource Kits\\Tools>sc qc StarfaceUccApiRegistryService SERVICE_NAME: StarfaceUccApiRegistryService C:\\Program Files (x86)\\Windows Resource Kits\\Tools>sc sdshow StarfaceUccApiRegistryService<\/p>\n D:(A;;CCLCRPWPDTLOCRSDRCWDWO;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)<\/p>\n [\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n The vulnerability is demonstrated by adding a new local administrator. In order to do this, the <\/span>binpath<\/em> of the service is manipulated. Then, the service is restarted.<\/span><\/p>\n [\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd-security-advisories-usd-2020-0006-1.jpg\" title_text=\"usd-security-advisories-usd-2020-0006-1\" _builder_version=\"4.9.4\" _module_preset=\"default\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n The service permissions should be restricted so that only administrators can configure the service. If possible, the service should run without administrator privileges.<\/span><\/p>\n https:\/\/owasp.org\/www-community\/attacks\/Binary_planting<\/a><\/p>\n This security vulnerabilities were found by Tobias Neitzel and Niklas Bessler of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":" usd-2020-0006 | STARFACE UCC Client v6.7.0.180 Advisory ID: usd-2020-0006CVE Number: CVE-2020-10515Affected Product: STARFACE UCC ClientAffected Version: v6.7.0.180Vulnerability Type: Binary PlantingSecurity Risk: HighVendor URL: https:\/\/www.starface.com\/Vendor Status: Fixed in v6.7.1.204 Description Binary planting is a general term for an attack where the attacker places (i.e., plants) a binary file containing malicious code to a local or remote […]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16665","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16665","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16665"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16665\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16665"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
Advisory ID<\/strong>: usd-2020-0006<\/span>
CVE Number<\/strong>: CVE-2020-10515<\/span>
Affected Product<\/strong>: STARFACE UCC Client<\/span>
Affected Version<\/strong>: v6.7.0.180<\/span>
Vulnerability Type<\/strong>: Binary Planting<\/span>
Security Risk<\/strong>: High<\/span>
Vendor URL<\/strong>: https:\/\/www.starface.com\/<\/a><\/span>
Vendor Status<\/strong>: Fixed in v6.7.1.204<\/span><\/p>\n<\/h3>\n
Description<\/h3>\n
Proof of Concept (PoC)<\/h3>\n
Prefix of D: Discretionary ACL (DACL)<\/p>\n
S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) - Alias WD (Everyone) has WD (Modify permissions)<\/p>\n
[SC] QueryServiceConfig ERFOLG<\/p>\n
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\\Program Files\\STARFACE\\UC Client\\UccApiRegistryService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : STARFACE TAPI Support Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem<\/p>\nFix<\/h3>\n
<\/h3>\n
References<\/h3>\n
<\/h3>\n
Timeline<\/h3>\n
\n
<\/h3>\n
Credits<\/h3>\n