Nessus Malicious Process Detection Plugin Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1029946|
SecurityTracker URL: http://securitytracker.com/id/1029946
(Links to External Site)
Updated: Apr 15 2014|
Original Entry Date: Mar 21 2014
Execution of arbitrary code via local system, Root access via local system|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes |
Version(s): 5.2.1, with plugin set 201402092115|
A vulnerability was reported in Nessus. A local user can obtain elevated privileges on the target system.|
When a Nessus Authenticated Scan is conducted against the target Windows-based system, a local user on the target system can exploit a flaw in the Malicious Process Detection plugin (Plugin ID 59275) to gain System privileges.
The software creates a binary in the system temporary directory and a System-level service executes the binary. A local user can modify the binary to execute arbitrary code with System-level privileges.
The vendor was notified on February 18, 2014.
The original advisory is available at:
Neil Jones of NCC Group reported this vulnerability.
A local user can obtain System-level privileges on the target system.|
The vendor has issued a fix.|
Vendor URL: www.tenable.com (Links to External Site)
Access control error|
|Underlying OS: Windows (Any)|
Source Message Contents
Subject: NCC00643 Technical Advisory: Nessus Authenticated Scan Local Privilege Escalation|
Title Nessus Authenticated Scan - Local Privilege Escalation
Release Date 20 March 2014
Discoverer Neil Jones
Vendor Reference RWZ-21387-181
Systems Affected Nessus appliance engine version 5.2.1 the plugin set
Discovered 29 January 2014
Released 29 January 2014
Reported 18 February 2014
Fixed 6 March 2014
Published 20 March 2014
An authenticated Nessus scan of a target machine may result in local
privilege escalation on that target machine if scanned with the Malicious
Process Detection plugin (Plugin ID 59275). The Malicious Process Detection
plugin created a service which ran as SYSTEM however this binary could be
modified by a low level user allowing for privilege escalation.
The main attack vector for this vulnerability would be within large
organisations which routinely run authenticated scans for security
auditing purposes, once a user gains SYSTEM access on one machine they
would be likely to be able to escalate their privileges to that of Domain
Administrator by other means.
The vulnerability was caused by the Malicious Process Detection plugin
(Plugin ID 59275), this plugin created a service which gathered privileged
information from the target system. The plugin created a binary in the
System Temp folder which had a static name for example this would be
A service was then created to run this binary, the service created was set
to automatically start upon boot. As a low level user the binary should be
created before the scan, once the scan is in progress the binary is
overwritten by the Nessus plugin, once the Nessus plugin overwrites the
binary the low level user can once again overwrite the binary the machine
can be rebooted by the low level user so the binary is automatically ran
upon system boot.
As the Nessus scan is still in progress upon the machine rebooting, the
binary and the service are deleted automatically during the clean-up
process of the plugin.
The plugin has been updated and the vulnerability can be patched by
updating the plugins on your scanner
Twitter https://www.twitter.com/NCCGroupInfoSec / @NCCGroupInfoSec
Open Source https://github.com/nccgroup
For more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br>
This email message has been delivered safely and archived online by Mimecast.