Home page logo

bugtraq logo Bugtraq mailing list archives

PeanutHull Local Privilege Escalation Vulnerability
From: "Sowhat ." <smaillist () gmail com>
Date: Wed, 20 Jul 2005 17:07:28 +0800

PeanutHull Local Privilege Escalation Vulnerability

by Sowhat

EN: http://secway.org/advisory/AD20050720EN.txt
CN: http://secway.org/advisory/AD20050720CN.txt

Product Affected:

PeanutHull <= 3.0 Beta 5 


Oray Inc. is the world's biggest DDNS (Dynamic Domain Name Service)
 Provider (According to their WEBSITE). PeanutHull is the DDNS client
For more information ,see http://www.oray.net 


The vulnerability is caused due to SYSTEM privileges are not 
dropped when accessing the PeanutHull from the System Tray icon.

A local non-privileged user can access the application via the 
system tray and can execute commands with Local System privileges.

1. Double click on the PeanutHull icon in the Taskbar to open 
   the PeanutHull window.
2. Click Help, click BBS
3. Type C:\ in the poped up IE Address BAR
4. Navagate to %WINDIR%\System32\
5. click CMD.exe 
6. A new command shell will open with SYSTEM privileges

Exploitng this vulnerability allows local non-privileged user
to obtain SYSTEM privilege.

Vendor Response:

2005.07.13 Vendor notified via email 
2005.07.14 Vendor responsed that this problem will be fixed 
           in the 3.0 Final Version.
2005.07.20 PeanutHull 3.0 Released
2005.07.20 So I released this advisory

Please update to PeanutHull 3.0

  By Date           By Thread  

Current thread:
  • PeanutHull Local Privilege Escalation Vulnerability Sowhat . (Jul 21)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]