CVE-2017-7884 in adk0212 APC UPS Daemon
Summary
by MITRE
In Adam Kropelin adk0212 APC UPS Daemon through 3.14.14, the default installation of APCUPSD allows a local authenticated, but unprivileged, user to run arbitrary code with elevated privileges by replacing the service executable apcupsd.exe with a malicious executable that will run with SYSTEM privileges at startup. This occurs because of "RW NT AUTHORITY\Authenticated Users" permissions for %SYSTEMDRIVE%\apcupsd\bin\apcupsd.exe.
Analysis
by VulDB Data Team • 12/29/2020
CVE-2017-7884 affects the Adam Kropelin adk0212 APC UPS Daemon (apcupsd) through version 3.14.14 and is a local privilege escalation caused by incorrect default file permissions rather than by a bug in the daemon's code. The default Windows installation of APCUPSD grants the Authenticated Users group write access ("RW NT AUTHORITY\Authenticated Users") on the service executable itself, %SYSTEMDRIVE%\apcupsd\bin\apcupsd.exe. Because the service runs as SYSTEM, any local user with valid credentials can modify the binary that the Service Control Manager will later execute with the highest privileges on the host.
Exploitation is straightforward and relies only on file system permissions and normal service behaviour. An authenticated but unprivileged user overwrites or replaces apcupsd.exe with an executable of their choosing; the next time the service starts, at boot or after a service restart, the Service Control Manager launches that replacement as NT AUTHORITY\SYSTEM. No administrative rights, memory corruption, or other exploitation technique is needed: the flaw is simply that a process running with high privileges is started from a file that low-privilege users are allowed to modify. The same outcome is reachable if the bin directory rather than the file is writable, since the attacker can then rename the genuine executable and drop a replacement under the original name.
The operational impact of CVE-2017-7884 extends beyond the initial privilege escalation to full and persistent compromise of the host. Code running as SYSTEM can modify system files, install additional tooling, read any data on the machine, and establish its own persistence. The vector is particularly relevant in enterprise environments where APCUPSD is deployed on servers for UPS monitoring and clean shutdown, because the malicious code runs as a registered, auto-started service rather than as an unexpected process launch: controls that only watch for new services, new autostart entries, or processes with unusual parents will not flag it, and only file-integrity monitoring, code-signing checks on service binaries, or an ACL audit will reveal the swap. The low privilege required, combined with the use of a legitimate service as the execution path, makes both exploitation easy and detection harder than for a conventional exploit.
Remediation is a permissions fix: remove the "RW NT AUTHORITY\Authenticated Users" grant from %SYSTEMDRIVE%\apcupsd\bin\apcupsd.exe, and from the apcupsd installation directory as a whole, so that only Administrators and SYSTEM can write there while other principals retain read and execute access only, in line with the principle of least privilege. Before tightening the ACL, confirm that the apcupsd.exe currently on disk is the vendor's binary (for example by comparing its hash with a known-good copy), since a host that has been running with these permissions may already have been tampered with. Organisations should also audit every installed service and the permissions on its binary and parent directory, because the same misconfiguration is common in third-party installers that unpack into a custom directory under the system drive. The weakness is classified as CWE-276 (Incorrect Default Permissions) and maps to ATT&CK technique T1068 (Exploitation for Privilege Escalation); the more specific sub-technique for a writable service binary is T1574.010 (Hijack Execution Flow: Services File Permissions Weakness). Both the audit and the fix are simple enough to script and belong in any defence-in-depth baseline for Windows servers.
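The following PowerShell script is an added example, written for this page and not taken from VulDB or from the apcupsd project. It covers both the check a practitioner would run to confirm the condition described in the exploitation paragraph (a service binary, or its directory, writable by a low-privilege group) and the remediation described in the paragraph above (strip the write grant, keep read and execute). The audit is generalised to every service registered on the host, as the advisory's remediation advice suggests, rather than only to apcupsd. The service name apcupsd and the path %SYSTEMDRIVE%\apcupsd\bin\apcupsd.exe come from the advisory; the list of low-privilege principals, the rights mask and the function names are choices made for this example. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not VulDB's or apcupsd's own code): find Windows services whose
# executable or its directory can be modified by low-privilege principals, then
# remove such grants from a given path. Requires an elevated PowerShell session.

# Principals that should never hold write-class rights on a service binary.
# (List chosen for this example; extend for site-specific groups.)
$LowPrivPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let the holder replace or alter a file, or (for a directory) create
# or delete children. Modify and FullControl are supersets and match as well.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership, DeleteSubdirectoriesAndFiles'
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL on unexpanded ACEs

function Test-WeakBinaryAcl {
    # Emits one object per Allow ACE that gives a low-privilege principal write-class rights.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-ServiceBinaryPath {
    # Extracts the executable from a Win32_Service.PathName, which may be quoted,
    # unquoted with spaces, and followed by arguments.
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)\b') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Find-WritableServiceBinary {
    # Audits every registered service: the binary itself and its parent directory,
    # because a writable directory allows rename-and-replace even when the file ACL is sound.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = [System.Environment]::ExpandEnvironmentVariables((Get-ServiceBinaryPath $svc.PathName))
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
        foreach ($target in @($exe, (Split-Path -LiteralPath $exe -Parent))) {
            Test-WeakBinaryAcl -Path $target |
                Select-Object @{n = 'Service'; e = { $svc.Name }}, @{n = 'RunsAs'; e = { $svc.StartName }}, *
        }
    }
}

function Repair-BinaryAcl {
    # Removes write-class grants for low-privilege principals and leaves them ReadAndExecute.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Break inheritance, copying inherited ACEs to explicit ones, so a weak grant
    # inherited from the parent directory cannot silently return later.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in @($acl.Access)) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $LowPrivPrincipals -contains $ace.IdentityReference.Value -and
            ([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    # The daemon's service account and ordinary users still need to read and run the file.
    $readExec = [System.Security.AccessControl.FileSystemAccessRule]::new(
        'NT AUTHORITY\Authenticated Users', 'ReadAndExecute', 'Allow')
    $acl.AddAccessRule($readExec)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# 1) Audit all services on this host.
Find-WritableServiceBinary | Format-Table Service, RunsAs, Path, Principal, Rights, Inherited -AutoSize

# 2) Fix the path named in the advisory, then re-check it (no output means no weak grant remains).
$apcupsdExe = Join-Path $env:SystemDrive 'apcupsd\bin\apcupsd.exe'
if (Test-Path -LiteralPath $apcupsdExe) {
    Repair-BinaryAcl -Path $apcupsdExe
    Test-WeakBinaryAcl -Path $apcupsdExe
}
```

Repair-BinaryAcl is written for the executable; run it against the apcupsd bin and installation directories as well (adding the usual container and object inheritance flags to the ReadAndExecute rule there), since the audit reports a writable directory as the same class of finding. Verify the hash of apcupsd.exe against a known-good copy before trusting the binary you have just locked down, and expect Set-Acl to fail unless the session is elevated or the caller owns the file.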