| Title | SOFTLAND FBackup 9.9 Link Following |
|---|
| Description | NAME OF VULNERABILITY: Exploit File Write to Escalate Privilege in FBackup
1. Vulnerability Title
FBackup, bService.exe, EoP
2. High-level overview of the vulnerability and the possible effect of using it
A non-privileged user can exploit the vulnerability to write an arbitrary file and escalate privileges.
3. Exact product that was found to be vulnerable including complete version information
FBackup 9.9
4. Root Cause Analysis
a. FBackup has a feature that backs up and restores directories and files. It expects users to choose a directory they want to back up; they can then restore the directory and the files in it at any time.
b. If a victim backs up a file that an attacker with normal-user privileges can modify, the attacker can, before the victim backs it up, replace the file's content with a malicious DLL that executes cmd when loaded.
c. If a file already exists while the directory is being restored, a check box pops up and asks whether to overwrite the file.
d. After the victim clicks “Overwrite”, because FBackup doesn't lock the directory and the file before overwriting the file, the attacker can write to any file with bService.exe’s privilege.
e. According to the awesome research [Abusing Arbitrary File Deletes to Escalate Privilege and Other Great Tricks](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks), by turning the target directory into a junction to `\RPC CONTROL\` and creating a native symlink to another file, an attacker can write to an arbitrary file. The attacker can then elevate privileges by writing `C:\Program Files\Common Files\microsoft shared\ink\HID.dll`.
5. Proof-of-Concept
a. Install FBackup.
b. Compile the PoC by replacing the content of FolderContentsDeleteToFolderDelete.cpp in [FilesystemEoPs](https://github.com/thezdi/PoC/tree/main/FilesystemEoPs) with the content of FolderContentsWriteToSystem.cpp in the attachment. Or directly use FolderContentsWriteToSystem.exe in the attachment.
c. Put trick.pdf from the attachment (in fact a malicious DLL that executes cmd) in any directory that a normal user can write to, e.g. C:\Windows\Temp.
d. Back up the directory containing trick.pdf.
e. Run `FolderContentsWriteToSystem.exe /target "C:\Program Files\Common Files\microsoft shared\ink\HID.dll" /initial C:\Windows\Temp`
f. Restore the directory and click “Overwrite” when asked whether to overwrite the file.
g. After running it, a cmd.exe with SYSTEM privilege will pop up when the virtual keyboard is executed before login.
6. Software Download Link
a. https://www.fbackup.com/
7. Other
a. The testing environment is Windows 10 1909, but the PoC should work on the latest Windows 11.
b. Disable Windows Defender before testing.
c. The source code of trick.pdf is malicious_dll.cpp in the attachment.
d. In the exploit scenario, the victim is supposed to be Administrator, and the attacker is a normal user. |
|---|
| User | Zeze7w (UID 40823) |
|---|
| Submission | 04/02/2026 16h41 (3 months ago) |
|---|
| Moderation | 17/02/2026 14h24 (13 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 346279 [Softland FBackup up to 9.9 Backup/Restore HID.dll Privilege Escalation] |
|---|
| Points | 17 |
|---|
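
An administrator-side check for the condition described in root cause items d and e, as an added example that is not part of the original submission or of FBackup: before restoring with a privileged service, walk the destination path and report any component that is a reparse point or that low-privileged principals can write to. The function name `Test-RestoreTarget` and the list of low-privileged principals are assumptions made for this example.

```powershell
# Added example (not from the original report or from FBackup).
# Audits a restore destination before a privileged process writes into it.
function Test-RestoreTarget {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Principals treated as low-privileged (assumption; adjust per host).
    $lowPriv = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'

    # Rights that let a principal create, replace or remove directory entries.
    $write = [System.Security.AccessControl.FileSystemRights]`
        'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles'

    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    while ($item) {
        # A junction or symlink anywhere in the path redirects the write.
        $isLink = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)

        # Allow ACEs that give a low-privileged principal write-type rights.
        $writers = (Get-Acl -LiteralPath $item.FullName).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -in $lowPriv -and
                ($_.FileSystemRights -band $write)
            } |
            ForEach-Object { $_.IdentityReference.Value } |
            Select-Object -Unique

        [pscustomobject]@{
            Path           = $item.FullName
            ReparsePoint   = $isLink
            LinkType       = $item.LinkType
            LowPrivWriters = $writers -join ', '
        }

        # Move one level up; Parent is $null at the volume root.
        $item = if ($item -is [IO.DirectoryInfo]) { $item.Parent }
                else { $item.Directory }
    }
}

# Usage with the directory named in the report's PoC steps:
Test-RestoreTarget -Path 'C:\Windows\Temp' | Format-Table -AutoSize
```

This is a point-in-time audit: a directory that is clean when checked can still be swapped before the write, so any row with a non-empty `LowPrivWriters` column marks a destination that should not be restored into by a privileged service.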