Submit #778604: Iperius Iperius Backup <= 8.7.2 Incorrect Default Permissionsinfo

TitleIperius Iperius Backup <= 8.7.2 Incorrect Default Permissions
DescriptionIperius Backup <= 8.7.2 allows local privilege escalation to NT AUTHORITY\SYSTEM via encrypted job file injection. The Iperius Backup Service runs under SYSTEM and automatically monitors the directory C:\ProgramData\IperiusBackup\Jobs for .ibj backup job configuration files. This directory has insecure default permissions granting BUILTIN\Users write access (WD,AD,WEA,WA), allowing any authenticated local user to create new files. The application encrypts commands stored in the PreCommand field using AES-128 in ECB mode, but the encryption key is deterministically derived from the system's MachineGuid registry value (HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid), which is readable by all local users. By reverse-engineering this encryption scheme, an attacker can craft a valid .ibj configuration file containing an encrypted arbitrary command in the PreCommand field and place it into the Jobs directory. The service will automatically load and execute the decrypted command under NT AUTHORITY\SYSTEM context, resulting in complete local privilege escalation without requiring GUI interaction or administrative privileges.
Source⚠️ https://github.com/VulnaraByte/iperius-backup-security-advisories
User
 VulnaraByte (UID 96378)
Submission03/12/2026 12:19 (4 months ago)
Moderation04/01/2026 14:02 (20 days later)
StatusDuplicate
VulDB entry353124 [Enter Software Iperius Backup up to 8.7.3 Backup Job Configuration File privileges management]
Points0

Might our Artificial Intelligence support you?

Check our Alexa App!