| tiêu đề | Iperius Iperius Backup <= 8.7.2 Incorrect Default Permissions |
|---|
| Mô tả | Iperius Backup <= 8.7.2 allows local privilege escalation to NT AUTHORITY\SYSTEM via encrypted job file injection. The Iperius Backup Service runs under SYSTEM and automatically monitors the directory C:\ProgramData\IperiusBackup\Jobs for .ibj backup job configuration files. This directory has insecure default permissions granting BUILTIN\Users write access (WD,AD,WEA,WA), allowing any authenticated local user to create new files. The application encrypts commands stored in the PreCommand field using AES-128 in ECB mode, but the encryption key is deterministically derived from the system's MachineGuid registry value (HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid), which is readable by all local users. By reverse-engineering this encryption scheme, an attacker can craft a valid .ibj configuration file containing an encrypted arbitrary command in the PreCommand field and place it into the Jobs directory. The service will automatically load and execute the decrypted command under NT AUTHORITY\SYSTEM context, resulting in complete local privilege escalation without requiring GUI interaction or administrative privileges. |
|---|
| Nguồn | ⚠️ https://github.com/VulnaraByte/iperius-backup-security-advisories |
|---|
| Người dùng | VulnaraByte (UID 96378) |
|---|
| Đệ trình | 12/03/2026 12:19 (cách đây 4 các tháng) |
|---|
| Kiểm duyệt | 01/04/2026 14:02 (20 days later) |
|---|
| Trạng thái | Bản sao |
|---|
| Mục VulDB | 353124 [Enter Software Iperius Backup đến 8.7.3 Backup Job Configuration File nâng cao đặc quyền] |
|---|
| điểm | 0 |
|---|