CVE-2009-2564
Published: 2009-07-21
Priority: P336, high, 7.2 (CVSS 2.0)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 5.60% (91.9th percentile)
NOS Microsystems getPlus Download Manager, as used in Adobe Reader 1.6.2.36 and possibly other versions, Corel getPlus Download Manager before 1.5.0.48, and possibly other products, installs NOS\bin\getPlus_HelperSvc.exe with insecure permissions (Everyone:Full Control), which allows local users to gain SYSTEM privileges by replacing getPlus_HelperSvc.exe with a Trojan horse program, as demonstrated by use of getPlus Download Manager within Adobe Reader. NOTE: within Adobe Reader, the scope of this issue is limited because the program is deleted and the associated service is not automatically launched after a successful installation and reboot.
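The condition described above (a service that runs as LocalSystem while its binary is writable by low-privileged principals) can be checked offline from collected `sc qc` and `icacls` output. The following is an added example, not code from this page or from the vendors: the `icacls` sample is constructed, and the `LOW_PRIV` and `WRITE_RIGHTS` sets and the function names are assumptions chosen for illustration.

```python
import re

# Excerpt of the `sc qc` output shown in the PoC on this page.
SC_QC = r"""[SC] GetServiceConfig SUCCESS
SERVICE_NAME: getPlus(R) Helper
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : C:\Programmi\NOS\bin\getPlus_HelperSvc.exe
        SERVICE_START_NAME : LocalSystem
"""
# Constructed `icacls` output (not from the page) for Everyone:Full Control.
ICACLS_WEAK = r"""C:\Programmi\NOS\bin\getPlus_HelperSvc.exe Everyone:(F)
                                           BUILTIN\Administrators:(F)
                                           NT AUTHORITY\SYSTEM:(F)
Successfully processed 1 files; Failed processing 0 files
"""
# Assumptions: principals treated as low-privileged, rights treated as "can replace".
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive"}
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DE", "WDAC", "WO", "GA", "GW"}
ACE = re.compile(r"^(.+?):((?:\([^)]*\))+)$")

def parse_sc_qc(text):
    """Map FIELD -> value, splitting on the first colon so drive letters survive."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def parse_icacls(text, path):
    """Return [(principal, rights, is_deny)] for the ACEs icacls lists for path."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first line carries the file name
        m = ACE.match(line)
        if m:
            groups = [g.upper() for g in re.findall(r"\(([^)]*)\)", m.group(2))]
            rights = {r.strip() for r in groups[-1].split(",")}  # last group = rights
            aces.append((m.group(1), rights, "DENY" in groups))
    return aces

def audit(sc_text, icacls_text):
    """Flag a LocalSystem service whose binary low-privileged users can replace."""
    svc = parse_sc_qc(sc_text)
    if svc.get("SERVICE_START_NAME", "").lower() != "localsystem":
        return []
    path = svc["BINARY_PATH_NAME"].strip('"')
    return [(svc["SERVICE_NAME"], path, who, sorted(rights & WRITE_RIGHTS))
            for who, rights, deny in parse_icacls(icacls_text, path)
            if not deny and who.lower() in LOW_PRIV and rights & WRITE_RIGHTS]
```

`audit(SC_QC, ICACLS_WEAK)` returns one finding for `Everyone` with right `F`; an ACL that grants low-privileged principals only `(RX)` returns an empty list.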
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | acrobat_reader | — | — |
| adobe | acrobat_reader | — | — |
| corel | getplus_download_manager | — | — |
| nos_microsystems | getplus_download_manager | — | — |
No detection rules found.
Exploit-DB
Adobe Acrobat 9.1.2 NOS - Local Privilege Escalation
exploitdb·2009-07-21
---
/*
alwaysdirtyneverclean.c
AKA
Adobe Acrobat 9.1.2 NOS Local Privilege Escalation Exploit (alwaysdirtyneverclean.zip)
BY
Jeremy Brown 2009 [[email protected]] 07.21.2009
I've been up for nearly 24 hours (only the last few doing research though). This exploit is based on the
brief information provided by Nine:Situations:Group (http://www.milw0rm.com/exploits/9199). Exploiting
improper permissions is fun. A few notes are in order though. The getPlus service (that I tested, via 9.1.2)
isn't installed as an "Automatic" service, therefore making it slightly harder (but not hard) to practically
use to your advantage. But I tested running this code under a GUEST account and it worked pretty good (just
the first time though). Change the
Exploit-DB
Adobe 9.x Related Service - 'getPlus_HelperSvc.exe' Local Privilege Escalation
exploitdb·2009-07-20
---
Adobe related service (getPlus_HelperSvc.exe) local elevation of privileges
by Nine:Situations:Group
site: http://retrogod.altervista.org/
description:
Adobe downloader used to download updates for Adobe applications.
Shipped with Acrobat Reader 9.x
vendor: Nos Microsystems
poc:
C:\>sc qc "getPlus(R) Helper"
[SC] GetServiceConfig SUCCESS
SERVICE_NAME: getPlus(R) Helper
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Programmi\NOS\bin\getPlus_HelperSvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : getPlus(R) Helper
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem
C:\>cacls "C:\Programmi\NOS\bin\getPlus_HelperSvc.exe"
C:\Program
http://blogs.adobe.com/psirt/2009/07/local_privilege_escalation_in.html
http://retrogod.altervista.org/9sg_adobe_local.html
http://secunia.com/advisories/35930
http://secunia.com/advisories/36331
http://securitytracker.com/id?1023007
http://www.adobe.com/support/security/bulletins/apsb09-15.html
http://www.exploit-db.com/exploits/9199
http://www.securityfocus.com/archive/1/505095/100/0/threaded
http://www.securityfocus.com/bid/35740
http://www.us-cert.gov/cas/techalerts/TA09-286B.html
http://www.vupen.com/english/advisories/2009/1969
http://www.vupen.com/english/advisories/2009/2898
https://exchange.xforce.ibmcloud.com/vulnerabilities/54383
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5719
2009-07-21
Published