Iperius Backup Privilege Escalation Vulnerability
Vulnerability
A privilege escalation vulnerability has been identified in Iperius Backup version 6.1.0. This vulnerability allows low-privilege users to execute arbitrary programs with elevated privileges by creating and configuring backup jobs. The executed programs run with the privileges of the Iperius Backup Service account, which can be Local System or Administrator. This exploitation leads to unauthorized privilege escalation and arbitrary code execution.
Impact
Exploitation of this vulnerability allows local users to escalate privileges and execute arbitrary code with elevated rights, either as Local System or an Administrator.
Reproduction
To reproduce this vulnerability, log in as a low-privilege user on a system with Iperius Backup and Iperius Backup Service installed. Once logged in, create a batch file that calls a program, such as netcat, to send the command prompt back to an attacking machine. After setting up a listener on the attacking machine, open Iperius Backup and create a new backup job. During the job setup, specify a program to run before the backup that points to the batch file created earlier. Once the job is created, it can be run with elevated privileges, executing the specified program as the Iperius Backup Service account.
Remediation
To address this vulnerability, remove the 'Everyone' permission from the folder 'C:\ProgramData\IperiusBackup'.
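One way to apply and verify this remediation, as an added PowerShell example that is not from the advisory or the vendor. It assumes an elevated session; the `-Fix` switch and the `Get-EveryoneAce` helper are hypothetical names, and without `-Fix` the script only reports.

```powershell
# Added example: report (and optionally remove) 'Everyone' ACEs on the
# Iperius Backup data folder named in the advisory. Run elevated.
param(
    [string]$Path = 'C:\ProgramData\IperiusBackup',
    [switch]$Fix   # hypothetical switch: report only unless set
)

# Well-known SID for Everyone; matching on the SID avoids localized names.
$everyoneSid = 'S-1-1-0'
$everyone    = [System.Security.Principal.SecurityIdentifier]$everyoneSid

if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }

function Get-EveryoneAce {
    param([string]$Target)
    $acl = Get-Acl -LiteralPath $Target
    # Request explicit and inherited rules, with identities returned as SIDs.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $everyoneSid } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $Target
                Rights    = $_.FileSystemRights
                Type      = $_.AccessControlType
                Inherited = $_.IsInherited
            }
        }
}

# Check the folder and its children: children can carry their own explicit ACEs.
$targets = @($Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName)

foreach ($t in $targets) {
    $found = @(Get-EveryoneAce -Target $t)
    if (-not $found) { continue }
    $found                                   # emit the findings
    if ($Fix -and ($found | Where-Object { -not $_.Inherited })) {
        $acl = Get-Acl -LiteralPath $t
        $acl.PurgeAccessRules($everyone)     # removes explicit ACEs only
        Set-Acl -LiteralPath $t -AclObject $acl
        # Anything left after the purge is inherited from a parent folder.
        if (@(Get-EveryoneAce -Target $t)) {
            Write-Warning "$t still has inherited Everyone ACEs; fix the parent."
        }
    }
}
```

Run it once without `-Fix` to record the current ACEs, then again with `-Fix`; a final run with no output confirms no `Everyone` entries remain.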
