AspEmail Privilege Escalation Vulnerability

Vulnerability

A binary permission vulnerability allowing local users to escalate privileges has been identified in AspEmail version 5.6.0.2. This vulnerability arises from the Persits Software EmailAgent service, which has full write permissions in the BIN directory. Attackers can exploit this by replacing the service executable with a malicious one, thereby gaining elevated system access.

Impact

Exploitation of this vulnerability allows for local privilege escalation, with the injected executable running under the LocalSystem account, which has high-level privileges on the system.

Reproduction

The vulnerability can be reproduced by first confirming that the 'Persits Software EmailAgent' service is running. Once verified, the 'BIN' directory of the service can be accessed and modified due to incorrect permission assignments. After taking ownership of the directory and restoring full permissions, a malicious executable can be uploaded and renamed to replace the original 'EmailAgent.exe' file. This modified executable will be executed by the service, allowing for privilege escalation.

Remediation

Users are advised to update to AspEmail version 5.6.0.4 or 5.6.0.5, where this vulnerability has been addressed.
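To check a host for the incorrect permission assignment described under Reproduction, the following PowerShell audit lists every access rule and owner on the service executable and its directory that gives a non-administrative principal the ability to replace the binary. It is an added example, not code from Persits or from the original advisory. The `$ServicePattern` wildcard and the list of principals treated as expected are assumptions.

```powershell
param([string]$ServicePattern = '*EmailAgent*')   # assumption: wildcard for the advisory's service name

# Access-mask bits that allow replacing or re-permissioning a file, plus GENERIC_ALL and GENERIC_WRITE.
$tamper = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$tamper = $tamper -bor 0x10000000 -bor 0x40000000

# Assumption: principals expected to hold write access (SYSTEM, Administrators, CREATOR OWNER, TrustedInstaller).
$trusted = @(
    'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)
$sidType = [System.Security.Principal.SecurityIdentifier]

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like $ServicePattern -or $_.Name -like $ServicePattern } |
    ForEach-Object {
        $svc = $_
        # PathName may be quoted and may carry arguments; keep only the executable path.
        if ($svc.PathName -match '^\s*"([^"]+)"' -or $svc.PathName -match '^\s*(.+?\.exe)') {
            $exe = $Matches[1]
        } else { return }

        # Audit both the executable and the directory that contains it.
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            $acl = Get-Acl -LiteralPath $target

            # An untrusted owner can always rewrite the DACL, so report it as a finding.
            $owner = $acl.GetOwner($sidType).Value
            if ($trusted -notcontains $owner) {
                [pscustomobject]@{ Service = $svc.DisplayName; RunsAs = $svc.StartName; Path = $target
                                   Principal = $owner; Rights = 'Owner'; Inherited = $false }
            }

            # Explicit and inherited rules, with identities returned as SIDs (locale-independent).
            foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($trusted -contains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band $tamper) -eq 0) { continue }
                [pscustomobject]@{ Service = $svc.DisplayName; RunsAs = $svc.StartName; Path = $target
                                   Principal = $ace.IdentityReference.Value
                                   Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
```

No output means no unexpected writer or owner was found. Any row where `RunsAs` is `LocalSystem` corresponds to the condition this advisory describes.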

Added: Dec 19, 2025, 9:26 PM
Updated: Dec 19, 2025, 9:26 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.6
remediation: 0.0
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.