iMonitor EAM Local Privilege Escalation Vulnerability
Vulnerability
A local privilege escalation vulnerability has been identified in iMonitor EAM version 9.6394. The issue arises from a system service that runs with NT AUTHORITY\SYSTEM privileges and includes an insecure update mechanism. This mechanism automatically loads files from a user-writable directory into the application's installation path, where they are executed with elevated privileges. As a result, an attacker can place malicious DLLs or executables in the directory, leading to unauthorized privilege escalation.
Impact
Exploitation of this vulnerability allows for local privilege escalation, with the malicious payload being executed as NT AUTHORITY\SYSTEM.
Reproduction
The vulnerability can be reproduced by creating a DLL file containing malicious code and compiling it using a suitable compiler. This DLL should be placed in the 'C:\sysupdate\' directory, along with an empty 'finish.txt' file to trigger the update mechanism. After restarting the 'eamusbsrv64.exe' service, the malicious DLL will be executed with SYSTEM privileges.
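A defender-side check for the condition described above, as an added PowerShell example that is not part of the advisory or the vendor's code: it audits who can write to 'C:\sysupdate' (or to its parent when the directory does not exist yet), which account the service binary runs as, and whether anything is already staged. The trusted-SID list and the write-rights mask are assumptions; the path, 'finish.txt' and 'eamusbsrv64.exe' are the ones the advisory names.

```powershell
# Added audit example, not vendor code. Path and file names are the ones in the advisory.
$UpdateDir = 'C:\sysupdate'
$Binary    = 'eamusbsrv64.exe'

# Assumption: only SYSTEM, Administrators and TrustedInstaller count as trusted writers.
$Trusted = 'S-1-5-18', 'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

# Rights that let a principal stage or replace files, plus GENERIC_ALL and
# GENERIC_WRITE, which can appear unmapped on inherit-only ACEs.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = $WriteMask -bor 0x10000000 -bor 0x40000000

function Get-RiskyAce {
    param([string]$Path)
    # Ask for SIDs instead of account names so the check is locale independent.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $sid -notin $Trusted -and
            ([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{ Path = $Path; Sid = $sid; Rights = $ace.FileSystemRights }
        }
    }
}

# If the directory is absent, whoever can create it under the parent controls its contents.
$target = if (Test-Path -LiteralPath $UpdateDir) { $UpdateDir } else { Split-Path $UpdateDir -Parent }
$risky  = @(Get-RiskyAce -Path $target)

# Service side: which account runs the binary the advisory names.
$svc = @(Get-CimInstance Win32_Service | Where-Object { $_.PathName -like "*$Binary*" })

# Files already staged: the trigger file or any DLL/EXE waiting to be picked up.
$staged = @()
if (Test-Path -LiteralPath $UpdateDir) {
    $staged = @(Get-ChildItem -LiteralPath $UpdateDir -File -Force |
        Where-Object { $_.Name -eq 'finish.txt' -or $_.Extension -in '.dll', '.exe' })
}

$svc    | Format-List Name, StartName, State, PathName | Out-Host
$risky  | Format-Table -AutoSize | Out-Host
$staged | Format-Table FullName, LastWriteTime -AutoSize | Out-Host
if ($svc.Count -gt 0 -and $risky.Count -gt 0) {
    Write-Warning "Principals outside the trusted list can write to $target while $Binary is installed."
}
```

Any row in the second table is a principal that could place files where the service picks them up; restricting the directory ACL to administrators and SYSTEM removes that path until a vendor fix is applied.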
