Topaz SERVCore Teller Local Privilege Escalation Vulnerability in Installer
Vulnerability
A local privilege escalation vulnerability exists in Topaz SERVCore Teller versions 2.14.0-RC2 and 2.14.1. The issue arises from improper permission management in the installation directory of the service binary. This flaw allows unprivileged users to replace the service binary with a malicious executable, which is then executed with SYSTEM privileges upon reboot.
Impact
Exploitation of this vulnerability allows unprivileged local users to execute arbitrary code with SYSTEM privileges, leading to full local privilege escalation, potential installation of a persistent backdoor, and overall system compromise.
Reproduction
The vulnerability can be reproduced by first creating the directory 'C:\ProgramData\SERVCoreTeller\Service' before installing the application. Once the directory is created, the SERVCore Teller installer can be run. After installation, the 'nssm.exe' service binary can be renamed and replaced with a malicious executable. Upon the next system reboot, the Windows service will execute the replaced binary with SYSTEM privileges.
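A defender-side check for the condition described above, as an added example (not code from the advisory or the vendor): it reports any owner or write-capable access entry on the service directory and its files that does not belong to SYSTEM, Administrators or TrustedInstaller. The trusted-principal list and the function name `Test-ServicePathAcl` are assumptions made for this example.

```powershell
# Added example (not vendor code): flag non-administrative owners or write
# access on the SERVCore Teller service directory and the files inside it.
$ServiceDir = 'C:\ProgramData\SERVCoreTeller\Service'   # path from the advisory

# Assumption: only these principals should own or modify the service files.
$TrustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow replacing, renaming or re-permissioning a file, plus the
# raw GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000

function Test-ServicePathAcl {
    param([string]$Path = $ServiceDir)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path does not exist"; return
    }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $items = @(Get-Item -LiteralPath $Path -Force) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # An owner can always rewrite the DACL, so ownership is checked separately.
        $owner = $acl.GetOwner($sidType).Value
        if ($TrustedSids -notcontains $owner) {
            [pscustomobject]@{ Path = $item.FullName; Finding = 'Owner'; Sid = $owner; Rights = '' }
        }
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
            $sid = $ace.IdentityReference.Value
            if ($TrustedSids -contains $sid) { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
                [pscustomobject]@{ Path = $item.FullName; Finding = 'WritableBy'; Sid = $sid; Rights = $ace.FileSystemRights }
            }
        }
    }
}

Test-ServicePathAcl | Format-Table -AutoSize
```

Any row in the output means a principal outside the trusted list can alter what the service runs. The same check applies on hosts where the product is not yet installed, since the directory existing there with a non-administrative owner matches the precondition in the reproduction steps.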
