Radarr Insecure File Permissions Vulnerability in Service Component Allowing Local Privilege Escalation

A vulnerability exists in Radarr version 5.28.0.10274, specifically within the service component file 'Radarr.Console.exe'. This vulnerability arises from incorrect default permissions that allow local, low-privileged users to modify or replace the service binary. If the Radarr service is running under a high-privilege account, such as LocalSystem, the altered binary could be executed with elevated privileges after a service restart or system reboot, potentially leading to unauthorized access or control.

Impact

Exploitation of this vulnerability could allow a local user with write access to the Radarr service binary to gain SYSTEM-level code execution, particularly if the service is running as SYSTEM. This could result in a significant compromise of the host's security.

Reproduction

To reproduce this vulnerability, first rename the original 'Radarr.Console.exe' binary to a different name. Then, save a malicious executable in the same directory under the original filename. When the Radarr service is restarted or the system is rebooted, the service will execute the modified binary with the same privileges as the Radarr service account. This demonstrates how the vulnerability can be exploited to escalate privileges.