NesterSoft WorkTime Local Privilege Escalation Vulnerability
Vulnerability
A local privilege escalation vulnerability has been identified in NesterSoft WorkTime versions through 11.8.8. This vulnerability allows an attacker to elevate privileges on the local system to NT Authority\SYSTEM by exploiting the update behavior of the WorkTime monitoring daemon. To execute this attack, a malicious executable must be named WTWatch.exe and placed in the C:\ProgramData\wta\ClientExe directory, which is writable by 'Everyone'. Once dropped, the executable is executed by the WorkTime monitoring daemon with elevated privileges.
Impact
Exploitation of this vulnerability allows for unauthorized privilege escalation to NT Authority\SYSTEM on the local system.
Reproduction
To reproduce this vulnerability, first create a malicious executable that will be executed with elevated privileges. This can be done by writing a C program that includes the desired payload, adding versioning information to the executable, and linking it correctly. Once the executable is created, rename it to WTWatch.exe and place it in the C:\ProgramData\wta\ClientExe directory. The WorkTime monitoring daemon will then execute the dropped executable as NT Authority\SYSTEM, resulting in elevated privileges.
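The root cause described under Vulnerability is a SYSTEM-executed path inside a directory that 'Everyone' can write to. The PowerShell below is an added example for defenders, not code from the advisory or from NesterSoft. It audits the directory named above for write-capable allow entries granted to broad principals, then lists triage metadata for WTWatch.exe if it is present. The function name Test-BroadWriteAccess and the choice of broad principals and access bits are assumptions of this example.

```powershell
# Added example: audit a directory for write access granted to broad principals.
# The default path is the one named in the advisory; the function name is hypothetical.
function Test-BroadWriteAccess {
    param([string]$Path = 'C:\ProgramData\wta\ClientExe')

    # Well-known SIDs, so the check does not depend on the OS display language.
    $broad = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }

    # Bits that let a principal add, replace or re-permission files here:
    # WriteData/CreateFiles, AppendData, DeleteSubdirectoriesAndFiles, Delete,
    # ChangePermissions, TakeOwnership, GENERIC_ALL, GENERIC_WRITE.
    $writeMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

    if (-not (Test-Path -LiteralPath $Path)) { return }

    # Ask for rules keyed by SID, including inherited ones.
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (-not $broad.ContainsKey($sid))       { continue }
        if (([int]$rule.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $broad[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Report risky ACEs on the directory from the advisory.
Test-BroadWriteAccess | Format-Table -AutoSize

# If the watched binary exists, record who owns it, when it changed and its hash.
$exe = 'C:\ProgramData\wta\ClientExe\WTWatch.exe'
if (Test-Path -LiteralPath $exe) {
    Get-Item -LiteralPath $exe | Select-Object FullName, LastWriteTime,
        @{ n = 'Owner';  e = { (Get-Acl -LiteralPath $_.FullName).Owner } },
        @{ n = 'SHA256'; e = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } }
}
```

Any row returned for this directory means a non-administrative account can place or replace files where the monitoring daemon looks for WTWatch.exe.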
