SevenCs ORCA G2 Local Privilege Escalation Vulnerability via TOCTOU Race Condition

Vulnerability

A local privilege escalation vulnerability has been identified in SevenCs ORCA G2 version 2.0.1.35, specifically within the EC2007 Kernel v5.22. The vulnerability arises from a Time-of-Check Time-of-Use (TOCTOU) race condition in the license management process. The regService application, which runs with SYSTEM privileges, creates a directory and writes files into it without checking whether the path is an NTFS reparse point. Winning this race allows an attacker to substitute the target directory with a junction to a user-controlled location, causing the SYSTEM-level process to drop its binaries in an area fully controlled by the attacker. Control over those binaries enables arbitrary code execution with SYSTEM rights. The vulnerability can be exploited by any standard user with a single User Account Control (UAC) confirmation, making it particularly dangerous in real-world scenarios.

Impact

Exploitation of this vulnerability allows for local privilege escalation, with arbitrary code execution as the SYSTEM user. It also enables the installation of persistent backdoors, the disabling of security measures, and the compromise of system integrity and availability.

Reproduction

To reproduce this vulnerability, a standard user must initiate the regTest.exe application and accept the UAC prompt, which is a normal part of the licensing process. Once the regService, running with SYSTEM privileges, creates the necessary directory, the attacker can delete this directory and replace it with an NTFS junction pointing to a user-writable location, such as the Desktop. As regService continues its execution, it will inadvertently copy SYSTEM-owned binaries into the redirected path, allowing the attacker to gain control over these executables and escalate privileges.

Remediation

SevenCs is advised to eliminate TOCTOU patterns by not separating existence checks from the file operations that depend on them, using atomic APIs where possible. The company should also detect and block reparse points, open directories safely, canonicalize paths, harden directory permissions, and reduce the number of filesystem operations performed at SYSTEM level.
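The handle-based discipline the remediation calls for, as an added example written for this page (not SevenCs code): it is shown on POSIX, where symlinks stand in for NTFS junctions, and the directory name and file contents are constructed. The Win32 equivalent opens the directory with CreateFileW using FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT and rejects a handle whose attributes include FILE_ATTRIBUTE_REPARSE_POINT.

```python
import errno
import os
import stat


def open_dir_nofollow(path):
    """Open `path` as a directory without following a link at its final component.

    O_NOFOLLOW makes the open itself fail (ELOOP or ENOTDIR, depending on the
    platform) if the directory has been swapped for a link, so there is no separate
    exists()/islink() check whose answer could go stale before the handle is used.
    """
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)                      # verify the handle, never the path string
        if st.st_uid != os.geteuid():          # owned by someone else: refuse
            raise PermissionError(errno.EACCES, "directory not owned by this process", path)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(errno.EACCES, "directory writable by others", path)
    except Exception:
        os.close(fd)
        raise
    return fd


def create_private_dir(path):
    """Create the working directory atomically and return a verified handle to it."""
    os.mkdir(path, 0o700)   # FileExistsError if anyone pre-created it: refuse, don't reuse
    return open_dir_nofollow(path)


def write_new_file(dirfd, name, data):
    """Create `name` inside the verified directory handle; never follow or overwrite."""
    if os.sep in name or name in ("", ".", ".."):
        raise ValueError("bare file name expected")
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW   # O_EXCL: fail if planted
    fd = os.open(name, flags, 0o600, dir_fd=dirfd)                  # resolved via the handle
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return os.stat(name, dir_fd=dirfd, follow_symlinks=False).st_size


def drop_binary_safely(workdir, name, data):
    """Create the directory, verify its handle, write through that handle.

    Returns bytes written. The advisory's pattern creates by path and later writes by
    path, leaving the window this function closes.
    """
    dirfd = create_private_dir(workdir)
    try:
        return write_new_file(dirfd, name, data)
    finally:
        os.close(dirfd)
```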

Added: Dec 31, 2025, 4:26 PM
Updated: Dec 31, 2025, 9:27 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 4.0
remediation: 0.0
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.