IDrive Windows Client Privilege Escalation Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A local privilege escalation vulnerability has been identified in the IDrive Cloud Backup Client for Windows, specifically in versions 7.0.0.63 and earlier. The issue arises because the 'id_service.exe' process runs with elevated SYSTEM privileges and regularly reads several files in the 'C:\ProgramData\IDrive\' directory. These files, which can be modified by any standard user, are parsed by the service as UTF-16LE encoded arguments for process execution. An attacker can exploit this by overwriting existing files or creating new ones that direct the service to execute arbitrary executables or scripts, all under the SYSTEM account.

Impact

Exploitation of this vulnerability allows authenticated local users to execute arbitrary code with SYSTEM privileges on the affected Windows device, potentially leading to full control over the machine.

Remediation

IDrive is currently developing a patch for this vulnerability. Users should monitor IDrive releases and update to the latest version once it is available. In the meantime, it is recommended to restrict write permissions on the affected directory and to use additional controls such as EDR monitoring and Group Policy to prevent unauthorized file modifications.
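The two sections above describe the weakness (standard users can write files that a SYSTEM service later reads) and the interim mitigation (restrict write permissions on that directory). The script below is an added example written for this page; it is not IDrive's own code or tooling. It audits the ACLs of the directory named in the advisory and every file under it, reports any Allow entry that gives a standard-user principal write-class rights, and with -Fix replaces those entries with read-and-execute. The path is taken from the advisory; the list of principals treated as "standard users" and the choice to leave read access in place are assumptions made here.

```powershell
<#
  Added example, not IDrive's code. Audit (and with -Fix, tighten) the ACLs on
  the directory the advisory names. Run from an elevated PowerShell prompt.
  Assumptions: $Path comes from the advisory; $standardUserSids is our choice.
#>
[CmdletBinding()]
param(
    [string]$Path = 'C:\ProgramData\IDrive',
    [switch]$Fix
)

# Well-known SIDs that every interactive, non-admin user belongs to.
$standardUserSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Specific rights that let a principal create, replace or delete content,
# or change the ACL itself.
$FSR = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($FSR::WriteData -bor $FSR::AppendData -bor $FSR::Delete -bor
                   $FSR::DeleteSubdirectoriesAndFiles -bor $FSR::WriteAttributes -bor
                   $FSR::WriteExtendedAttributes -bor $FSR::ChangePermissions -bor
                   $FSR::TakeOwnership)
# Generic rights can appear in raw ACEs instead of the specific flags above.
$GENERIC_WRITE = 0x40000000
$GENERIC_ALL   = 0x10000000

function Test-WriteAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    try {
        $sid = $Ace.IdentityReference.Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $false }   # orphaned or untranslatable SID
    if ($standardUserSids -notcontains $sid) { return $false }
    $rights = [int]$Ace.FileSystemRights
    return (($rights -band $writeMask)     -ne 0) -or
           (($rights -band $GENERIC_WRITE) -ne 0) -or
           (($rights -band $GENERIC_ALL)   -ne 0)
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "$Path does not exist on this host."
    return
}

# The directory itself plus everything beneath it (hidden files included).
$items = @(Get-Item -LiteralPath $Path -Force) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
$findings = @()

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    $bad = @($acl.Access | Where-Object { Test-WriteAce $_ })
    foreach ($ace in $bad) {
        $findings += [pscustomobject]@{
            Path      = $item.FullName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
    if ($Fix -and $bad.Count -gt 0) {
        # Inherited ACEs cannot be removed in place: break inheritance first,
        # keeping copies of the inherited entries so nothing else changes,
        # then re-read the ACL so those copies are now explicit and removable.
        if ($bad | Where-Object { $_.IsInherited }) {
            $acl.SetAccessRuleProtection($true, $true)
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
            $acl = Get-Acl -LiteralPath $item.FullName
            $bad = @($acl.Access | Where-Object { Test-WriteAce $_ })
        }
        foreach ($ace in $bad) {
            [void]$acl.RemoveAccessRule($ace)
            # Keep read/execute so user-mode parts of the client can still read
            # the files; only the ability to create or alter them is removed.
            $readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $ace.IdentityReference, 'ReadAndExecute',
                $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
            $acl.AddAccessRule($readOnly)
        }
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
        Write-Host "Tightened: $($item.FullName)"
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No standard-user write access found under $Path."
} else {
    $findings | Format-Table -AutoSize
}
```

Run it without -Fix first and review the table: every row is a file or directory that a standard user could currently create or overwrite and that, per the advisory, the SYSTEM service may read. Before applying -Fix on a production host, confirm with a test backup run that the client's user-mode components do not need to write under that path, since the script removes write rights for all listed principals uniformly. For detection alongside the ACL change, a SACL on the same directory with "Audit File System" enabled will log file creation and modification attempts by non-privileged accounts as Security event 4663, which is a useful signal to forward to the EDR or SIEM the advisory mentions.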

Added: Mar 24, 2026, 7:46 PM
Updated: Mar 24, 2026, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 2.9
remediation: 8.3
relevance: 4.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.