"CCH Wolters Kluwer PFX Engagement 7.1 - Local Privilege Escalation"

Author: "Information Paradox"
Platform: windows
Release date: 2014-11-28

# Exploit Title: CCH Wolters Kluwer PFX Engagement <= v7.1 Local Privilege Escalation
# Date: 11/26/14
# Exploit Author: singularitysec@gmail.com
# Vendor Homepage: www.cchgroup.com

# Version: PFX Engagement <= v7.1
# Tested on: Windows XP -> Windows 8, 2003, 2008, 2012
# CVE : 2014-9113


Product Affected:
CCH Wolters Kluwer PFX Engagement <= v7.1
This vulnerability has been reference-checked against multiple installs.
The configuration was identical across all systems and each version
encountered.

Executables/Services:

Pfx.Engagement.WcfServices
PFXEngDesktopService
PFXSYNPFTService
P2EWinService

Attack Detail:
The PFX Engagement services are installed in the directory
C:\PFX Engagement\ and run with LOCAL SYSTEM service credentials.

By default, the installed executables allow AUTHENTICATED USERS to modify,
replace or alter the files. This would allow an attacker to inject their
code or replace an executable and have it run in the context of the system.

This would allow complete compromise of a machine on which the product is
installed, because the altered process runs with LOCAL SYSTEM access to the
machine in question. An attacker can replace the file or append code to the
executable, then reboot the system or restart the service, and the machine
would be compromised. As LOCAL SYSTEM is the highest privilege level on a
machine, this allows total control and access to all parts of the system.
This affects both the server and workstation builds.

Remediation:

Remove the modify/write permissions on the executables to allow only
privileged users to alter the files.
Apply vendor patch when distributed.
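
A way to check for the condition described above and to confirm the permission fix afterwards, as an added example that is not part of the original advisory or the vendor's tooling. The function names and the path filter default are assumptions for illustration; the directory comes from the advisory.

```powershell
# Added example: list service executables that low-privileged groups can alter.
# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
$lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'

# Rights that let a principal change the file's content or its ACL
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-ServiceExePath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $null
}

function Find-WritableServiceBinary {
    # Default filter is the install directory named in the advisory
    param([string]$PathFilter = 'C:\PFX Engagement\*')
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        $exe = Get-ServiceExePath $svc.PathName
        if (-not $exe -or $exe -notlike $PathFilter) { return }
        if (-not (Test-Path -LiteralPath $exe)) { return }
        $acl = Get-Acl -LiteralPath $exe
        # Include explicit and inherited ACEs, with identities returned as SIDs
        $rules = $acl.GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier])
        foreach ($r in $rules) {
            if ($r.AccessControlType -eq 'Allow' -and
                $lowPrivSids -contains $r.IdentityReference.Value -and
                ($r.FileSystemRights -band $writeMask)) {
                [pscustomobject]@{
                    Service = $svc.Name
                    RunsAs  = $svc.StartName
                    Path    = $exe
                    Sid     = $r.IdentityReference.Value
                    Rights  = $r.FileSystemRights
                }
            }
        }
    }
}

Find-WritableServiceBinary | Format-Table -AutoSize
```

Once the modify/write permissions have been removed, the function should return no rows for the PFX Engagement directory. Passing `-PathFilter '*'` widens the check to every installed service.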


Vulnerability Discovered: 11/26/2014
Vendor Notified: 11/26/2014
Vendor states this will be patched with next software update.

Website: www.information-paradox.net
This vulnerability was discovered by singularitysec@gmail.com. Please
credit the author in all references to this exploit.