Ivanti Workspace Control local privilege escalation via Named Pipe

["Securify B.V. via Fulldisclosure" <fulldisclosure () seclists org>]

------------------------------------------------------------------------
Ivanti Workspace Control local privilege escalation via Named Pipe
------------------------------------------------------------------------
Yorick Koster, August 2018

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was found that Ivanti Workspace Control allows a local (unprivileged)
attacker to run arbitrary commands with Administrator privileges. This
issue can be exploited by spawning a new Composer process, injecting a
malicious thread in this process. This thread connects to a Named Pipe
and sends an instruction to a service to launch an attacker-defined
application with elevated privileges.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on Ivanti Workspace Control version
10.2.700.1 & 10.2.950.0.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue was resolved in Ivanti Workspace Control version 10.3.10.0.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20180802/ivanti-workspace-control-local-privilege-escalation-via-named-pipe.html


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/