Executive Summary

This vulnerability exists in iMonitor EAM 9.6394 where a system service (eamusbsrv64.exe) runs with high privileges (NT AUTHORITY\SYSTEM). The service automatically loads files from the C:\sysupdate\ directory during startup. Since any local user can write to this directory, an attacker can place malicious files there. When the service restarts, it moves and executes these files with SYSTEM privileges, allowing the attacker to escalate their privileges on the system.

Useful 0 Not Useful 0

Impact Analysis

An attacker with local access can exploit this vulnerability to execute malicious code with SYSTEM-level privileges. This means they can gain full control over the affected system, potentially installing malware, stealing data, or disrupting system operations.

Useful 0 Not Useful 0

Detection Guidance

You can detect this vulnerability by checking for the presence of the eamusbsrv64.exe service running with SYSTEM privileges and inspecting the C:\sysupdate\ directory for any unauthorized or suspicious files. Commands to help detect this include: 1) To check the service: 'sc query eamusbsrv64' or 'Get-Service -Name eamusbsrv64' (PowerShell). 2) To list files in the update directory: 'dir C:\sysupdate\' or 'Get-ChildItem C:\sysupdate\' (PowerShell). 3) To check file ownership and permissions in that directory to see if non-administrative users have write access. Monitoring for unexpected files or changes in this directory can indicate exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting write permissions on the C:\sysupdate\ directory to prevent unprivileged users from placing files there, stopping and disabling the eamusbsrv64.exe service if it is not required, and monitoring the directory for unauthorized files. Additionally, consider applying any available patches or updates from the vendor that address this insecure update mechanism.

Useful 0 Not Useful 0