Executive Summary

This vulnerability in Wondershare MirrorGo 2.0.11.346 is a local privilege escalation issue caused by incorrect file permissions on executable files. Specifically, unprivileged local users can replace the ElevationService.exe file, which runs with LocalSystem privileges, with a malicious executable. This allows them to execute arbitrary code with the highest system privileges, effectively escalating their access rights on the affected system. [1, 3]

Useful 0 Not Useful 0

Impact Analysis

Exploiting this vulnerability allows an attacker with local access to escalate their privileges to LocalSystem level, which is the highest privilege on a Windows system. This means they can execute arbitrary code with full control over the system, potentially leading to complete system compromise, unauthorized access to sensitive data, and disruption of system availability. [1, 3]

Useful 0 Not Useful 0

Detection Guidance

You can detect this vulnerability by checking the file permissions of the executable files in the Wondershare MirrorGo installation directory, especially ElevationService.exe. On a Windows system, use the command: icacls "C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ElevationService.exe" to view the permissions. If the permissions grant full control to the "Everyone" group or other unprivileged users, the system is vulnerable. [1, 3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting the file permissions on the affected executables, particularly ElevationService.exe, to prevent unprivileged users from modifying them. This can be done by removing full control permissions from the "Everyone" group and ensuring only trusted administrators have write access. Additionally, consider stopping and disabling the ElevationService service until a patched version is available. [1, 3]

Useful 0 Not Useful 0