Executive Summary

CVE-2019-25608 is a privilege escalation vulnerability in Iperius Backup version 6.1.0 that allows low-privilege users to execute arbitrary programs with elevated privileges.

The vulnerability arises because low-privilege users can create backup jobs that specify programs or batch files to run before or after backup operations. These programs run with the privileges of the Iperius Backup Service account, which operates under Local System or Administrator privileges.

An attacker with local low-privilege access can exploit this by creating a malicious backup job that runs a harmful program, such as a batch file launching a reverse shell, thereby gaining elevated code execution rights.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows an attacker with low-level local access to escalate their privileges to Local System or Administrator level on the affected machine.'}, {'type': 'paragraph', 'content': 'By exploiting this flaw, attackers can execute arbitrary code with elevated privileges, potentially gaining full control over the system, accessing sensitive data, installing malware, or disrupting system operations.'}, {'type': 'paragraph', 'content': "The exploit can lead to a complete compromise of the affected system's confidentiality, integrity, and availability."}] [1, 2]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if low-privilege users have the ability to create or modify backup jobs in Iperius Backup 6.1.0, which run with elevated privileges.'}, {'type': 'paragraph', 'content': 'One way to detect potential exploitation is to look for backup jobs configured to execute programs or batch files before or after backup operations.'}, {'type': 'paragraph', 'content': "Suggested commands include inspecting the permissions on the folder c:\\ProgramData\\IperiusBackup to see if the 'Everyone' group has write permissions, which would allow unauthorized users to create or modify backup jobs."}, {'type': 'list_item', 'content': 'On Windows, use the command: icacls "c:\\ProgramData\\IperiusBackup"'}, {'type': 'list_item', 'content': 'Check for suspicious backup job configurations or batch files that may be set to run before or after backup operations.'}, {'type': 'list_item', 'content': 'Look for unexpected or unauthorized batch files or executables in the backup job definitions.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': "To mitigate this vulnerability, immediately remove the 'Everyone' permission from the folder c:\\ProgramData\\IperiusBackup to restrict unauthorized users from creating or modifying backup jobs."}, {'type': 'paragraph', 'content': 'This prevents low-privilege users from exploiting the backup job feature to execute arbitrary code with elevated privileges.'}, {'type': 'paragraph', 'content': 'Additionally, review and restrict permissions on the Iperius Backup service and related files to ensure only trusted administrators have access.'}, {'type': 'paragraph', 'content': 'Consider monitoring backup job configurations for any unauthorized changes or suspicious entries.'}] [1]

Useful 0 Not Useful 0