______________________________________________________________________
-------------------------- NSOADV-2021-001 ---------------------------

          Dell Peripheral Manager Local Privilege Escalation
______________________________________________________________________
______________________________________________________________________

  Title:              Dell Peripheral Manager Local Privilege Escalation
  Severity:           high
  Advisory ID:        NSOADV-2021-001
  CVE:                CVE-2021-21545
  CVSS Score:         7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  Date Reported:      2021-03-21
  Release Date:       2021-04-01
  Author:             Nikolas Sotiriu
  Website:            http://sotiriu.de
  Mail:               nso-research at sotiriu.de
  URL:                http://sotiriu.de/adv/NSOADV-2021-001.txt
  Vendor:             Dell (https://www.dell.com/)
  Affected Products:  Dell Peripheral Manager
  Affected Versions:  <= 1.3.0
  Remote Exploitable: No
  Patch Status:       Vendor released a patch (See Solution)
  Discovered by:      Nikolas Sotiriu


Description:
============

During installation of the Dell Peripheral Manager, the installation
folder C:\ProgramData\Dell\ is created with permissions that, by
default, give the builtin group Users write permission to this
directory.

An EXE called Dell.exe is executed from this directory with LocalSystem
permissions during the Update process.

This can be exploited by:

  a. Copy a cmd.exe to C:\ProgramData\Dell\Dell.exe
  b. Start the Dell Peripheral Manager and execute the Update Process.
  c. Profit


Proof of Concept:
=================

https://sotiriu.de/demos/DPMlpe.gif


Solution:
=========

Install Version 1.3.1

https://www.dell.com/support/kbdoc/en-us/000185100/dsa-2021-079-dell-client-security-update-for-dell-peripheral-manager-local-privilege-escalation-vulnerability


Disclosure Timeline:
====================

2021-03-25: Sent vulnerability information to vendor
2021-03-25: Initial response
2021-03-26: Product team validated the finding
2021-04-01: Patch is released
2021-04-14: Release of this advisory
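
A defender-side check for the condition given under Description, as an added example that is not part of the original advisory: this PowerShell script lists the allow ACEs on C:\ProgramData\Dell that grant write-type rights to broad low-privileged groups. The SID list and the set of rights treated as write access are assumptions made for this example.

```powershell
# Added example (not from the advisory): flag write-type ACEs for broad groups.
param([string]$Path = 'C:\ProgramData\Dell')   # directory named in the advisory

# Assumed list of broad, low-privileged principals, by well-known SID.
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow planting or replacing a file in the directory (assumed set).
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
    $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::ChangePermissions -bor
    $fsr::TakeOwnership)
# Get-Acl can return unmapped generic rights: GENERIC_ALL and GENERIC_WRITE bits.
$genericMask = 0x10000000 -bor 0x40000000

$acl   = Get-Acl -LiteralPath $Path -ErrorAction Stop
# Translate identities to SIDs so the check does not depend on localized names.
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$findings = foreach ($ace in $rules) {
    if ($ace.AccessControlType -ne 'Allow') { continue }   # deny ACEs are not evaluated here
    $sid = $ace.IdentityReference.Value
    if (-not $lowPriv.ContainsKey($sid)) { continue }
    $rights = [int]$ace.FileSystemRights
    if (($rights -band $writeMask) -or ($rights -band $genericMask)) {
        [pscustomobject]@{
            Principal   = $lowPriv[$sid]
            Rights      = $ace.FileSystemRights
            Inherited   = $ace.IsInherited
            Propagation = $ace.PropagationFlags   # InheritOnly = applies to children only
        }
    }
}

if ($findings) {
    Write-Warning "$Path is writable by low-privileged principals"
    $findings | Format-Table -AutoSize
    exit 1
}
Write-Output "$Path : no write-type ACEs for the listed principals"
```

Because deny ACEs and effective-access evaluation are not modelled, a finding is a candidate to confirm, not proof of effective write access.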