CVE-2020-13541
📋 TL;DR
This vulnerability allows local attackers to escalate privileges on systems running Mobile-911 Server V2.5 by exploiting weak file system permissions in the installation directory. Attackers can overwrite service executables or other files to execute arbitrary code with SYSTEM privileges. Only users running the vulnerable Mobile-911 Server version are affected.
💻 Affected Systems
- Mobile-911 Server
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, allowing attackers to install persistent malware, steal credentials, or pivot to other systems.
Likely Case
Local privilege escalation leading to unauthorized administrative access, data theft, or lateral movement within the network.
If Mitigated
Limited impact with proper file permissions and access controls preventing unauthorized file modifications.
🎯 Exploit Status
Exploitation requires local access to the system but is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V2.6 or later
Vendor Advisory: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1151
Restart Required: Yes
Instructions:
1. Download and install Mobile-911 Server V2.6 or later from the official vendor.
2. Uninstall the vulnerable V2.5 version.
3. Restart the system to ensure clean service startup.
🔧 Temporary Workarounds
Restrict File Permissions
Windows: Manually set proper file system permissions on the Mobile-911 Server installation directory to prevent unauthorized modifications.
icacls "C:\Program Files\Mobile-911 Server" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"
Remove Unnecessary User Access
Windows: Ensure only authorized administrators have write access to the installation directory.
icacls "C:\Program Files\Mobile-911 Server" /remove:g "Users" /T
🧯 If You Can't Patch
- Implement strict access controls and monitor for unauthorized file modifications in the installation directory.
- Isolate the vulnerable system from critical network segments and implement application whitelisting.
🔍 How to Verify
Check if Vulnerable:
Check whether Mobile-911 Server V2.5 is installed and whether file permissions on the installation directory allow write access to non-administrative users.
Check Version:
Check the version in the application's About dialog or examine the executable properties.
Verify Fix Applied:
Confirm installation of V2.6 or later and verify that file permissions restrict write access to SYSTEM and Administrators only.
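One way to run the permission check described under "Check if Vulnerable" and "Verify Fix Applied", as an added PowerShell example that is not part of the original advisory or any vendor tooling. The installation path is the one used in the workaround commands above; the parameter names `$InstallDir` and `$TrustedSids` are assumptions made for this example.

```powershell
# Added example: report every ACE under the installation directory that lets a
# principal other than SYSTEM or Administrators modify files or permissions.
param(
    # Path as used in the icacls workarounds on this page; adjust if installed elsewhere.
    [string]$InstallDir = 'C:\Program Files\Mobile-911 Server',
    # Well-known SIDs for LocalSystem and BUILTIN\Administrators.
    # Add further SIDs here if your baseline trusts other principals.
    [string[]]$TrustedSids = @('S-1-5-18', 'S-1-5-32-544')
)

# Specific rights that permit replacing or tampering with a file or directory.
$writeRights = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Some ACEs carry unmapped generic bits instead: GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$genericWrite = 0x50000000

# Check the directory itself and everything below it, including hidden items.
$items = @(Get-Item -LiteralPath $InstallDir -Force) +
         @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force)

$findings = foreach ($item in $items) {
    foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $raw = [int]$ace.FileSystemRights
        if (-not (($raw -band $writeRights) -or ($raw -band $genericWrite))) { continue }

        # Compare by SID so localized or renamed group names do not matter.
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }   # unresolvable account: report it as-is

        if ($TrustedSids -notcontains $sid) {
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Path, Identity | Format-Table -AutoSize -Wrap
    exit 1   # at least one untrusted principal can write
}
Write-Output "No write-capable ACEs for untrusted principals under $InstallDir"
exit 0
```

Run it from an elevated prompt so every ACL can be read; a non-zero exit code means the directory still needs the permission workaround or the upgrade.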
📡 Detection & Monitoring
Log Indicators:
- Windows Event Log entries showing file modifications in the Mobile-911 Server directory by non-administrative users
- Unexpected service restarts or process creations from the Mobile-911 Server directory
Network Indicators:
- Unusual outbound connections from the Mobile-911 Server system following local privilege escalation
SIEM Query:
EventID=4663 AND ObjectName LIKE '%Mobile-911 Server%' AND SubjectUserName NOT IN ('SYSTEM', 'Administrator')