CVE-2023-26918
📋 TL;DR
CVE-2023-26918 is a privilege escalation vulnerability in Diasoft File Replication Pro 7.5.0 where the installation directory has overly permissive 'Everyone: Full Control' permissions. Attackers can replace legitimate files with malicious ones that execute with LocalSystem privileges. This affects all users running the vulnerable version of File Replication Pro.
💻 Affected Systems
- Diasoft File Replication Pro
📦 What is this software?
File Replication Pro, a file replication product from Diasoft (filereplicationpro.com).
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with LocalSystem privileges, allowing attackers to install persistent malware, steal credentials, disable security controls, and pivot to other systems.
Likely Case
Local privilege escalation from a lower-privileged user account to LocalSystem, enabling installation of backdoors, credential dumping, and lateral movement.
If Mitigated
Limited impact if proper file permissions are enforced and least privilege principles are followed.
🎯 Exploit Status
Exploitation requires local access to the system. The vulnerability is simple to exploit by replacing files in the insecure directory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.filereplicationpro.com
Restart Required: No
Instructions:
No official patch available. Apply workarounds to secure file permissions.
🔧 Temporary Workarounds
Secure File Permissions
Windows: Remove 'Everyone: Full Control' permissions from the File Replication Pro installation directory and set appropriate permissions. The path below assumes the default install location; adjust it if the product was installed elsewhere.
icacls "%ProgramFiles%\FileReplicationPro" /remove Everyone /T
icacls "%ProgramFiles%\FileReplicationPro" /grant Administrators:(OI)(CI)F /T
icacls "%ProgramFiles%\FileReplicationPro" /grant SYSTEM:(OI)(CI)F /T
Note: icacls /remove only strips explicit entries. If the 'Everyone' entry is inherited from a parent directory, first run icacls "%ProgramFiles%\FileReplicationPro" /inheritance:d to convert inherited entries into explicit ones, then remove it. Confirm afterwards that the service account File Replication Pro runs under (LocalSystem by default per this advisory) still has the access it needs.
🧯 If You Can't Patch
- Restrict local access to systems running File Replication Pro to trusted users only.
- Monitor the FileReplicationPro directory for unauthorized file modifications using file integrity monitoring tools.
🔍 How to Verify
Check if Vulnerable:
Check permissions on the %ProgramFiles%\FileReplicationPro directory using: icacls "%ProgramFiles%\FileReplicationPro". An entry such as Everyone:(OI)(CI)(F) in the output means the directory (and, via inheritance, its files and subdirectories) is writable by any local user and the system is vulnerable.
Check Version:
Check the software version in the application interface or installation directory properties.
Verify Fix Applied:
Verify that 'Everyone' group no longer has Full Control permissions on the directory and subdirectories.
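As an added verification script (not from the advisory or the vendor), the following PowerShell walks the install tree and reports any ACE that grants a broad principal write-class rights, including inherited entries that icacls /remove would not strip. The directory path is the advisory's assumed default location; adjust it to the real install directory.

```powershell
# Added example, not vendor code: audit an install tree for ACEs that let any local user
# replace binaries that later run as LocalSystem. $Path is an assumption (default location).
param([string]$Path = "$env:ProgramFiles\FileReplicationPro")

# Principals that should never hold write-class rights on this directory.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Any of these rights lets a low-privileged user alter, replace or delete files.
$WriteClass = [System.Security.AccessControl.FileSystemRights]::Write -bor
              [System.Security.AccessControl.FileSystemRights]::Modify -bor
              [System.Security.AccessControl.FileSystemRights]::FullControl -bor
              [System.Security.AccessControl.FileSystemRights]::Delete -bor
              [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
              [System.Security.AccessControl.FileSystemRights]::ChangePermissions
# Also catch ACEs expressed with generic rights (GENERIC_WRITE 0x40000000, GENERIC_ALL 0x10000000).
$WriteMask = [int]$WriteClass -bor 0x40000000 -bor 0x10000000

function Get-WeakAce {
    param([string]$Target)
    $acl = Get-Acl -LiteralPath $Target
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Bitwise test: does this ACE carry any write-class or generic-write bit?
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Target
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited entries need /inheritance:d before /remove
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $Path)) { throw "Install directory not found: $Path" }

# Check the root and everything beneath it (the equivalent of icacls /T).
$findings = @(Get-WeakAce -Target $Path)
Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
    $findings += Get-WeakAce -Target $_.FullName
}

if ($findings.Count -eq 0) {
    Write-Output "OK: no broad principal holds write-class rights under $Path"
} else {
    Write-Output "VULNERABLE: $($findings.Count) weak ACE(s) found"
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt before and after applying the icacls workaround; an empty result after remediation confirms the fix, while any remaining row whose Inherited column is True points to a parent directory that still grants the right.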
📡 Detection & Monitoring
Log Indicators:
- Windows Security Event ID 4663 (File system access) showing writes to the FileReplicationPro directory by accounts other than SYSTEM or Administrators. Note that 4663 is only generated if Object Access auditing is enabled and a SACL auditing write access has been set on the directory.
- Unexpected processes running as LocalSystem originating from FileReplicationPro directory
Network Indicators:
- Unusual outbound connections from the system running File Replication Pro
SIEM Query (pseudo-syntax, adapt field names to your platform):
source="Windows Security" EventID=4663 ObjectName="*FileReplicationPro*" AccessMask IN ("0x2", "0x4", "0x10000")
The masks 0x2 (WriteData/AddFile), 0x4 (AppendData/AddSubdirectory) and 0x10000 (DELETE) cover file replacement; 0x100 is WriteAttributes only and would miss the overwrite this advisory describes. AccessMask can also appear as a combined value (for example 0x6), so a bitwise match is preferable where the SIEM supports it.
🔗 References
- http://packetstormsecurity.com/files/171879/File-Replication-Pro-7.5.0-Insecure-Permissions-Privilege-Escalation.html
- https://www.filereplicationpro.com