ACTIVE-2020-004: IDrive Local Privilege Escalation (CVE-2020-15351)


Vulnerability Type:
Privilege Escalation
Vendors:
IDrive Inc.
CVE ID:
CVE-2020-15351
Affected Products:

  • IDrive for Windows prior to version 6.7.3.19

Summary:
IDrive for Windows prior to version 6.7.3.19 installs by default to “C:\Program Files (x86)\IDriveWindows” with weak folder permissions: the ACE “NT AUTHORITY\Authenticated Users:(OI)(CI)(M)” grants any user modify permission on the contents of the directory and its sub-folders. In addition, the program installs a service called “IDriveService” which runs as Local System. Together, these allow any standard user to escalate privileges to “NT AUTHORITY\SYSTEM” by substituting the service's binary with a malicious one.
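
Added example (not part of the original advisory and not IDrive's code): a Python check that parses `icacls` output for a service's install directory and reports allow ACEs that give low-privileged groups write-capable rights, which is the condition described in the summary. Only the path and the Authenticated Users ACE come from the advisory; the rest of the sample output, the list of low-privileged groups and the hardened ACL are constructed assumptions.

```python
import re

# Groups every standard (non-admin) user belongs to.
LOW_PRIV = {"everyone", "builtin\\users",
            "nt authority\\authenticated users", "nt authority\\interactive"}
# icacls rights that permit replacing or altering files: simple (F, M, W) and
# specific (write/append data, delete, delete child, change DACL/owner).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D", "DC", "WDAC", "WO", "GW", "GA"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^()]*\))+)$")


def weak_aces(icacls_output, path):
    """Return [(principal, [write rights])] for low-privileged allow ACEs."""
    findings = []
    for line in icacls_output.splitlines():
        if line.startswith(path):      # icacls prefixes the first ACE with the path
            line = line[len(path):]
        m = ACE_RE.match(line.strip())
        if not m:                      # blank line or the trailing status line
            continue
        groups = re.findall(r"\(([^()]*)\)", m.group("groups"))
        flags, rights = groups[:-1], set(groups[-1].split(","))
        if "DENY" in flags or m.group("who").lower() not in LOW_PRIV:
            continue                   # skip deny ACEs and trusted principals
        risky = sorted(rights & WRITE_RIGHTS)
        if risky:
            findings.append((m.group("who"), risky))
    return findings


# Constructed sample output; only the Authenticated Users ACE is from the advisory.
PATH = r"C:\Program Files (x86)\IDriveWindows"
PAD = " " * (len(PATH) + 1)
WEAK_ACE = r"NT AUTHORITY\Authenticated Users:(OI)(CI)(M)"
VULNERABLE = "\n".join([
    PATH + " " + WEAK_ACE,
    PAD + r"NT AUTHORITY\SYSTEM:(OI)(CI)(F)",
    PAD + r"BUILTIN\Administrators:(OI)(CI)(F)",
    "",
    "Successfully processed 1 files; 0 failed processing 0 files",
])
# Assumed read/execute-only replacement, not the vendor's actual patched ACL.
HARDENED = VULNERABLE.replace(WEAK_ACE, r"BUILTIN\Users:(OI)(CI)(RX)")

if __name__ == "__main__":
    print("vulnerable:", weak_aces(VULNERABLE, PATH))
    print("hardened:  ", weak_aces(HARDENED, PATH))
```

On a live host, the input would be the text printed by `icacls` for the directory that holds a service's binary.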

Mitigation:
The vendor has released a patch in version 6.7.3.19 addressing this vulnerability.
Credit:
This vulnerability was found by Hashim Jawad of ACTIVELabs.
Disclosure Timeline:

  • 06-15-20: ACTIVELabs contacted IDrive support requesting a security contact and PGP key

  • 06-15-20: IDrive support asked ACTIVELabs to share the report with them so they could forward it to the appropriate department

  • 06-16-20: ACTIVELabs sent the security vulnerability report

  • 06-18-20: IDrive support shared a patch and asked ACTIVELabs to test it

  • 06-19-20: ACTIVELabs confirmed the patch has nullified the vulnerability and requested a timeline for the patch release

  • 06-22-20: IDrive support stated the patch will be pushed into production by the middle of next week

  • 06-25-20: IDrive version 6.7.3.19 released

  • 06-26-20: ACTIVELabs publishes this advisory

  • 06-26-20: ACTIVELabs requested a CVE from MITRE

  • 06-26-20: CVE-2020-15351 assigned
