ACTIVE-2020-004: IDrive Local Privilege Escalation (CVE-2020-15351)

Vulnerability Type:
Privilege Escalation
Vendors:
IDrive Inc.
CVE ID:
CVE-2020-15351
Affected Products:

• IDrive for Windows prior to version 6.7.3.19

Summary:
​IDrive for Windows prior to version 6.7.3.19 installs by default to “C:\Program Files(x86)\IDriveWindows” with weak folder permissions granting any user modify permission “NT AUTHORITY\Authenticated Users:(OI)(CI)(M)” to the contents of the directory and it's sub-folders. In addition, the program installs a service called “IDriveService” which runs as Local system, this will allow any standard user to escalate privileges to “NT AUTHORITY\SYSTEM” by substituting the service's binary with malicious one.

Mitigation:
The vendor has released a patch in version 6.7.3.19 addressing this vulnerability.
Credit:
​This vulnerability was found by Hashim Jawad of ACTIVELabs.
References:

• https://www.idrive.com/release-info#win
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15351
• https://nvd.nist.gov/vuln/detail/CVE-2020-15351

Disclosure Timeline:

• 06-15-20: ACTIVELabs contacted IDrive support requesting security contact and PGP key
• 06-15-20: IDrive support requested to share the report with them so they can forward it to the appropriate department
• 06-16-20: ACTIVELabs sent security vulnerability report
• 06-18-20: IDrive support shared a patch and requested to test it
• 06-19-20: ACTIVELabs confirmed the patch has nullified the vulnerability and requested timeline for patch release
• 06-22-20: IDrive support stated the patch will be pushed into production by mid of next week
• 06-25-20: IDrive version 6.7.3.19 released
• 06-26-20: ACTIVELabs publishes this advisory
• 06-26-20: ACTIVELabs request CVE from MITRE
• 06-26-20: CVE-2020-15351 assigned