CVE-2022-24139

Published: Jul 6, 2022Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

In IOBit Advanced System Care (AscService.exe) 15, an attacker with SEImpersonatePrivilege can create a named pipe with the same name as one of ASCService's named pipes. ASCService first tries to connect before trying to create the named pipes, because of that during login the service will try to connect to the attacker which will lead to either escalation of privileges (through token manipulation and ImpersonateNamedPipeClient() ) from ADMIN -> SYSTEM or from Local ADMIN-> Domain ADMIN depending on the user and named pipe that is used.

Affected (2)

Products: Iobit: Advanced System Care

1 product

Advanced System Care

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Iobit Advanced System Care	Version 15
Iobit Advanced System Care	Version 15

Related CWEs

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

References (6)

http://advanced.com

Source: cve@mitre.org

Not Applicable

http://iobit.com

Source: cve@mitre.org

Vendor Advisory

https://github.com/tomerpeled92/CVE/

Source: cve@mitre.org

Third Party Advisory

http://advanced.com

Source: af854a3a-2127-422b-91ae-364da2661108

Not Applicable

http://iobit.com

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://github.com/tomerpeled92/CVE/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.