Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

Selea CarPlateServer (CPS) - Local Privilege Escalation


Recommended Posts

# Exploit Title: Selea CarPlateServer (CPS) - Local Privilege Escalation
# Date: 08.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com

Selea CarPlateServer (CPS) v4.0.1.6 Local Privilege Escalation

Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version:

Summary: Our CPS (Car Plate Server) software is an advanced solution that can
be installed on computers and servers and used as an operations centre. It can
create sophisticated traffic control and road safety systems connecting to
stationary, mobile or vehicle-installed ANPR systems. CPS allows to send alert
notifications directly to tablets or smartphones, it can receive and transfer
data through safe encrypted protocols (HTTPS and FTPS). CPS is an open solution
that offers full integration with main video surveillance software. Our CPS
software connects to the national operations centre and provides law enforcement
authorities with necessary tools to issue alerts. CPS is designed to guarantee
cooperation among different law enforcement agencies. It allows to create a
multi-user environment that manages different hierarchy levels and the related
division of competences.

Desc: The application suffers from an unquoted search path issue impacting the
service 'Selea CarPlateServer' for Windows deployed as part of Selea CPS software
application. This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system. A successful
attempt would require the local user to be able to insert their code in the system
root path undetected by the OS or other security applications where it could
potentially be executed during application startup or reboot. If successful, the
local user's code would execute with the elevated privileges of the application.

Tested on: Microsoft Windows 10 Enterprise

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

Advisory ID: ZSL-2021-5621
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5621.php



C:\Users\Smurf>sc qc "Selea CarPlateServer"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Selea CarPlateServer
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:/Program Files/Selea/CarPlateServer/CarPlateService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Selea CarPlateServer
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Link to post
Link to comment
Share on other sites


discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    • Create New...