CVE-2020-27228
An incorrect default permissions vulnerability exists in the installation functionality of OpenClinic GA 5.173.3. Overwriting the binary can result in privilege escalation. An attacker can replace a file to exploit this vulnerability.
OpenClinic GA 5.173.3
https://sourceforge.net/projects/open-clinic/
8.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-276 - Incorrect Default Permissions
OpenClinic GA is an open source fully integrated hospital management solution.
OpenClinic GA 5.173.3 is installed in “C:\projects\openclinic" directory (it currently does not allow installation in another directory) and it allows “Authenticated Users” to have change privilege over “OpenClinicMySQL” service binary file in the directory which are executed with NT SYSTEM authority. This allows users of any authenticated group to read, write or modify arbitrary files in the install directory resulting in privilege escalation when service is restarted.
c:\projects\openclinic\mysql5\bin\mysqld.exe
BUILTIN\Administrators:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Users:(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
2020-11-19 - Initial contact
2020-12-07 - 2nd contact; copy of advisories issued and vendor acknowledged receipt
2021-02-01 - 60 day follow up; no response
2021-03-09 - 90 day follow up; no response
2021-03-22 - Final notice
Discovered by Yuri Kramarz of Cisco Talos.