Subject: Local Privilege Escalation  
Product: SUPREMO by Nanosystems S.r.l.  
Vendor Homepage:  
Vendor Status: fixed version released  
Vulnerable Version: (No other version was tested, but it is  
believed for the older versions to be also vulnerable.)  
Fixed Version:  
CVE Number: CVE-2020-25106  
Authors: Victor Gil (A2SECURE) Adan Alvarez (A2SECURE)  
Vulnerability Description  
Allows attackers to obtain LocalSystem access because when running as a  
service File Manager allows modifying files with system privileges. This  
can be used by an adversary to, for example, rename Supremo.exe and then  
upload a trojan horse with the Supremo.exe filename.  
Proof of Concept  
To exploit this vulnerability Supremo should be running as a service. Then  
follow the following steps:  
- Connect to Supremo from a different machine.  
- Open File manager.  
- Go to the directory where the Supremo executable is located.  
- Modify the name of the executable.  
- Upload a malicious executable and rename it to Supremo.exe  
- Close supremo.  
After these steps, as supremo is running as a service, the service  
executes, as System, the executable allowing an attacker to elevate  
privileges to System.  
The vendor provides an updated version (  
2020-07-13 Disclosed to Vendor  
2020-10-19 Vendor releases the final patch  
2020-12-21 Advisory released  
*Adan 脕lvarez*  
Security Consultant  
+34 933 945 600  
QSA auditors - Pentesting - Security Consultancy - Forensic   
Analysis - PCI Consultancy - Malware Analysis - Incident Response -   
Security Office - Security Training - Employee Security Awareness  
mensaje de correo electr贸nico y sus archivos adjuntos son confidenciales y   
est谩n legalmente protegidos. Se dirige exclusivamente al destinatario o   
destinatarios. No est谩 autorizado el acceso a este mensaje por otras   
personas. Si Vd. no es la persona a la que va dirigido este email,   
cualquier uso est谩 prohibido y es ilegal. As铆mismo, de acuerdo al   
Reglamento EU 2016/679 sobre Protecci贸n de Datos Personales, le informamos   
que su direcci贸n e-mail forma parte de los ficheros de las empresas de   
A2secure, S.L. (A2SECURE) con CIF: B65040107, porque en su momento nos   
autoriz贸 el tratamiento para mantener una relaci贸n comercial y/o   
informativa de nuestros productos y servicios; Usted puede ejercer en   
cualquier momento sus derechos de acceso, rectificaci贸n, supresi贸n,   
limitaci贸n y oposici贸n dirigi茅ndose por escrito a Avda. Francesc Cambo 21,   
10, 08003 Barcelona. Tel.: +34 93 3945600, Email:   
<>. Si ha recibido este mensaje por error, por   
favor, destr煤yalo y notif铆quelo. Gracias.  
This message and its annexed   
files may contain confidential information which is exclusively for the use   
of the addressee. Access to this message by other people is not authorized.   
If you are not the person to whom it is addressed, any use, treatment,   
information, copy or distribution and any action or omission based on the   
information contained in this message are strictly forbidden and illegal.   
According to Regulation EU 2016/679 on Protection of Personal Data, we   
inform you that your e-mail address is part of the files of the companies   
of A2secure, S.L. (A2SECURE) with CIF: B65040107, because at some moment   
you authorized us the treatment to maintain a commercial and / or   
informative relationship of our products and services; You can exercise   
your rights of access, rectification, erasure, restriction and object at   
any time by writing to Avda. Francesc Cambo 21, 10, 08003 Barcelona. Tel .:   
+34 93 3945600, Email: <>. If you   
have received this message by mistake, please destroy it and notify it.   
Thank you.