Share
## https://sploitus.com/exploit?id=PACKETSTORM:161334
# Exploit Title: Millewin - Local Privilege Escalation  
# Date: 2021-02-07  
# Author: Andrea Intilangelo  
# Vendor Homepage: https://www.millewin.it  
# Software Homepage: https://www.millewin.it/index.php/prodotti/millewin   
# Software Link: https://download.millewin.it/files/Millewin/setup/InstMille_Demo_13.39_2019PS.exe  
# Version: 13.39.028 โ€“ 146.1.9  
# Tested on: Microsoft Windows 10 Enterprise x64  
# CVE: CVE-2021-3394  
  
Millennium Millewin also known as "Cartella clinica"  
  
Vendor: Millennium S.r.l. / Dedalus Group / Dedalus Italia S.p.a.  
  
Affected version: 13.39.028  
13.39.28.3342  
13.39.146.1  
-  
  
Summary (from online translator):   
Millewin represents the Professional Solution par excellence, recognized and supported by over 18,000 doctors. Millewin is able to guarantee ideal management  
of the patient's medical records, it also adheres perfectly to the most recent requirements of the General Practitioner and, thanks to the latest functional  
innovations, it assists the doctor in the diagnosis and management of therapy. It can be used, at no additional cost, for group medicine and at the secretarial  
station. Millewin is integrated with all Regional and Corporate Projects. Millewin modules: ACN, MilleDSS, MilleAIR, Redazione e invio fatture, MilleBook.  
  
Vuln desc:   
The application is prone to insecure permissions in its folders that allow unprivileged user complete control. An attacker can exploit the vulnerability by  
arbitrarily replacing file(s) invoked by service(s) or startup regkey (waiting logon from privileged user) impacted. File(s) will be executed with SYSTEM privileges.   
  
The application is subject to insecure folders permissions issue impacting the services 'MillewinTaskService' and 'PDS Server' for Windows deployed as part of  
Millewin suite (Cartella clinica) software application, and the registy runkey responsible to start update (MilleUpdater) task.   
This allow an authorized but non-privileged local or remote user to execute arbitrary code with elevated privileges on the system. An attacker can easily take  
advantage of the flaw arbitrarily replacing the impacted file(s) that will be executed during application startup or reboot, as well as on a privileged account  
logon. If successful, the malicious file(s) would execute with elevated privileges.  
  
The application also suffers from unquoted service path issues.  
  
  
(1) Impacted executable on startup by regkey.  
Any low privileged user can elevate their privileges abusing this scenario:  
  
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  
Value name: MilleLiveUpdate  
Value data: "C:\Program Files (x86)\Millewin\MilleUpdater\MilleUpdater.exe"  
  
  
(2) Impacted services.  
Any low privileged user can elevate their privileges abusing any of these (also unquoted) services:  
  
Millewin, operazioni pianificate MillewinTaskService C:\Program Files (x86)\Millewin\GestioneTaskService.exe Auto  
PDS Server PDS Server C:\Program Files (x86)\Millewin\WatchDogService.exe Auto  
  
Details:  
  
NOME_SERVIZIO: Millewintaskservice  
TIPO : 10 WIN32_OWN_PROCESS  
TIPO_AVVIO : 2 AUTO_START  
CONTROLLO_ERRORE : 1 NORMAL  
NOME_PERCORSO_BINARIO : C:\Program Files (x86)\Millewin\GestioneTaskService.exe  
GRUPPO_ORDINE_CARICAMENTO :  
TAG : 0  
NOME_VISUALIZZATO : Millewin, operazioni pianificate  
DIPENDENZE :  
SERVICE_START_NAME : LocalSystem  
  
NOME_SERVIZIO: PDSserver  
TIPO : 10 WIN32_OWN_PROCESS  
TIPO_AVVIO : 2 AUTO_START  
CONTROLLO_ERRORE : 1 NORMAL  
NOME_PERCORSO_BINARIO : C:\Program Files (x86)\Millewin\WatchDogService.exe  
GRUPPO_ORDINE_CARICAMENTO :  
TAG : 0  
NOME_VISUALIZZATO : PDS Server  
DIPENDENZE :  
SERVICE_START_NAME : LocalSystem  
  
  
(3) Folder permissions.  
Insecure folders permissions issue:  
  
C:\Program Files (x86)\Millewin   
BUILTIN\Users:(OI)(CI)(F)  
Everyone:(OI)(CI)(F)  
NT SERVICE\TrustedInstaller:(I)(F)  
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)  
NT AUTHORITY\SYSTEM:(I)(F)  
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)  
BUILTIN\Administrators:(I)(F)  
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)  
BUILTIN\Users:(I)(RX)  
BUILTIN\Users:(OI)(CI)(IO)(ID)(accesso speciale:)  
GENERIC_READ  
GENERIC_EXECUTE  
...[SNIP]...  
  
C:\Program Files (x86)\Millewin\MilleUpdater   
BUILTIN\Users:(OI)(CI)(ID)F  
Everyone:(OI)(CI)(ID)F  
NT SERVICE\TrustedInstaller:(ID)F  
NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F  
NT AUTHORITY\SYSTEM:(ID)F  
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F  
BUILTIN\Administrators:(ID)F  
BUILTIN\Administrators:(OI)(CI)(IO)(ID)F  
BUILTIN\Users:(OI)(CI)(IO)(ID)(accesso speciale:)  
GENERIC_READ  
GENERIC_EXECUTE  
...[SNIP]...