Affected product and version: Supremo Remote Desktop version 4.1.3
Fixed version: Supremo Remote Desktop version 4.2.0
Assigned CVE: CVE-2020-26949
A quick privesc vulnerability I found in a small remote desktop application called Supremo.
Supremo runs a service executable, "C:\Program Files (x86)\Supremo\SupremoService.exe", in the context of "NT Authority/SYSTEM". Supremo also has a small tray application through which the application can be controlled and configured.
If a user exits the tray application, the executable "Supremo.exe" (running as NT Authority/SYSTEM) restarts, and during this restart it deletes the directory "C:\Windows\Temp\Supremo.madExcept" together with all files and directories inside it.
After this, the "Supremo.exe" executable loads a DLL called "openh264-win32.dll" from "C:\Windows\Temp\Supremo\[USER ID]\". The permissions on the DLL file only allow low-privilege users to read it; however, its parent directory allows all users to create new files.
By using James Forshaw's symboliclink-testing-tools, manually creating "Supremo.madExcept", and then creating a mountpoint from "C:\Windows\Temp\Supremo.madExcept" to "C:\Windows\Temp\Supremo\[USERID]", we could force the "Supremo.exe" executable to delete "openh264-win32.dll" and quickly replace it with our own malicious DLL.
Malicious DLL executing a "cmd.exe /c whoami > C:\pwn.txt" as NT Authority/SYSTEM.
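The two filesystem conditions the advisory relies on (a SYSTEM process loading a DLL from a directory every user can write to, and a junction placed in "C:\Windows\Temp" to redirect the delete) are things a defender can audit directly. The PowerShell below is an added example written for this page, not code from the advisory's author or from the vendor: it reports broad write access on the DLL's parent directory and lists any reparse points (junctions/mount points) directly under "C:\Windows\Temp". The paths come from the advisory; the `$UserId` value is a placeholder for the per-user "[USER ID]" folder name, and the list of "broad" principals is the script's own assumption. The actual fix is the vendor's 4.2.0 release named above; this check only tells you whether the preconditions are still present on a host.

```powershell
# Added example (not from the original advisory). Audits the preconditions
# described for CVE-2020-26949 on a Windows host. Run from an elevated prompt.
param(
    # Placeholder: the "[USER ID]" directory name from the advisory, not a real value.
    [string]$UserId   = '<USER ID>',
    [string]$TempRoot = 'C:\Windows\Temp'
)

$dllDir = Join-Path $TempRoot ("Supremo\" + $UserId)

# Assumption: these identities are treated as "every local user".
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights on a directory lets a low-privilege user create or replace files in it.
$writeMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-BroadWriteAce {
    # Returns the Allow ACEs on $Path that grant write/create rights to a broad principal.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($broadPrincipals -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $writeMask) -ne 0)
    }
}

function Get-ReparsePointChildren {
    # Directories directly under $Path that are junctions, mount points or symlinks.
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::ReparsePoint }
}

# 1. Is the DLL's parent directory writable by every user?
if (-not (Test-Path -LiteralPath $dllDir)) {
    Write-Output "$dllDir is not present (product not installed, or directory not yet created)."
} else {
    $aces = @(Get-BroadWriteAce -Path $dllDir)
    if ($aces.Count -gt 0) {
        Write-Warning "Broad write access on $dllDir (precondition for the DLL swap is present):"
        $aces | Format-Table IdentityReference, FileSystemRights -AutoSize
    } else {
        Write-Output "No broad write access on $dllDir."
    }
}

# 2. Any junction or mount point placed directly in C:\Windows\Temp?
$links = @(Get-ReparsePointChildren -Path $TempRoot)
if ($links.Count -eq 0) {
    Write-Output "No reparse points directly under $TempRoot."
} else {
    foreach ($l in $links) {
        # LinkType and Target are the properties PowerShell adds to FileSystemInfo objects.
        Write-Warning ("Reparse point: {0} [{1}] -> {2}" -f $l.FullName, $l.LinkType, ($l.Target -join ', '))
    }
}
```

A "Supremo.madExcept" entry reported as a junction whose target is the DLL directory is exactly the layout the advisory describes, and a broad-write ACE on the DLL's parent directory is the condition that makes the replaced file loadable by the SYSTEM process; a host updated to 4.2.0 that still shows the write access should be treated as worth a closer look rather than assumed safe.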