Macro Expert <= 4.9.4 - Insecure Permissions Privilege Escalation# CVE-2024-27674
Macro Expert <= 4.9.4 - Insecure Permissions Privilege Escalation
### Description:
Insecure Permissions vulnerability in Macro Expert 4.9.4 and versions below allows a local unprivileged attacker to execute arbitrary code as SYSTEM via a crafted script by replacing the MacroService.exe binary existing within a controllable path.
### Impacted service(s)
servicename: Macro Expert
Path permission: c:\program files (x86)\grasssoft\macro expert
### ACL Permissions
```
C:\>icacls "C:\Program Files (x86)\GrassSoft\Macro Expert"
C:\Program Files (x86)\GrassSoft\Macro Expert BUILTIN\Users:(OI)(CI)(M)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
```
### Attack Vector
Files in this path can be modified by unprivileged users, malicious process and/or threat actor.
And the service "Macro Expert" which runs under SYSTEM context, will invoke the "MacroService.exe" in this directory.
If a malicious user replaces the executable named "MacroService.exe" within this directory, the service will inadvertently execute these malicious binaries upon reboot, running them with SYSTEM privileges.
#### Discovered by:
Alaa Kachouh
[4.0K] /data/pocs/126eb1f19a5392558497e0f9d0c5f3dcffa2883b
└── [2.0K] README.md
0 directories, 1 file