SB2017053005 - Two vulnerabilities in Acunetix

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) DDL injection (CVE-ID: N/A)

The vulnerability allows a local attacker to execute arbitrary code on the target system.

The weakness exists due to uncontrolled search path element when loading 'python3.dll' from 'C:\DLLs\'. A local attacker can load a specially crafted DLL file from 'C:\DLLs\' and execute the file with system privileges.

Successful exploitation of the vulnerability may result in full system compromise.

2) DDL injection (CVE-ID: N/A)

The vulnerability allows a local attacker to execute arbitrary code on the target system.

The weakness exists due to improper access control. A local attacker can use C:\ProgramData\Acunetix 11 Trial\settings.ini or
C:\ProgramData\Acunetix 11 Trial\db\pg_hba.conf. file to access the PostgreSQL database server without authentication, cause the database to create a specially crafted DLL file and execute the file with system privileges.

Successful exploitation of the vulnerability may result in full system compromise.

Remediation

Install update from vendor's website.

References

• https://bogner.sh/2017/05/local-privilege-escalation-in-acunetix-11/
• https://bogner.sh/2017/05/another-local-privilege-escalation-in-acunetix-11/