An issue was discovered in BeyondTrust Privilege Management for Windows through 5.6. When specifying a program to elevate, it can typically be found within the Program Files (x86) folder and therefore uses the %ProgramFiles(x86)% environment variable. However, when this same policy gets pushed to a 32bit machine, this environment variable does not exist. Therefore, since the standard user can create a user level environment variable, they can repoint this variable to any folder the user has full control of. Then, the folder structure can be created in such a way that a rule matches and arbitrary code runs elevated.
oryginał ENCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HBeyondtrust Privilege Management For Windows
APPBeyondtrust5.6< 5.6
Powiązane podatności
Prior to 25.4.270.0, when wmic.exe is elevated with a full admin token the user can stop the Defendpoint servi...
Prior to version 25.4.270.0, a local authenticated attacker can manipulate user profile files to add illegitim...
Prior to 25.2, a local authenticated attacker can elevate privileges on a system with Privilege Management for...
An issue was discovered in BeyondTrust Privilege Management for Windows through 5.6. When adding the Add Admin...
An issue was discovered in BeyondTrust Privilege Management for Windows through 5.6. If the publisher criteria...