6.8 - VU#124289

Executive Summary

Summary
Title	Nik Software Sharpener Pro vulnerable to privilege escalation

Informations
Name	VU#124289	First vendor Publication	2008-03-28
Vendor	VU-CERT	Last vendor Modification	2008-03-28
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Cvss Base Score	6.8	Attack Range	Local
Cvss Impact Score	10	Attack Complexity	Low
Cvss Expoit Score	3.1	Authentication	Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#124289

Nik Software Sharpener Pro vulnerable to privilege escalation

Overview

The Nik Software Shapener Pro installs files with insecure permissions, which may allow a local attacker to elevate privileges.

I. Description

Nik Software Sharpener Pro is an Adobe Photoshop plug-in that provides image sharpening capabilities. The Nik Software Sharpener Pro installer sets insecure permissions on the plug-in files. The plug-ins can contain executable code, yet they are world-writable.

II. Impact

An unprivileged user may be able to modify files that can be executed by other users, which can allow privilege escalation.

III. Solution

We are currently unaware of a practical solution to this problem. Please consider the following workaround:

Remove write access to the Nik Sharpener plug-in files

By removing the ability of the "other" group to write to the plug-in files, this vulnerability can be mitigated.

Systems Affected

Vendor	Status	Date Updated
Nik Software	Vulnerable	28-Mar-2008

References

http://www.securityfocus.com/bid/27707/info

Credit

Thanks to Vlad Didenko for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

Date Public	02/09/2008
Date First Published	03/28/2008 02:42:49 PM
Date Last Updated	03/28/2008
CERT Advisory
CVE Name
US-CERT Technical Alerts
Metric	0.77
Document Revision	3

Original Source

Url : http://www.kb.cert.org/vuls/id/124289

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-264	Permissions, Privileges, and Access Controls

CPE : Common Platform Enumeration

Type	Description	Count
Application	Nik Software Inc Nik Sharpener Pro cpe:2.3:a:nik_software_inc:nik_sharpener_pro:2.0::inkjet:::::	1

Open Source Vulnerability Database (OSVDB)

Id	Description
43924	Sharpener Pro for Adobe Photoshop Installation Permission Weakness Local Priv...

Global Informations

Type	Count
CWE ID(s)	1
CPE ID(s)	1
osvdb(s)	1

	Related
6.8	CVE-2008-1638
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)