CVE-2019-3999 – Druva inSync Windows Client 6.5.2 - Local Privilege Escalation

https://notcve.org/view.php?id=CVE-2019-3999

Improper neutralization of special elements used in an OS command in Druva inSync Windows Client 6.5.0 allows a local, unauthenticated attacker to execute arbitrary operating system commands with SYSTEM privileges. La neutralización inapropiada de elementos especiales utilizados en un comando del Sistema Operativo en Druva inSync Windows Client versión 6.5.0, permite a un atacante no autenticado local ejecutar comandos arbitrarios del sistema operativo con privilegios SYSTEM. Druva inSync Windows Client version 6.5.2 suffers from a local privilege escalation vulnerability. • https://www.exploit-db.com/exploits/48400 http://packetstormsecurity.com/files/157493/Druva-inSync-Windows-Client-6.5.2-Privilege-Escalation.html http://packetstormsecurity.com/files/157680/Druva-inSync-inSyncCPHwnet64.exe-RPC-Type-5-Privilege-Escalation.html https://www.tenable.com/security/research/tra-2020-12 https://www.tenable.com/security/research/tra-2020-34 https://github.com/tenable/poc/blob/master/druva/inSync/druva_win_cphwnet64.py https://www.matteomalvica.com/blog/2020/05/21/lpe- • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •