CVE-2022-26235: Remisol Advance Normand Message Server

1. CVE-2022-26235: Remisol Advance Normand Message Server
2.  
3. A vulnerability was discovered in the Remisol Advance v2.0.12.1 and below for the Normand Message Server. On installation, the permissions set by Remisol Advance allow non-privileged users to overwrite and/or manipulate executables and libraries that run as the elevated SYSTEM user on Windows.
4.  
5. To recreate the conditions for exploitation, do the following;
6.  
7. Step 1: Obtain low-level permission to a workstation (these workstations are usually protected with a weak password, a default vendor password or no password).
8. Step 2: Replace the message server service executable (MessageServer.exe or any associated library used with the service) with a malicious or PoC binary. Note: This service and its executable may be named something else in different regions, please check the services installed in Windows.
9. Step 3: Restart the machine or service, whichever is more accessible.
10. Step 4: Your binary will be started as the SYSTEM/NT Authority user.
11.  
12. The fix is simple: correct the permissions so that every user cannot overwrite the services and make themselves a super admin on the local Windows host.
13.  
14.