AS-24873 Vulnerability issue for ZDI-CAN-26850

Review Request #1501 — Created June 4, 2026 and updated — Latest diff uploaded

jasonchou
AG
rel_ag_9_4_5
DEX-71
evalin

The product defines a DCOM application named ArrayInstallManager, CLSID C0E366E5-AD8D-481F-9639-87B4F8F4737F. Local launch and local activation permissions are granted to Everyone. The application is served by the VPNInstallManager service, running as SYSTEM. The application exposes a COM object, ArrayInstallManager.InstallManager.1, CLSID CB33EE85-E9E2-4167-AF1D-A65194B287CB, which exposes a dispatch interface IInstallManager. This interface contains several methods that perform highly privileged operations that can be used for privilege escalation. In particular, CopyFileToLocal can be used in a straightforward fashion by a low-privileged attacker to drop an arbitrary file to an arbitrary location in the context of SYSTEM, leading to local privilege escalation to SYSTEM. The interface contains various other methods that may also be used for local privilege escalation.



    Loading...