---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Supremo Remote Desktop Control privilege escalation

Url : https://www.supremocontrol.com/
      https://www.nanosystems.it/

File: Supremo.exe
Ver.: 3.3.1.935
MD5 : 9528d2844e33f043fef3c7e07f2f86cb

From website "Supremo is a powerful, easy and complete solution for remote desktop control and support. It allows you to access a remote PC or host a Meeting in just a few seconds."
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Vul.: Privilege escalation

Des.: When you run Supremo.exe, a new folder "SupremoRemoteDesktop" is created under %Temp% with insecure permissions:

C:\Users\test\AppData\Local\Temp>icacls SupremoRemoteDesktop
SupremoRemoteDesktop Everyone:(OI)(CI)(F)

and Supremo tries to load several DLLs from this folder, e.g.:

C:\Users\test\AppData\Local\Temp\SupremoRemoteDesktop\olepro32.dll
C:\Users\test\AppData\Local\Temp\SupremoRemoteDesktop\winsta.dll
C:\Users\test\AppData\Local\Temp\SupremoRemoteDesktop\utildll.dll
C:\Users\test\AppData\Local\Temp\SupremoRemoteDesktop\NETAPI32.dll
C:\Users\test\AppData\Local\Temp\SupremoRemoteDesktop\netutils.dll
C:\Users\test\AppData\Local\Temp\SupremoRemoteDesktop\srvcli.dll
C:\Users\test\AppData\Local\Temp\SupremoRemoteDesktop\wkscli.dll
C:\Users\test\AppData\Local\Temp\SupremoRemoteDesktop\LOGONCLI.DLL
C:\Users\test\AppData\Local\Temp\SupremoRemoteDesktop\BROWCLI.DLL
C:\Users\test\AppData\Local\Temp\SupremoRemoteDesktop\SAMCLI.DLL
C:\Users\test\AppData\Local\Temp\SupremoRemoteDesktop\ntmarta.dll
C:\Users\test\AppData\Local\Temp\SupremoRemoteDesktop\SspiCli.dll

This means that an unprivileged user can place a malicious DLL in the "SupremoRemoteDesktop" folder to escalate privileges.
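
Added example (not part of the original advisory and not Supremo's code): a Python check that parses icacls output in the format shown above and reports allow-ACEs that let broad groups write to the folder, plus a helper that flags files named like the DLLs listed above. The set of broad principals, the sample ACL lines other than the first, and treating any listed DLL name found in the folder as suspicious are assumptions.

```python
import re

# Assumption: well-known groups that every local standard user belongs to.
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users",
         "nt authority\\interactive"}
# icacls rights that allow creating or replacing files in a directory.
WRITE = {"F", "M", "W", "WD", "AD", "GA", "GW", "WDAC", "WO"}
FLAGS = {"OI", "CI", "IO", "NP", "I"}  # inheritance markers, not rights
ACE = re.compile(r"^(?P<who>[^:]+):(?P<perms>(\([^)]*\))+)$")
# DLL names the advisory lists as looked up in the folder (case-insensitive).
ADVISORY_DLLS = {n.lower() for n in (
    "olepro32.dll winsta.dll utildll.dll NETAPI32.dll netutils.dll srvcli.dll "
    "wkscli.dll LOGONCLI.DLL BROWCLI.DLL SAMCLI.DLL ntmarta.dll SspiCli.dll").split()}

def risky_aces(icacls_output, path):
    """Return (principal, rights) for allow-ACEs that let broad groups write."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first ACE line is prefixed by the path
        m = ACE.match(line)
        if not m:
            continue  # blank lines and the "Successfully processed" summary
        tokens = re.findall(r"\(([^)]*)\)", m.group("perms"))
        if "DENY" in tokens:
            continue  # deny entries grant nothing
        rights = {r for t in tokens if t not in FLAGS for r in t.split(",")}
        who = m.group("who").strip()
        if who.lower() in BROAD and rights & WRITE:
            findings.append((who, sorted(rights & WRITE)))
    return findings

def unexpected_dlls(filenames):
    """Files in the folder whose names match a DLL the advisory lists."""
    return sorted(f for f in filenames if f.lower() in ADVISORY_DLLS)

# Constructed sample: the first line is the advisory's output, the rest is made up.
SAMPLE = r"""SupremoRemoteDesktop Everyone:(OI)(CI)(F)
                     BUILTIN\Administrators:(I)(OI)(CI)(F)
                     BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files"""

if __name__ == "__main__":
    print(risky_aces(SAMPLE, "SupremoRemoteDesktop"))
    print(unexpected_dlls(["Supremo.ini", "UTILDLL.DLL"]))  # constructed listing
```

Feed it the text printed by icacls for the folder and the folder's file names; an empty result from both functions is what the patched release should produce.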
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Exploit:

1) Bob (administrator) runs Supremo
2) The insecure folder is created in C:\Users\Bob\AppData\Local\Temp\SupremoRemoteDesktop\
3) Alice (standard user) copies a crafted utildll.dll to C:\Users\Bob\AppData\Local\Temp\SupremoRemoteDesktop\
4) Bob uses Supremo again
5) Supremo loads C:\Users\Bob\AppData\Local\Temp\SupremoRemoteDesktop\utildll.dll

Result: system compromised.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Time table:

2018-03-23 -> Asked, via https://www.supremocontrol.com/contacts/, how to report a vulnerability to Supremo
2018-03-23 -> Automatic ticket nr. 15966 created by Supremo
2018-03-23 -> Supremo asks for more details
2018-03-23 -> More details and a video sent to Supremo
2018-03-26 -> Supremo starts investigation
2018-04-04 -> Supremo confirms that the vulnerability will be patched in the next release
2018-04-17 -> Supremo released the patch
2018-04-17 -> Checked whether the new release is still vulnerable. It's not
2018-04-17 -> Public disclosure

A video of the vulnerability is available here: http://shinnai.altervista.org/exploits/supremo_video.rar
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------