CVE-2018-18519

Vulnerability

BestXsoftware Best Free Keylogger versions prior to 6.0.0 (including 5.2.9) are vulnerable to a local privilege escalation due to insecure default permissions on the installation directory %PROGRAMFILES%\BFK 5.2.9\. The BUILTIN\Users group has write access to the folder, allowing any local user to modify or replace files, including syscrb.exe, an executable that is launched when a user logs in. This issue affects version 5.2.9 and likely earlier versions [1].

Exploitation

An attacker with arbitrary local privileges can replace the legitimate C:\Program Files\BFK 5.2.9\syscrb.exe with a malicious binary. When a victim user (including an administrator) logs in via RDP or console, Windows executes syscrb.exe with the logged-in user's privileges. The attacker does not need special permissions; the world-writable directory grants the necessary write access [1]. No user interaction beyond normal login is required.

Impact

A successful attack results in arbitrary code execution in the context of the victim user. The crafted binary inherits the victim's privileges, enabling the attacker to perform actions such as data theft, installation of further malware, or lateral movement within the network. This constitutes a privilege escalation from an unprivileged local attacker to any user who logs in, potentially including administrators [1].

Mitigation

The vendor released version 6.0.0 on 2019-06-01 to fix the issue, but did not respond to initial disclosure attempts. Users should upgrade to version 6.0.0 or later, available from the vendor's website [1]. No workaround is provided; manually tightening the ACL on the installation folder to remove BUILTIN\Users\Write may reduce the risk until the update is applied.