Thursday, June 4, 2009

Getting Closer to God with Privilege Escalation

Whilst assessing vulnerabilities in the PC build I have I found the following. Now I
always get pissed off when I hear people rattle on about the AT command and using that
to get a SYSTEM shell. In my experience after XP SP2 you’re required to be an admin
to run AT, so what’s the point really?

So rather than just focussing on holes in the Microsoft system, which frankly I'm not
really talented enough to find much there, I decided to look at the configuration and
implementation. In my opinion I would have much better luck looking for mistakes
made by people not necessarily trying to secure a system but more trying to get a system
to work.

In this post I'll focus a common mistake made by the guys who build the system which
allows a standard user to escalate to have full system privileges.

Looking at Services

It would be nice to use WMIC to look for services that are in a directory that I can write
to and that start automatically:

wmic service get name,startmode,pathname | find /i "auto"

However, when trying to run WMIC I get an error telling me that I need to be a member
of the Administrators group. I could just go to the Services.msc but this means that I
have to go through each service to get that path to the executable. A better tool I found
for this is MSInfo32.exe

As can be seen in the screenshot I can quickly scan down the autostarted services for
ones that have paths that I can write to. I also need the service to be running with an
account with some decent privileges.

OK, VNC looks pretty good.

I go to the directory that VNC runs from and rename the executable. I copy
Taskmgr.exe from System32 to the VNC directory and rename it as the VNC
executable.
After a restart I see that I have no VNC in the system tray, so I go to the Services.msc
and start it. Task Manager starts up for about a minute and then closes. Ok, that’s good.
I start the service again and quickly launch a command shell before it closes, great now
I have my system command shell. From here I can add accounts, change settings, install
software etc... But maybe I want my full desktop. I launch Taskmgr.exe from the
command shell, kill explorer from the process list and the launch explorer from File
menu. Fantastic, I have a whole desktop running as System, now I really am closer to
god!

Posted by SynJunkie
Labels: Privilege Escalation

9 comments:

Rob Fuller (mubix) said...

This method is actually going to be a part of my ToorCamp talk. And as far as

WMIC not working. That's only a XP problem. Vista and 7 allows you to run it.
Does it still give you that error if WMIC has been installed on XP by an admin?
I know it autoinstalls after the first run.

June 10, 2009 4:44 PM

SynJunkie said...

Hey Rob.

The PC i was testing on was an XP SP2 PC. I was testing it with a user account
that was a member of Power Users but not Local Administrators. WMIC had
previously been run on that PC.
I never tested any further as I was just looking at my standard build and nothing
else.

Hope that helps.

Good luck with the talk. Hopefully you'll make it available from Room362.
 June 10, 2009 6:54 PM

Rob Fuller (mubix) said...

If they record it, I will definitely make it available. Might just take my own
vcam just in case since you made me think of it.

So testing on Vista and Windows 7, standard user can't alter anything in

Program Files, so you would have to do that offline, but at that point you would
do better just to copy cmd.exe to and overwriting utilman.exe in system32.
Backing up of course the original.

But, doing that doesn't apply to a remote privilege escalation very well.
However there are ways of making windows do things after boot. ;-)

June 10, 2009 8:27 PM

SynJunkie said...

Sounds like your talk is going to be pretty good. I'll keep an eye out for it.

I'll be looking into other implementation failures in the PC build when I'm
finished getting to grips with some SQL Injection for A Web App I'm looking at.

June 10, 2009 8:55 PM

Anonymous said...

hey Syn,
don't know if it's any interesting but I thought, it could be useful too as you are
talking about xp sp2. Andres Tarasco from www.haxorcitos.com released
srvcheck which makes use of service implementation failures

http://www.haxorcitos.com/ficheros.html#SRVCHECK2

By the way, I often see things like xampp on windows web development
machines. xampp is always running under LocalSystem, so it's xampp which lets
you add another user to the local admin group through php.

greetz, Markus

June 13, 2009 4:36 PM

mneis said...

hey Syn,

not sure if it helps, but with a little commandline kungfu you can get what you
need
 (sc query state= all | findstr /i "service_name" > f:\enum\services & for /f
"tokens=2,3" %i in (f:\enum\services) do @sc qc %i | findstr /i "service_name
auto_start binary_path_name") & del f:\enum\services

it's dirty, but it works ;-)

By the way, for privilege escalation is still a tool out there from Andres Tarasco

http://www.haxorcitos.com/ficheros.html#SRVCHECK2

pretty old, but in some situations pretty good, either ;-)

cheers and thx for all your great work

Markus

June 13, 2009 7:49 PM

SynJunkie said...

Hey Markus

Thanks for the comments. I did try to use SC for getting the detail on services
but I couldn't get to what I wanted with it. I'll be sure to give your suggestion a
try.

And thanks for the link to tool.

Cheers

Syn

June 14, 2009 10:42 PM

mneis said...

Hey Syn,
while browsing in my tools for some access enumeration I found this:

Sysinternals accesschk.exe

Option -c =
Name is a Windows Service e.g. ssdpsrv. Specify '*' as the
name to show all services and 'scmanager' to check the security

you will love accesschk.exe -c *

it gives you the name of the service and the permissions who can change them.
Guess what I found on almost any machine for some services:
 RW Everybody :)

Regards,

Markus

August 3, 2009 9:55 PM

SynJunkie said...

Fantastic tip, cheers mate. I'll look into that. I love sysinternals tools.

August 3, 2009 10:20 PM

Post a Comment

Newer Post Older Post Home

Subscribe to: Post Comments (Atom)