Thursday, June 4, 2009

Getting Closer to God with Privilege Escalation

Whilst assessing vulnerabilities in the PC build I work with, I found the following. Now, I always get pissed off when I hear people rattle on about the AT command and using it to get a SYSTEM shell. In my experience you have to be an administrator to run AT at all (certainly on XP SP2 and later), so it's only ever admin-to-SYSTEM, and what's the point of that really?

So rather than focussing only on holes in Microsoft's own code, where frankly I'm not talented enough to find much, I decided to look at the configuration and implementation. In my opinion I'd have much better luck looking for mistakes made by people who weren't necessarily trying to secure a system, but rather trying to get it to work.

In this post I'll focus on a common mistake made by the guys who build the system, one which allows a standard user to escalate to full system privileges.


Looking at Services

It would be nice to use WMIC to list the services that start automatically, along with the path to each one's executable, so I can then check which of those directories I can write to:

wmic service get name,startmode,pathname | find /i "auto"

However, when I try to run WMIC I get an error telling me that I need to be a member of the Administrators group. I could just go to Services.msc, but that means going through each service one by one to get the path to its executable. A better tool I found for this is MSInfo32.exe: under Software Environment > Services it lists the name, path, start mode and account of every service in a single table.



As can be seen in the screenshot, I can quickly scan down the auto-started services for ones whose executable sits in a directory I can write to. I also need the service to run under an account with some decent privileges, ideally LocalSystem.

OK, VNC looks pretty good: it starts automatically, runs as LocalSystem, and its executable lives in a directory I can write to.
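The same scan done from the command line, as an added example that is not part of the original post: it enumerates auto-start services running under a privileged account and, for each one, checks whether the current user can write to the directory holding the service binary (by really creating and deleting a file there) and which of the user's own identities are granted write or delete rights on the binary itself. It assumes PowerShell 3 or later and that the session can read Win32_Service (a standard user can on Vista and later; on the XP SP2 build in the post WMIC was refused, so this query may be refused there too).

```powershell
# Added example, not the post's own code: find auto-start services whose
# binary or binary directory the current (non-admin) user can write to.
# Assumes PowerShell 3+ and read access to Win32_Service.

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName may be quoted and may carry arguments, for example:
    #   "C:\Program Files\Vendor\svc.exe" -service
    #   C:\Program Files\Vendor\svc.exe -run          (unquoted, with spaces)
    #   C:\WINDOWS\system32\svchost.exe -k netsvcs
    if ($PathName -match '^"([^"]+)"')        { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-DirectoryWritable {
    param([string]$Directory)
    # Probe with a real create/delete: this reflects the token's effective
    # rights, including everything inherited through group membership.
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-MyWriteRightsOnFile {
    param([string]$File)
    # A running service image cannot be opened for writing (sharing violation),
    # so an open-for-write probe would give a false negative even when the ACL
    # is wide open. Interpret the DACL instead: return the identities in the
    # current token that are allowed write or delete access on the file.
    # Deny ACEs are not evaluated here; confirm a hit by hand (e.g. a rename).
    if (-not (Test-Path -LiteralPath $File -PathType Leaf)) { return @() }
    $id     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    # FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE | WRITE_DAC | WRITE_OWNER,
    # plus the GENERIC_WRITE / GENERIC_ALL bits some ACEs still carry.
    $writeMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000
    $hits = @()
    foreach ($ace in (Get-Acl -LiteralPath $File).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if (($mySids -contains $sid) -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
            $hits += $ace.IdentityReference.Value
        }
    }
    return $hits
}

function Find-WritableAutoStartServices {
    # LocalSystem and the two built-in service accounts are the targets worth
    # hijacking; a service that already runs as an ordinary user gains nothing.
    $privileged = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and ($privileged -contains $_.StartName) -and $_.PathName } |
        ForEach-Object {
            $exe = Get-ServiceBinaryPath $_.PathName
            $dir = Split-Path -Path $exe -Parent
            [pscustomobject]@{
                Service      = $_.Name
                RunsAs       = $_.StartName
                Binary       = $exe
                DirWritable  = Test-DirectoryWritable $dir
                FileWriteVia = (Get-MyWriteRightsOnFile $exe) -join ', '
            }
        } |
        Where-Object { $_.DirWritable -or $_.FileWriteVia }
}

Find-WritableAutoStartServices | Format-Table -AutoSize
```

Run it as the standard user you are testing with, not as an administrator, otherwise every directory comes back writable. A service with DirWritable true is a candidate for the rename-and-replace trick described below; FileWriteVia tells you through which group membership (Users, Everyone, Power Users and so on) you hold rights on the binary itself.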

I go to the directory that VNC runs from and rename the executable. Then I copy Taskmgr.exe from System32 into the VNC directory and rename it to the VNC executable's name.



After a reboot I see that there is no VNC icon in the system tray, so I go to Services.msc and start the service by hand. Task Manager starts up, runs for about a minute and then closes: the Service Control Manager gives up on a process that never reports itself as a running service and kills it. OK, that's good. I start the service again and quickly launch a command shell from it before it closes; now I have a SYSTEM command shell. From here I can add accounts, change settings, install software etc. But maybe I want a full desktop. I launch Taskmgr.exe from the command shell, kill explorer from the process list and then launch explorer from the File menu. Fantastic, I have a whole desktop running as System; now I really am closer to God! (This only gives me an interactive desktop because XP runs services in the same session as the console user. From Vista onwards services live in session 0, so a GUI started this way never appears on your desktop, and you would instead have the service run something non-interactive, such as a command that adds your user to Administrators.)

11 comments:

Rob Fuller (mubix) said...

This method is actually going to be a part of my ToorCamp talk. And as far as WMIC not working, that's only an XP problem. Vista and 7 allow you to run it. Does it still give you that error if WMIC has been installed on XP by an admin? I know it autoinstalls after the first run.

SynJunkie said...

Hey Rob.

The PC I was testing on was an XP SP2 PC. I was testing it with a user account that was a member of Power Users but not Local Administrators. WMIC had previously been run on that PC.
I never tested any further as I was just looking at my standard build and nothing else.

Hope that helps.

Good luck with the talk. Hopefully you'll make it available from Room362.

Rob Fuller (mubix) said...

If they record it, I will definitely make it available. Might just take my own vcam just in case since you made me think of it.

So testing on Vista and Windows 7, a standard user can't alter anything in Program Files, so you would have to do that offline, but at that point you would do better just to copy cmd.exe over utilman.exe in system32. Backing up the original, of course.

But, doing that doesn't apply to a remote privilege escalation very well. However there are ways of making windows do things after boot. ;-)

SynJunkie said...

Sounds like your talk is going to be pretty good. I'll keep an eye out for it.

I'll be looking into other implementation failures in the PC build when I'm finished getting to grips with some SQL injection for a web app I'm looking at.

Anonymous said...

hey Syn,
don't know if it's of any interest, but I thought it could be useful too, as you are talking about XP SP2. Andres Tarasco from www.haxorcitos.com released srvcheck, which makes use of service implementation failures:

http://www.haxorcitos.com/ficheros.html#SRVCHECK2

By the way, I often see things like XAMPP on Windows web development machines. XAMPP always runs under LocalSystem, so it's XAMPP which lets you add another user to the local admin group through PHP.

greetz, Markus

mneis said...

hey Syn,

not sure if it helps, but with a little command-line kung fu you can get what you need:

(sc query state= all | findstr /i "service_name" > f:\enum\services & for /f "tokens=2,3" %i in (f:\enum\services) do @sc qc %i | findstr /i "service_name auto_start binary_path_name") & del f:\enum\services

it's dirty, but it works ;-)

By the way, for privilege escalation there is still a tool out there from Andres Tarasco:

http://www.haxorcitos.com/ficheros.html#SRVCHECK2

pretty old, but in some situations pretty good too ;-)

cheers and thx for all your great work

Markus

SynJunkie said...

Hey Markus

Thanks for the comments. I did try to use SC to get the details on services, but I couldn't get to what I wanted with it. I'll be sure to give your suggestion a try.

And thanks for the link to the tool.

Cheers

Syn

mneis said...

Hey Syn,
while browsing my tools for some access enumeration I found this:

Sysinternals accesschk.exe

Option -c =
Name is a Windows Service e.g. ssdpsrv. Specify '*' as the
name to show all services and 'scmanager' to check the security

you will love accesschk.exe -c *
it gives you the name of the service and the permissions, i.e. who can change it. Guess what I found on almost every machine for some services:

RW Everybody :)

Regards,

Markus
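Markus's accesschk -c tip above checks the permissions on the service objects themselves rather than on the files. The following is an added example, not from the post or its comments, doing the same check with built-in tools: `sc.exe sdshow <name>` prints a service's security descriptor as SDDL, and the script parses it and reports every ACE that grants a low-privilege principal the right to reconfigure the service (SERVICE_CHANGE_CONFIG, i.e. point its binary path somewhere else) or to take it over (WRITE_DAC, WRITE_OWNER). It assumes sc.exe is on the PATH and that the service DACLs are readable, which is the norm since READ_CONTROL is normally granted to Authenticated Users.

```powershell
# Added example, not the post's own code: flag services whose own DACL lets a
# low-privilege principal reconfigure or take over the service.
# Assumes sc.exe on PATH and readable service security descriptors.

# Access mask bits from winsvc.h / winnt.h
$SERVICE_CHANGE_CONFIG = 0x00000002
$SERVICE_START         = 0x00000010
$SERVICE_STOP          = 0x00000020
$WRITE_DAC             = 0x00040000
$WRITE_OWNER           = 0x00080000
$GENERIC_ALL           = 0x10000000
$GENERIC_WRITE         = 0x40000000   # maps to SERVICE_CHANGE_CONFIG for service objects

# Principals every local account is, or is a member of:
# Everyone, Users, Authenticated Users, Interactive, Power Users.
$LowPrivSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-547')

function Get-ServiceSecurityDescriptor {
    param([string]$Name)
    # sc sdshow prints a blank line followed by the SDDL string.
    $sddl = & sc.exe sdshow $Name 2>$null |
        Where-Object { $_ -match '^(O:|G:|D:|S:)' } |
        Select-Object -First 1
    if (-not $sddl) { return $null }
    return New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList ($sddl.Trim())
}

function Find-WeakServiceDacls {
    param([string[]]$Names = (Get-Service | Select-Object -ExpandProperty Name))
    $takeover = $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_ALL -bor $GENERIC_WRITE
    foreach ($name in $Names) {
        $sd = Get-ServiceSecurityDescriptor $name
        if (-not $sd) { continue }
        if ($null -eq $sd.DiscretionaryAcl) {
            # A NULL DACL grants everyone full access: worst case, report it as such.
            [pscustomobject]@{ Service = $name; Principal = '(NULL DACL: everyone)'; AccessMask = '0xFFFFFFFF';
                               ChangeConfig = $true; WriteDacOwner = $true; StartStop = $true }
            continue
        }
        foreach ($ace in $sd.DiscretionaryAcl) {
            # Only plain allow ACEs matter here; deny, audit and object ACEs are skipped.
            if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
            if ($ace.AceQualifier -ne [System.Security.AccessControl.AceQualifier]::AccessAllowed) { continue }
            $sid = $ace.SecurityIdentifier.Value
            if ($LowPrivSids -notcontains $sid) { continue }
            if (($ace.AccessMask -band $takeover) -eq 0) { continue }
            try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $sid }
            [pscustomobject]@{
                Service       = $name
                Principal     = $who
                AccessMask    = ('0x{0:X8}' -f $ace.AccessMask)
                ChangeConfig  = [bool]($ace.AccessMask -band ($SERVICE_CHANGE_CONFIG -bor $GENERIC_WRITE -bor $GENERIC_ALL))
                WriteDacOwner = [bool]($ace.AccessMask -band ($WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_ALL))
                StartStop     = [bool]($ace.AccessMask -band ($SERVICE_START -bor $SERVICE_STOP -bor $GENERIC_ALL))
            }
        }
    }
}

Find-WeakServiceDacls | Format-Table -AutoSize
```

A row with ChangeConfig true is the "RW Everybody" case from the comment: the principal can run `sc config <service> binPath= ...` and point the service at a binary of their choosing without touching the original file at all. StartStop on its own is not an escalation, but it is what turns a writable binary path into an immediate SYSTEM process rather than one that has to wait for a reboot.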

SynJunkie said...

Fantastic tip, cheers mate. I'll look into that. I love sysinternals tools.

Anonymous said...

None of the solutions given above work with XP SP3 anymore:
- a non-admin user cannot rename or overwrite the executables of services, which mostly reside in system32 or Program Files
- Mneis' cmdline kung fu actually works when leaving out "f:\enum\"
- accesschk's enumeration shows one Everybody entry, which is only R :(

Any other backdoor to try on a fully patched XP machine? :)

mneis said...

of course f:\enum does not work when you don't have a local drive F:

These are not backdoors; do some research on privilege escalation.

Cheers,

Markus