Elevating privileges by exploiting weak folder permissions

Securing machines is always an ongoing process, whether it is by locking down settings, blocking applications, disabling Windows services, making sure user privileges are kept to a minimum, and so on. If we don't, users will end up installing non-standard software and making changes to the system, and malware will do more damage once a machine is compromised. This post is about weaknesses in folder permissions leading to elevation of privilege by using DLL hijacking vulnerabilities in Windows services.

What is DLL hijacking?

A few years ago there was quite a bit of hype about being able to load malicious DLLs remotely or locally from the current working directory. The Microsoft article [1] explains it clearly:

"When an application dynamically loads a dynamic-link library without specifying a fully qualified path name, Windows attempts to locate the DLL by searching a well-defined set of directories in a particular order. If an attacker gains control of one of the directories on the DLL search path, it can place a malicious copy of the DLL in that directory. This is sometimes called a DLL preloading attack or a binary planting attack. If the system does not find a legitimate copy of the DLL before it searches the compromised directory, it loads the malicious DLL. If the application is running with administrator privileges, the attacker may succeed in local privilege elevation."

So if an application loads a DLL just by its name, the OS goes through the search order below [3] to find the library:

1. The directory from which the application loaded
2. The system directory (C:\Windows\System32)
3. The 16-bit system directory (C:\Windows\System)
4. The Windows directory (C:\Windows)
5. The current working directory (CWD)
6. The directories in the PATH environment variable (system PATH, then user PATH)

What are we exploiting?

The goal here is to get local admin rights on the machine. To achieve this we need three things:

1. The Windows DLL search order
2. A DLL hijacking vulnerability
3. Weak folder permissions

Windows DLL search order

In the Windows DLL search order the directories of the PATH environment variable are searched last, starting with the system PATH and then the user PATH. Unless the application has used a fully qualified path name for its DLL, it will try to find the DLL through the search order, even with certain mitigations in place.

DLL hijacking vulnerability

A quick way to find DLL hijacking vulnerabilities is to start Process Monitor, set up the relevant filtering and carry out some actions. Here we will be exploiting Windows services, as a large number of services run with SYSTEM privileges, simply by stopping and starting the services and observing the search patterns. Keep in mind that services running under SYSTEM do not search through the user PATH.

After stopping and starting services a number of vulnerabilities were discovered. One of them is in the Windows service "IKE and AuthIP IPsec Keying Modules". This service is not started and is set to Manual by default, but it might be started or set to Automatic by VPN clients, policies, other services, etc.

For someone trying to obtain local admin rights, starting Process Monitor will not be possible with limited permissions, so let's go through the steps as if we didn't have rights. In this example the IKE service is used, but it could be any service for software that you may not have direct access to and need to audit.

First take note of the service executable through Windows Services (services.msc). Now check the registry to see if there are any service DLLs being loaded by the service (the ServiceDll value under the service's Parameters key). We can copy these files (svchost.exe and IKEEXT.DLL) off to another machine to do our static analysis. After loading in IDA, simply searching for LoadLibrary and jumping to the call will show what library is going to be loaded. If a fully qualified path is not specified then we may be in luck. Here, in IKEEXT.DLL, LoadLibraryW will try to load wlbsctrl.dll.

Note: it is not always as straightforward as in this example. The DLL called might be using a fully qualified path name but be linked at compile time with another DLL, which will in turn be loaded at load time and might be vulnerable due to being in another folder or not being available at all.

Lastly we search for the library wlbsctrl.dll:

C:\>dir wlbsctrl.dll

In this case wlbsctrl.dll is not present in any of the directories searched before the PATH entries, so the loader falls all the way through to the PATH directories.

Weak folder permissions

Now for the most important part: weak folder permissions. When new folders are created in the root of the drive they are writeable for all authenticated users by default. The entry NT AUTHORITY\Authenticated Users:(I)(M) gets added to the folder, where M stands for modify access. So any application that gets installed in the root can be tampered with by a non-admin user. If binaries load with SYSTEM privileges from this folder it might just be a matter of replacing the binary with your own. It gets interesting when applications get installed in the root and add their path to the system PATH environment variable. This opens the attack surface to a large number of applications that may have DLL hijacking vulnerabilities.

One scenario is software getting pushed onto machines with the likes of Marimba, LANDesk, etc., which use a Windows service running with SYSTEM privileges to install the software. Since it runs with SYSTEM privileges, software pushed onto machines such as Perl, Python or Ruby will be added to the system PATH if adding the path has been set in the package, along with being installed in the root by default. Or it could be IT support personnel installing the software with their admin rights for the user. If a user installs it manually (where that is possible) with non-admin rights, then it may be added to the user PATH instead and exploitation would not be possible. We can use icacls.exe to check the folder permissions.

Pwning the box

From the previous sections, what we know now is:

1. The service "IKE and AuthIP IPsec Keying Modules" loads the service DLL IKEEXT.DLL
2. IKEEXT.DLL will try to load wlbsctrl.dll
3. The OS will carry out its search order to find wlbsctrl.dll
4. We have a writeable folder, C:\Ruby, on the system PATH

All we need to do now is drop our maliciously crafted DLL wlbsctrl.dll into C:\Ruby; the next time the service starts, our DLL runs with SYSTEM privileges. Users asking for Ruby, Perl, etc. to be installed is exactly how such folders end up on machines.

Testing folder paths

I wrote a simple PowerShell script that can be used to quickly check for vulnerable PATH folders. The system PATH environment variable comes first and then the user PATH environment variable. Running it in a medium integrity shell as either an admin or a non-admin user will give the same results.

Vulnerable Windows Services

Here are Windows services that have been found to be vulnerable and could be exploited on Windows 7:

- IKE and AuthIP IPsec Keying Modules (IKEEXT): wlbsctrl.dll
- Windows Media Center Receiver Service (ehRecvr): ehETW.dll
- Windows Media Center Scheduler Service (ehSched): ehETW.dll

The Windows Media Center services have their startup type set to Manual and status Not Started, and will only give us NETWORK SERVICE privileges, so I cannot see them being of much use, especially with those limited privileges. They can, however, be started temporarily via certain scheduled tasks:

schtasks /Run /I /TN "Microsoft\Windows\Media Center\mcupdate"
schtasks /Run /I /TN "Microsoft\Windows\Media Center\MediaCenterRecoveryTask"
schtasks /Run /I /TN "Microsoft\Windows\Media Center\ActivateWindowsSearch"

A quick check on Windows XP has shown that these services are vulnerable:

- Automatic Updates (wuauserv): ifsproxy.dll
- Remote Desktop Help Session Manager (RDSessMgr): SalemHook.dll
- Remote Access Connection Manager (RasMan): ipbootp.dll
- Windows Management Instrumentation (winmgmt): wbemcore.dll

Other services that might be installed are also vulnerable:

- Audio Service (STacSV): SFFXComm.dll, SFCOM.DLL
- Intel(R) Rapid Storage Technology (IAStorDataMgrSvc): DriverSim.dll
- Juniper Unified Network Service (JuniperAccessService): dsLogService.dll
- EnCase Enterprise Agent: SDDisk.dll

No DLL hijacking vulnerabilities were found on a clean default installation of Windows 8.

Mitigation

There are a number of mitigations available to prevent this vulnerability from being exploited, by using certain APIs, changing registry settings, applying updates, etc., for example the CWDIllegalInDllSearch registry setting.
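The "DLL hijacking vulnerability" section above walks the search order by hand for IKEEXT and wlbsctrl.dll. The following PowerShell script is an added example, not code from the original post or from Microsoft: it reads a service's ImagePath and ServiceDll from the registry, builds the search order listed earlier (SafeDllSearchMode order, system PATH only, since a SYSTEM service never sees the user PATH), and reports where a named DLL would be resolved or that it is absent everywhere. It assumes the service is a plain Win32 service whose ImagePath names the host executable, and it treats the system directory as the service's current directory (services started by the SCM run from there); both are assumptions, not facts from the post.

```powershell
# Added example, not code from the original post. Given a service name and a
# DLL name, build the loader's search order (SafeDllSearchMode on, as listed
# in the post) and report where the DLL would be found.

function Get-ServiceBinaries {
    param([Parameter(Mandatory)][string]$ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path -LiteralPath $key)) { throw "Service '$ServiceName' not found in the registry" }
    $imagePath = (Get-ItemProperty -LiteralPath $key).ImagePath
    # Strip quotes and command-line arguments, e.g. '%SystemRoot%\system32\svchost.exe -k netsvcs'.
    $exe = $imagePath -replace '^"([^"]+)".*$', '$1'
    $exe = $exe -replace '^(\S+\.exe)\b.*$', '$1'
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    # svchost-hosted services keep the real code in Parameters\ServiceDll (IKEEXT.DLL here).
    $serviceDll = (Get-ItemProperty -LiteralPath "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($serviceDll) { $serviceDll = [Environment]::ExpandEnvironmentVariables($serviceDll) }
    [pscustomobject]@{ Service = $ServiceName; Executable = $exe; ServiceDll = $serviceDll }
}

function Get-DllSearchOrder {
    param([Parameter(Mandatory)][string]$ApplicationDir)
    $systemDir  = [Environment]::SystemDirectory                       # C:\Windows\System32
    $windowsDir = [Environment]::GetEnvironmentVariable('SystemRoot')  # C:\Windows
    $order = @(
        [pscustomobject]@{ Source = '1. Application directory';   Path = $ApplicationDir }
        [pscustomobject]@{ Source = '2. System directory';        Path = $systemDir }
        [pscustomobject]@{ Source = '3. 16-bit system directory'; Path = (Join-Path $windowsDir 'System') }
        [pscustomobject]@{ Source = '4. Windows directory';       Path = $windowsDir }
        # Assumption: a service's current directory is the system directory.
        [pscustomobject]@{ Source = '5. Current directory';       Path = $systemDir }
    )
    # A service running as SYSTEM only sees the machine-scope PATH, so the
    # user PATH is deliberately left out (the post's point about SYSTEM services).
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    foreach ($entry in ($machinePath -split ';')) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
        $order += [pscustomobject]@{ Source = '6. System PATH'; Path = $dir }
    }
    $order
}

function Resolve-DllLoad {
    param([Parameter(Mandatory)][string]$ServiceName,
          [Parameter(Mandatory)][string]$DllName)
    $bins = Get-ServiceBinaries -ServiceName $ServiceName
    if (-not $bins.Executable) { throw "Service '$ServiceName' has no usable ImagePath" }
    $appDir = Split-Path -Parent $bins.Executable
    foreach ($loc in (Get-DllSearchOrder -ApplicationDir $appDir)) {
        $candidate = Join-Path $loc.Path $DllName
        $hit = Test-Path -LiteralPath $candidate -PathType Leaf
        [pscustomobject]@{ Source = $loc.Source; Candidate = $candidate; Exists = $hit }
        if ($hit) { break }   # the loader takes the first match and stops searching
    }
}

# Usage: the IKEEXT case from the post. If every row shows Exists = False the
# DLL is absent from the whole search order, and any listed directory that an
# ordinary user can write to is a planting location.
$rows = Resolve-DllLoad -ServiceName 'IKEEXT' -DllName 'wlbsctrl.dll'
$rows | Format-Table -AutoSize
if (-not ($rows | Where-Object Exists)) {
    Write-Output 'wlbsctrl.dll was not found in any directory of the search order'
}
```

Run it from an ordinary (medium integrity) prompt; reading service keys and testing file existence does not need admin rights. If the DLL is found in a row before the PATH entries, planting a copy on the PATH achieves nothing, which is the check that makes wlbsctrl.dll interesting and most other imported DLLs not.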
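The "Testing folder paths" section refers to the author's own PowerShell script, which is not reproduced on this page. The script below is an added example of the same kind of check, not the author's script: it lists the system PATH first and then the user PATH, reads each directory's ACL with Get-Acl, and flags entries that grant create/write rights to broad principals such as NT AUTHORITY\Authenticated Users (the (I)(M) entry described in the "Weak folder permissions" section). The principal list and the rights mask are assumptions about what "any ordinary user" means on a typical machine, and only Allow rules are evaluated, so confirm hits with icacls.exe as the post does.

```powershell
# Added example, not the post's own script: flag PATH directories where a
# low-privileged user could plant a DLL. Works from a medium integrity shell.

# Identities that cover every ordinary user of the machine (assumption).
$BroadPrincipals = @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
                     'Everyone', 'NT AUTHORITY\INTERACTIVE')

# Rights that let a user create or overwrite a file in the folder:
# WriteData/CreateFiles = 0x2, AppendData/CreateDirectories = 0x4 (Write,
# Modify and FullControl all include them), plus GENERIC_WRITE (0x40000000)
# and GENERIC_ALL (0x10000000), which show up as raw bits on some ACEs.
$WriteMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Get-BroadWriters {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        # Only Allow ACEs are considered; an explicit Deny could still block a user.
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            "$($ace.IdentityReference.Value) [$($ace.FileSystemRights)]"
        }
    }
}

function Test-PathFolder {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Scope)
    $exists = Test-Path -LiteralPath $Path -PathType Container
    $target = $Path
    $note   = ''
    if (-not $exists) {
        # A PATH entry that does not exist is still dangerous: if the nearest
        # existing parent is writeable, a user can simply create the folder.
        $note   = 'missing; nearest existing parent checked'
        $target = Split-Path -Parent $Path
        while ($target -and -not (Test-Path -LiteralPath $target -PathType Container)) {
            $target = Split-Path -Parent $target
        }
    }
    $writers = if ($target) { @(Get-BroadWriters -Path $target) } else { @() }
    [pscustomobject]@{
        Scope      = $Scope
        Path       = $Path
        Exists     = $exists
        WritableBy = ($writers -join '; ')
        Note       = $note
    }
}

function Test-PathFolders {
    foreach ($scope in 'Machine', 'User') {      # system PATH first, then user PATH
        $raw = [Environment]::GetEnvironmentVariable('Path', $scope)
        foreach ($entry in ($raw -split ';')) {
            if ([string]::IsNullOrWhiteSpace($entry)) { continue }
            $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
            Test-PathFolder -Path $dir -Scope $scope
        }
    }
}

# Usage: every row with a non-empty WritableBy column is a candidate folder for
# the wlbsctrl.dll trick. Only Machine-scope rows matter for services running
# as SYSTEM; User-scope rows are listed because the post's script lists both.
Test-PathFolders | Format-Table -AutoSize
```

As the post notes, the output is the same whether an admin or a non-admin user runs it from a medium integrity shell, because the PATH variables and the folder ACLs are readable by everyone; a folder installed in the root of the drive by an installer running as SYSTEM typically shows NT AUTHORITY\Authenticated Users with Modify here.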