Feedback from a weak file permissions fail

A few weeks ago, I managed to connect to a patched Windows 7 and with a limited user account (let's call him « limited_user »). Of course, the goal was to obtain an admin/system shell.

Fail !

After doing all the normal checks, something caught my attention…

File permission fail

File permission fail

Wait... what ?

Wait... what ?

.... Can all the users edit the Trend Micro OfficeScan directory ? Meh, that looks cool. We need to investigate !

Investigation !

Which version is it ?

OfficeScan - Version

OfficeScan - Version

Which services are running by Trend ?

services_trend

Trend/Office Scan Services

Which processes are actually running ?

Process List

Process List

Okay, so the PccNTMon.exe is the Office ScanGUI that is running with my "limited_user"'s rights, but the other processes are running on SYSTEM. At this point in time, i guessed that it could be cool to create a malicious payload and to place it, in the place of a legit Trend process, no ? But the main problem we are facing is that Office Scan is launched at startup, and we obviously can't modify/replace a running system process.

wow-that-escalated-quicklyIf we look closer to the list of Trend's processes, we can see something that's quite interesting : a process called « CNTAoSMgr.exe » has got « TMlisten » as a parent proces and it starts about 30 sec AFTER TMListen. 30 sec ? Could it be enough to open a session before the process «CNTAoSMgr.exe » starts and … put our payload here ?

Payload time!

First, we need to create a payload that will add a user to the system and also add him to the « Administrateurs » group. However, the payload will be somewhere on the computer, and the anti-virus can catch it. We'll use the Veil Framework to obfuscate it. (please remember : never send theses payloads to an online scanner !)

Payload created from Veil Framework

Payload created from Veil Framework

Then, i use an up-to-date LOCAL AV to test the file ...

Payload isn't detected :)

Payload isn't detected 🙂

Looks fine:)

Scheduled that !

Second, we'll create a scheduled task to replace C:Program Files (x86)Trend MicroOfficeScan ClientCNTAoSMgr.exe with our payload. We're a limited user, so we can't schedule it when the computer's start. However, we can create a task that'll run at the session startup

# Command to schedule (copy payload from desktop to Office Scan Dir)

xcopy "C:Userslimited_userDesktopCNTAoSMgr.exe" "C:Program Files (x86)Trend MicroOfficeScan Client" /Y
Scheduled task

Scheduled task

 

If we try to run the tasks, it will fail because the process CNRAoSMgr.exe is running. There's no « admin_user » at this moment.

thank-you-captain-obvious

Pwn time !

Time to reboot, and see what happen !

Before rebooting, the legit CNTAoSMgr.exe looks like that :

before_reboot

After rebooting …

after_payload

After few seconds …

The user is created !

The user is created !

admin_user info

admin_user info

Pwnd =)

Notes !

I tried to do this against an OfficeScan 11, but it failed because the agent checks the digital signature before executing the « .exe ». If someone has a trick to bypass this check, please contact me =)

Enregistrer

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *

Captcha *