Windows privilege escalation using Program.exe.
Let me first start out by saying that I love Windows. It must be the easiest operating system to learn and use. Unfortunately, it is also one of the easiest in which to find holes. One of my favorite pastimes is finding privilege escalation vulnerabilities in Windows and Windows applications. They exist everywhere. So I want to talk about a privilege escalation that exists in many of the Windows operating systems simply because of a misunderstanding of how Windows works.
First, some background information on how Windows launches applications:
1. Start, Run, C:\Winnt\system32\cmd.exe
This is pretty simple and straightforward. Windows will locate the file cmd.exe and launch it.
2. Start, Run, "C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe"
This is almost identical to the first. Windows will locate the file btwdins.exe (the default Bluetooth service executable that appears on most HP/Compaq SOHO machines) and launch it. However, note the use of the quotes in the path because of the spaces. In the old 8.3 notation this could be written as follows and the use of quotes would not be necessary.
3. Start, Run, C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
This may look the same as the previous example, but the quotes are missing. This can be bad, and I will discuss why further down, but here is how Windows interprets this statement because of the spaces.
- Windows will try to locate and launch the file C:\Program.exe
- If that file does not exist Windows will try to locate and launch the file C:\Program Files\WIDCOMM\Bluetooth.exe
- If that file does not exist Windows will finally try to locate and launch the original intended file C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
You might be thinking one of two things right now...wow or so what. Well, let's say you are logged into a machine as a user with only local guest privileges. You can't do much, but you want to try to interact with other processes that are running with higher privileges so that you can manipulate them to elevate your privileges. So what runs with higher privileges...services. Most services in Windows run as LocalSystem, which has basically god rights for the local machine.
Thinking back to the examples, what if I told you that Bluetooth was a service set to start up automatically with Windows and run under the context of LocalSystem? The path to the executable is C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe without the quotes. When Windows starts, it will try to start the Bluetooth service automatically as LocalSystem, but since there are no quotes around the path to the btwdins.exe file, it will try to launch the following as LocalSystem first:
- C:\Program Files\WIDCOMM\Bluetooth.exe
So you could hack up your own Program.exe service or Bluetooth.exe service and place it in the location where Windows will accidentally run it. The service you create could simply create a new account and add it to the local Administrators group.
However, you can't do much with your current guest privileges. The default permissions for the Program Files folder in Windows 2000 and above prevent a guest account from even entering the folder. So how are you supposed to plant your custom C:\Program Files\WIDCOMM\Bluetooth.exe file? You can't. But what about using the root of C:\ for a custom Program.exe file? You can...in Windows 2000 and below. In Windows XP and above the default permissions of Everyone - Full Control were removed (which was a smart move by Microsoft).
So plant your custom C:\Program.exe file that will create a new account and add it to the local Administrators group and restart the computer. Log in as the new admin account.
Want the tools discussed in this article?
This is a simple PERL (http://www.activeperl.com/) script that you can run to enumerate the executable paths of all services. Just run it and look through the output for paths that have spaces and do not have quotes.
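The check described above (service paths that contain spaces and have no quotes), written as an added Python example for auditing; it is not the Perl script this article refers to. The service names and the `SAMPLE_SERVICES` data are constructed, and the function names are hypothetical.

```python
# Added example: flag service executable paths that are unquoted and contain spaces.
# SAMPLE_SERVICES is constructed data; on a real host the values would be the
# executable path of each service as reported by a service enumeration.
SAMPLE_SERVICES = {
    "btwdins": r"C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe",
    "btwdins_quoted": r'"C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe"',
    "cmd_with_args": r"C:\Winnt\system32\cmd.exe /k",
}


def split_command(image_path):
    """Split an unquoted command line into (executable, arguments).

    Assumption: the executable ends at the first ".exe" in the string.
    """
    cmd = image_path.strip()
    end = cmd.lower().find(".exe")
    if end == -1:
        return cmd, ""
    return cmd[:end + 4], cmd[end + 4:]


def candidate_paths(image_path):
    """List the files Windows tries, in order, before the intended executable."""
    cmd = image_path.strip()
    if cmd.startswith('"'):
        return []  # quoted path: only the intended file is tried
    exe, _ = split_command(cmd)
    # Each space is a point where the path can be cut and ".exe" appended.
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def quoted(image_path):
    """Return the command line with the executable part wrapped in quotes."""
    cmd = image_path.strip()
    if cmd.startswith('"'):
        return cmd
    exe, args = split_command(cmd)
    return '"' + exe + '"' + args


def audit(services):
    """Map each affected service name to the paths Windows would try first."""
    findings = {}
    for name, image_path in services.items():
        candidates = candidate_paths(image_path)
        if candidates:
            findings[name] = candidates
    return findings
```

Each reported service should have its executable path changed to the value `quoted()` returns, and the listed candidate locations should be checked for files that do not belong there.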
This is the custom Program.exe service file that can be used to add a new user and add that user to the local Administrators group. Just copy the Program.exe file and the runme.txt file to the root of C:\. Add as many commands as you would like Program.exe to run to the runme.txt file.