June 6th, 2005, 05:01 AM
Windows privilege escalation using Program.exe.
Let me first start out by saying that I love Windows. It must be the easiest operating system to learn and use. Unfortunately, it is also one of the easiest in which to find holes. One of my favorite past times is finding privilege escalation vulnerabilities in windows and windows applications. They exist everywhere. So I want to talk about a privilege escalation that exists in many of the Windows operating systems simply because of a misunderstanding of how Windows works.
First, some background information on how Windows launches applications:
1. Start, Run, C:\Winnt\system32\cmd.exe
This is pretty simple and straight forward...Windows will locate the file cmd.exe and launch it.
2. Start, Run, "C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe"
This is almost identical to the first. Windows will locate the file btwdins.exe (the default Bluetooth service executable that appears on most HP/Compaq SOHO machines) and launch it. However, note the use of the quotes in the path because of the spaces. In the old 8.3 notation this could be written as follows and the use of quotes would not be necessary.
3. Start, Run, C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
This may look the same as the previous example but the quotes are missing. This can be bad and I will discuss why further down but here is how Windows interprets this statement because of the spaces.
- Windows will try to locate and launch the file C:\Program.exe
- If that file does not exist Windows will try to locate and launch the file C:\Program Files\WIDCOMM\Bluetooth.exe
- If that file does not exist Windows will finally try to locate and launch the original intended file C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
You might be thinking one of two things right now...wow or so what. Well let's say you are logged into a machine as a user with only local guest privileges. You can't do much but you want to try to interact with other process that are running with higher privileges so that you can manipulate them to elavate your privileges. So what runs with higher privileges...services. Most services in Windows run as LocalSystem which has basically god rights for the local machine.
Thinking back to the examples, what if I told you that Bluetooth was a service set to startup automatically with Windows and run under the context of LocalSystem. The path to the executable is C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe without the quotes. When Windows starts it will try to start the Bluetooth service automatically as LocalSystem but since there are no quotes around the path to the btwdins.exe file it will try to launch the following as LocalSystem first:
- C:\Program Files\WIDCOMM\Bluetooth.exe
So you could hack up your own Program.exe service or Bluetooth.exe service and place it in the location where Windows will accidentally run it. The service you create could simply create a new account and add it to the local Administrators group.
However, you can't do much as with your current guest privileges. The default permissions for the Program Files folder in Windows 2000 and above prevent a guest account from even entering the folder. So how are you supposed to plant your custom C:\Program Files\WIDCOMM\Bluetooth.exe file? You can't. But what about using the root of C:\ for a custom Program.exe file? You can...in Windows 2000 and below. In Windows XP and above the default permissions of Everyone - Full Control where removed (which was a smart move by Microsoft).
So plant your custom C:\Program.exe file that will create a new account and add it to the local Administrators group and restart the computer. Log in as the new admin account.
Want the tools discussed in this article?
This is a simple PERL (http://www.activeperl.com/) script that you can run to enumerate the executable paths of all services. Just run it and look through the output for paths that have spaces and do not have quotes.
This is the custom Program.exe service file that can be used to add a new user and add that user to the local Administrators group. Just copy the Program.exe file and the runme.txt file to the root of C:\. Add as many commands as you would like Program.exe to run to the runme.txt file.
June 6th, 2005, 06:55 AM
You've posted two tutorials now within your first few posts here and that is great and all... however there is no need to post tutorials on compromising systems that are assumed to be poorly secured. This is merely a step away from posting a tutorial on how to compromise a Windows 2000 system that automatically logs you in as Administrator... why worry about it?
The way windows handles non-8.3 paths is predictable and consitant and consequently not considered a vulnerability.
June 6th, 2005, 06:59 AM
Thank you for the feedback. I found it interesting when I was writing the tutorial so I though others may enjoy the read. Your point is well taken though. Without insecure systems there is not a need to exploit them.
June 6th, 2005, 07:49 AM
I'm with catch on this one, and the others on your other tutorial..
I'm not sure what you think AO is about... or what AO is... but these tutorials both read, to me anyways, as skiddie papers...
This is a computer security website -- 'Maximum Security for a Connected World'... The old slogan which was 'Hackers know the weaknesses in your system, shouldn't you?' would fit a little better, but even then, your posts are a little on the juvenile side... They aren't what the majority of us are here for...
I'll come straight out and admit that I'm the one who negged you, however I bumped it down to 25% (and I seldom let it leave 100%) and I explained to you in the neg why I did it... I don't think these are up to par with the rest of this site.
You should be capable of more than this.... I've looked at your resume... assuming it's real, then you should be capable of a lot more... There are some little tools on your site that look cool.. I'm assuming you've written them all... and I've also seen your list of published advisories... Some of them are similar to things I've seen high school students do to bypass basic restrictions.. but some of them look somewhat impressive. Anyways... all in all you should be working to a much higher par than this...
Your experience level blows mine away... there's no comparison.... but I felt that reading this tutorials was a complete waste of my time... With a resume that much superior to my lowly still in college resume I should enjoying reading the tutorials that you post..
Anyways... there's my constructive criticism for the night.
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
June 6th, 2005, 07:54 AM
reedarvin, I still think this is a good post, as was the other.
I am merely stating that it should not be in the security tutorials secution, but the Windows Security section.
PS. I disgree with these being "skiddie" focused, they are interesting topics that not many people are versed on and there is no question that they add value to this community. (for whatever that is worth)
June 6th, 2005, 03:29 PM
reedarvin, ive liked it.
But as an admin, i would like to see some kind of "prevention" of this "exploit". Since here is (usually) a admin forum, you can show a "vulnerability" and a "exploit", but also we use to like to see the "cure" too.
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt.
If I die before I wake, I pray the Lord my soul to brake.
June 6th, 2005, 05:13 PM
All my staff know that step one, (after the OS installation), in Win2k is to remove all rights from the root for everything other than the Local Admin and System and force it down through the tree.... Seriously, step one......
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
June 6th, 2005, 05:20 PM
Someone in the group is always going to ask "Why 'remove all rights from the root for everything other than the Local Admin and System and force it down through the tree' ", and this tutorial shows a perfect example of why. People tend to follow directions better when they understand the ramifications of not following them. Otherwise in cases they feel that those who made the instructions were just being overly precautious and picky.
July 17th, 2005, 03:33 PM
Its impressive how we can find many ppl who loves to be noticed telling moral lessons in this forum. I administrate win servers since that nt4 ****, and I ALWAYS tried to discover the vulnerabilities to try by myself in my servers. Be an administrator who only keep the system updated and install that stupid firewall softwares and keep the antivirus up to date is easy (and easy to be hacked too).
I always support anyone here who post ANYTHING about security. Lets just stop this hypocrisy here. If anyone posting xpl ways don't post the solution, go find it yourself. I'm very thankfull for learning another win vulnerability.
Good post reedarvin
July 17th, 2005, 04:29 PM
Your right. I saw a perfect example on my school network. They didn't remove al the rights you could acces ms-dos without having to put in a password or something else. Even quick key's weren't removend you could open run with logo + R. It showed that not al admins know how to protect their network as it should. Your tutorial shows a basic flaw that most admins don't think off. If you don't have a problem with it i would like to show this example to the admin of my school network. I just hope that admins read this and act accordingly. (sorry for my english if its not correct.)
Originally posted here by zENGER
Someone in the group is always going to ask "Why 'remove all rights from the root for everything other than the Local Admin and System and force it down through the tree' ", and this tutorial shows a perfect example of why.