#####################################################################################

Application:  My Remote File Server

Platforms:    Windows XP Professional SP2

Exploitation: Privilege Escalation

Date:         2009-10-26

Author:       Francis Provencher (Protek Research Lab's)


#####################################################################################

1) Introduction
2) Technical details
3) The Code (N/A)


#####################################################################################

================
1) Introduction
================

My Remote Files Server Edition is special Windows software that helps to organize simultaneous access to shared files on a server computer from different computers in your local network and from the Internet.

(from smrksoft website)


2009/10/30 Vendor contacted
2009/10/30 Vendor response ("That's not a security hole but a feature....")
2009/10/30 Release of this advisory

#####################################################################################

=============================
2) Technical details
=============================

My Remote File Server
Build 2.4.1

All files under the install folder grant Change access (cacls "C") to BUILTIN\Users, so any local user can replace them with malicious files.

This application has two modes:

Standalone mode: a replaced binary runs with the privileges of the user who starts the application.
Service mode: a replaced binary runs with administrative privileges (the session below ends up as AUTORITE NT\SYSTEM).


The application has another hole: the private key used for SSL communication, together with the certificate, is stored in the install folder. BUILTIN\Users can read them and use them to decrypt communication with the server or to impersonate it.


... snip ...

C:\Program Files\Remote Files Server\mserver.exe BUILTIN\Utilisateurs:C
                                                 BUILTIN\Utilisateurs avec pouvoir:C
                                                 BUILTIN\Administrateurs:F
                                                 AUTORITE NT\SYSTEM:F
                                                 FUZZYXP\test:C
... snip ...

C:\>WHOAMI.EXE
FUZZYXP\test

C:\>telnet 127.0.0.1 4444


C:\>WHOAMI.EXE
WHOAMI.EXE
AUTORITE NT\SYSTEM


#####################################################################################

============
3) The Code
============

N/A


#####################################################################################
(PRL-2009-16)
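As an added defender's check, not part of the advisory, the script below parses cacls listings of the shape quoted in section 2 and flags entries where a low-privilege group such as BUILTIN\Users (BUILTIN\Utilisateurs on a French install) can modify an installed binary, or can even read a file marked as secret, which covers the unprotected private key. The sample listings are constructed after the advisory's output; the key file name server.key is an assumption, since the advisory does not name it.

```python
import re
# Low-privilege principals (lower-cased) in the English and the French
# spelling seen in the advisory's cacls listing.
LOW_PRIV = {"builtin\\users", "builtin\\utilisateurs", "everyone", "tout le monde",
            "nt authority\\authenticated users"}
WRITE_FLAGS = set("WCF")  # cacls letters: W write, C change, F full control
ACE_RE = re.compile(r"^(?P<acct>.+?):(?P<perm>(?:\([A-Z]+\))*[A-Z]+)$")

def parse_cacls(path, output):
    """Turn `cacls <path>` output into (account, flags) pairs; line 1 starts with the path."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue  # blank lines and "(special access:)" detail lines
        flags = re.sub(r"\([A-Z]+\)", "", m["perm"])  # drop (OI)(CI) inheritance tags
        aces.append((m["acct"].strip(), flags))
    return aces

def weak_aces(path, output, secret=False):
    """ACEs that let a low-privilege principal modify the file, or merely
    read it when secret=True (a private key must not be readable at all)."""
    findings = []
    for acct, flags in parse_cacls(path, output):
        if acct.lower() in LOW_PRIV:
            if set(flags) & WRITE_FLAGS or (secret and flags != "N"):
                findings.append((acct, flags))
    return findings

# Constructed samples shaped like the advisory's cacls listing (French account
# names). The key file name is an assumption; the advisory does not give it.
MSERVER = r"C:\Program Files\Remote Files Server\mserver.exe"
MSERVER_CACLS = MSERVER + r""" BUILTIN\Utilisateurs:C
                  BUILTIN\Utilisateurs avec pouvoir:C
                  BUILTIN\Administrateurs:F
                  AUTORITE NT\SYSTEM:F
                  FUZZYXP\test:C
"""
KEYFILE = r"C:\Program Files\Remote Files Server\server.key"
KEYFILE_CACLS = KEYFILE + r""" BUILTIN\Utilisateurs:R
                  BUILTIN\Administrateurs:F
"""

if __name__ == "__main__":
    print("mserver.exe:", weak_aces(MSERVER, MSERVER_CACLS))
    print("server.key :", weak_aces(KEYFILE, KEYFILE_CACLS, secret=True))
```

On a live host the output of `cacls "<file>"` for each file under the install folder can be passed to weak_aces in the same way; any finding for the executable means the service-mode escalation described above is possible.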