2. Who am I
• Pen tester from Singapore
• Started learning about security at 15 and still learning
• Want to learn: Reverse Engineering, Kernel Debugging & Exploitation
3. What I am not talking about
• How to use kernel exploits
4. What I am talking about
• How to find typical misconfigurations made by sysadmins and developers
• How to capitalize on those misconfigurations to gain super-user privileges
5. Why am I talking about this?
• Running a limited shell is not fun
• Running a kernel exploit is a high-risk activity
• Kernel exploits are rare
• Kernel vulnerabilities usually get patched very quickly
7. SUID/SGID
• Set User ID bit / Set Group ID bit
• Enables users to execute a file with the permissions of the file's owner/group
• Improves security by not having to grant every user permissions on sensitive files
-rwsr-xr-x 1 root root 48920 Nov 13 00:58 /usr/bin/passwd
12. sudo
• Enables users to run commands with the privileges of another user
• Commonly found in scripts to run privileged commands without password authentication
17. Weak Folder/File Permission
• Reveals sensitive information in history or configuration files
• Enables modification of important files, or of scripts executed by init or cron jobs
18. Weak Folder/File Permission
• Look out for
  • Home directory (.rhosts, .ssh/authorized_keys, .bashrc, .*_history)
  • Config files (httpd.conf, my.cnf, config.inc.php, sshd_config)
  • Source code (.php, .c, .cpp, .pl, .py)
  • Init (/etc/rc.*) and cron jobs (/etc/cron.*/, /var/spool/cron/)
  • Scripts executed by init or cron jobs
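The two Linux checks from slides 7 and 18 (SUID/SGID binaries, and files or scripts under init/cron locations that any user can modify) can be scripted so they run the same way on every host. The following audit script is an added example, not code from the slides; the directories it scans are whatever you pass on the command line, and the stat bits it tests are the standard POSIX ones.

```python
"""Added example (not from the slides): audit directory trees for the two
weaknesses the slides describe, SUID/SGID binaries and world-writable files
or directories in places executed by init or cron. Roots are arguments;
nothing about the host is assumed."""
import os
import stat
import sys
from typing import Dict, Iterator, List, Tuple


def _walk_entries(root: str) -> Iterator[Tuple[str, os.stat_result]]:
    """Yield (path, lstat) for every entry under root without following symlinks."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip it


def find_suid_sgid(root: str) -> List[str]:
    """Regular files with the setuid or setgid bit set (what `find -perm /6000 -type f` reports)."""
    hits = []
    for path, st in _walk_entries(root):
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            hits.append(path)
    return sorted(hits)


def find_world_writable(root: str) -> List[str]:
    """Files and directories any user may modify (o+w). Symlinks are skipped
    because their own mode is meaningless; sticky-bit directories such as /tmp
    are excluded because users there can only touch their own files."""
    hits = []
    for path, st in _walk_entries(root):
        if stat.S_ISLNK(st.st_mode) or not st.st_mode & stat.S_IWOTH:
            continue
        if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
            continue
        hits.append(path)
    return sorted(hits)


def describe_mode(path: str) -> str:
    """Render permissions the way `ls -l` does, e.g. -rwsr-xr-x for /usr/bin/passwd."""
    return stat.filemode(os.lstat(path).st_mode)


def audit(roots: List[str]) -> Dict[str, List[str]]:
    """Run both checks over several roots, e.g. ["/etc/cron.d", "/etc/init.d", "/usr/bin"]."""
    report: Dict[str, List[str]] = {"suid_sgid": [], "world_writable": []}
    for root in roots:
        report["suid_sgid"] += find_suid_sgid(root)
        report["world_writable"] += find_world_writable(root)
    return report


if __name__ == "__main__":
    targets = sys.argv[1:] or ["/etc/cron.d", "/etc/init.d", "/etc/rc.d"]
    for kind, paths in audit(targets).items():
        for p in paths:
            print(f"{kind:15} {describe_mode(p)} {p}")
```

Any entry in `world_writable` that is an init or cron script is the "modify scripts executed by init or cron" case from slide 17; any unexpected entry in `suid_sgid` deserves a comparison against the distribution's package manifest.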
25. Symbolic Link Attack
• A symbolic link, a.k.a. soft link, points to another file by filename
• Can link to any file, regardless of whether the target file exists
• Race condition
• User with write access
33. Weak Folder/File Permission
The vulnerability is due to incorrect installation and permissions settings on
binary files during the MSE physical or virtual appliance install procedure. An
attacker could exploit this vulnerability by logging into the device and
escalating their privileges. A successful exploit could allow the attacker to
acquire root-level privileges and take full control of the device.
Source: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-privmse
34. Weak Folder/File Permission
Get list of services not in System32:
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> services.txt
Get permissions:
for /f eol^=^"^ delims^=^" %a in (services.txt) do cmd.exe /c icacls "%a" >> permissions.txt
Source: http://travisaltman.com/windows-privilege-escalation-via-weak-service-permissions/
35. Weak Service Permission
• Well-known vulnerability for Windows XP SP1 and Windows 2003 Server
• MS06-011 - Upnphost, SCardSvr, SSDPSRV, DnsCache, and DHCP services
Source: http://www.fuzzysecurity.com/tutorials/16.html
37. Weak Service Permission
Get permissions on services:
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -uwcqv "Users"|"Everyone"|"Any Other Group" *
Source: http://www.fuzzysecurity.com/tutorials/16.html
38. Weak Registry Permission
• Services registered on the system are stored in the registry
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
• Weak registry permissions enable a non-privileged user to modify a service's configuration
39. Unquoted Service Paths
DisplayName                  | Name                        | PathName
hMailServer                  | hMailServer                 | C:\Server\Mail Server\hMailServer\Bin\hMailServer.exe RunAsService
Mobile Broadband HL Service  | Mobile Broadband HL Service | "C:\ProgramData\MobileBrServ\mbbservice.exe"
VMware Tools                 | VMTools                     | "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
40. Unquoted Service Paths
• Unquoted service paths containing space(s) lead to ambiguous binary execution
• Windows tries to execute the path cut off at the first space, then at each following space
• Number of attempted executions = number of spaces + 1
42. Unquoted Service Paths
• Look out for services installed in C:\*Folder*
• "Authenticated Users" has Modify permission on C:\*Folder*, inherited from the C:\ permissions (except for folders created by Windows)
44. Unquoted Service Paths
The hMailServer service is now registered in Windows with a quoted path, to
prevent the service from being vulnerable to "Unquoted service path".
Unquoted service paths would allow a user with access to the server where
hMailServer runs, but with less privileges than hMailServer, to gain the
privileges of hMailServer by creating a new executable and placing it in
C:\ProgramFiles\hMailServer\hMailserver.exe.
Not Right!
48. Unquoted Service Paths
Find all unquoted service paths:
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows" |findstr /i /v """
Quick exploit:
Use Metasploit - exploit/windows/local/trusted_service_path
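The wmic/findstr pipeline above and the "number of spaces + 1" rule of slide 40 are easy to get wrong by eye, so here is the same logic as a small Python checker. This is an added example, not code from the slides; the wmic output it parses is a constructed sample modelled on the slide 39 table, and the column layout (fields separated by two or more spaces) is what wmic prints. The candidate list it produces for an unquoted path is the set of locations whose directory ACLs an administrator has to lock down.

```python
"""Added example, not from the slides: the wmic | findstr filter of slide 48
reimplemented in Python, plus the candidate list that explains the
"number of spaces + 1" rule of slide 40. The wmic output is constructed."""
import ntpath
import re
from typing import Dict, List

# Constructed stand-in for `wmic service get name,displayname,pathname,startmode`
# output; columns are separated by at least two spaces, as wmic prints them.
SAMPLE_WMIC = r"""
DisplayName  Name  PathName  StartMode
hMailServer  hMailServer  C:\Server\Mail Server\hMailServer\Bin\hMailServer.exe RunAsService  Auto
Mobile Broadband HL Service  Mobile Broadband HL Service  "C:\ProgramData\MobileBrServ\mbbservice.exe"  Auto
VMware Tools  VMTools  "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"  Auto
Windows Update  wuauserv  C:\Windows\system32\svchost.exe -k netsvcs  Auto
Example Manual Svc  ExampleSvc  C:\Tools\Example Svc\svc.exe  Manual
"""

COLUMNS = ("DisplayName", "Name", "PathName", "StartMode")


def parse_wmic(output: str) -> List[Dict[str, str]]:
    """Split wmic's column layout into dicts; rows without four columns are skipped."""
    rows = []
    lines = [ln for ln in output.splitlines() if ln.strip()]
    for line in lines[1:]:                      # first non-empty line is the header
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) == len(COLUMNS):
            rows.append(dict(zip(COLUMNS, fields)))
    return rows


def candidate_executables(command_line: str) -> List[str]:
    """Files Windows tries, in order, when a service command line is unquoted:
    the string is cut at each space and .exe is appended when the prefix has no
    extension, giving (number of spaces + 1) attempts. A quoted command line
    yields exactly one candidate."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        return [cmd[1:cmd.index('"', 1)]]
    candidates = []
    cut = -1
    while True:
        cut = cmd.find(" ", cut + 1)
        prefix = cmd if cut == -1 else cmd[:cut]
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
        if cut == -1:
            return candidates


def is_unquoted_with_space(pathname: str) -> bool:
    """The slide's filter: not quoted, not under the Windows directory, and containing a space."""
    p = pathname.strip()
    return not p.startswith('"') and not p.lower().startswith(r"c:\windows") and " " in p


def flag_unquoted_services(output: str) -> List[str]:
    """Names of auto-start services whose PathName the slide 48 pipeline would print."""
    return [
        row["Name"]
        for row in parse_wmic(output)
        if row["StartMode"].lower() == "auto" and is_unquoted_with_space(row["PathName"])
    ]


if __name__ == "__main__":
    for row in parse_wmic(SAMPLE_WMIC):
        if is_unquoted_with_space(row["PathName"]):
            print(row["Name"])
            for c in candidate_executables(row["PathName"]):
                print("   would try:", c)   # check the ACL of each directory listed here
```

Only the hMailServer row survives the filter, and its three candidates show why: the first one, C:\Server\Mail.exe, lives in a directory that ordinary users may be able to write to. Quoting the path, as the VMware Tools entry does, collapses the list to a single candidate.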
49. DLL Hijacking
• Dynamic Link Libraries (DLL)
• Shared library concept - allows applications to reuse code in DLLs
• Hijacking happens when an application loads an attacker's DLL instead of the intended DLL
51. DLL Hijacking
• Windows 32-bit DLL search order with SafeDllSearchMode enabled
1. Directory from which the application is loaded
2. Windows 32-bit system directory (C:\Windows\System32)
3. Windows 16-bit system directory (C:\Windows\System)
4. Windows directory (C:\Windows)
5. Current directory
6. Directories listed in %PATH%
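The search order above matters because the application directory is consulted before System32: a DLL that legitimately lives in System32 is shadowed by any same-named file that an unprivileged user can drop into the application directory, which is the condition behind the Huawei advisory on the next slide. The model below is an added example, not code from the slides; it encodes the six positions listed here (and, going one step beyond the slide, the position the current directory takes when SafeDllSearchMode is disabled) and reports which directories searched ahead of the real DLL are writable by standard users. The directories, files and ACLs in it are constructed; KnownDLLs and side-by-side manifests are left out of the model.

```python
"""Added example, not from the slides: a model of the 32-bit DLL search order
from slide 51 that reports which directories searched ahead of the legitimate
DLL are writable by standard users. KnownDLLs and manifests are ignored; all
paths and ACLs are constructed."""
from typing import Dict, List, Optional, Set

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"


def search_order(app_dir: str, cwd: str, path_dirs: List[str], safe_mode: bool = True) -> List[str]:
    """Directories in the order the loader consults them. With SafeDllSearchMode
    enabled (the default, as on slide 51) the current directory is searched fifth;
    with it disabled the current directory moves up to second place."""
    if safe_mode:
        return [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd] + list(path_dirs)
    return [app_dir, cwd, SYSTEM32, SYSTEM16, WINDIR] + list(path_dirs)


def resolve(dll: str, order: List[str], present: Dict[str, Set[str]]) -> Optional[str]:
    """Directory whose copy of dll the loader picks (first hit wins), or None if absent."""
    for directory in order:
        if any(name.lower() == dll.lower() for name in present.get(directory, ())):
            return directory
    return None


def hijackable_dirs(dll: str, order: List[str], present: Dict[str, Set[str]],
                    user_writable: Set[str]) -> List[str]:
    """Directories a standard user can write to that are searched before the
    legitimate copy of dll. Any entry here lets an unprivileged write shadow the
    real DLL; an empty list means the ACLs close the search order for this DLL."""
    legit = resolve(dll, order, present)
    stop = order.index(legit) if legit is not None else len(order)
    return [d for d in order[:stop] if d in user_writable]


# Constructed scenario in the shape of slide 52: the service's program-data
# directory has a weak ACL, while VERSION.dll legitimately lives in System32.
APP_DIR = r"C:\ProgramData\MobileBrServ"
CWD = r"C:\Users\alice\Downloads"
PRESENT = {SYSTEM32: {"VERSION.dll", "kernel32.dll"}, APP_DIR: {"mbbservice.exe"}}
WEAK_ACL = {APP_DIR, CWD}          # before the fix: program-data directory writable by users
FIXED_ACL = {CWD}                  # after restricting the program-data directory


def assess(dll: str, user_writable: Set[str], safe_mode: bool = True) -> List[str]:
    """Hijack exposure for one DLL under the constructed scenario."""
    order = search_order(APP_DIR, CWD, [r"C:\Tools"], safe_mode)
    return hijackable_dirs(dll, order, PRESENT, user_writable)


if __name__ == "__main__":
    print("weak ACL, safe mode   :", assess("VERSION.dll", WEAK_ACL))
    print("fixed ACL, safe mode  :", assess("VERSION.dll", FIXED_ACL))
    print("fixed ACL, unsafe mode:", assess("VERSION.dll", FIXED_ACL, safe_mode=False))
```

Fixing the ACL on the application directory empties the list while SafeDllSearchMode is on; turning SafeDllSearchMode off brings the user-controlled current directory back in front of System32, which is why that setting should stay enabled.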
52. DLL Hijacking
• CVE-2016-2855: Huawei Mobile Broadband HL Service Local Privilege Escalation
• The Huawei Mobile Broadband HL Service 22.001.25.00.03 and earlier uses a weak ACL for the MobileBrServ program data directory, which allows local users to gain SYSTEM privileges by modifying VERSION.dll.
60. Hot Potato
• Researched and developed by Stephen Breen @ FoxGlove Security
• Combined 3 vulnerabilities to perform privilege escalation
  • NetBIOS Name Service (NBNS) spoofing
  • Web Proxy Auto-Discovery Protocol (WPAD) man-in-the-middle attack
  • HTTP -> SMB relay
61. NBNS Spoofing
• Windows resolves host names in this order:
  • Local hosts file @ C:\Windows\System32\drivers\etc\hosts
  • DNS cache
  • DNS server
  • Local LMHOSTS file @ C:\Windows\System32\drivers\etc\lmhosts.sam
  • NetBIOS broadcast
• Anyone can respond to the NetBIOS broadcast ☺
62. WPAD Man in the Middle
• WPAD is enabled by default
• IE will automatically look up http://WPAD/wpad.dat for proxy settings
64. SMB -> SMB Relay
• 15-year-old SMB relay/reflection attack
Diagram: a legitimate client, and an attacker who has MITMed the client's connection to the legitimate SMB server
(1) Client connects to the SMB server and asks for an NTLM challenge
(2) Attacker connects to the client's SMB service and asks for an NTLM challenge
(3) Client sends the attacker the NTLM challenge
(4) Attacker modifies the client's challenge and sends it back to the client as his own for (1)
(5) Client receives the (1) challenge, encrypts it using his credential (hash) and sends it back to the attacker
(6) Attacker sends back the response he receives and is successfully authenticated for (2)
65. SMB -> SMB Relay
• MS08-068 stops this by preventing a challenge from being relayed back to the host that issued it - SMB to SMB relay
• Doesn't stop the cross-protocol attack, HTTP -> SMB relay ☺
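Why the MS08-068 check stops the six-step reflection of slide 64 but not the cross-protocol variant of slide 65 is easiest to see with a toy model. The code below is an added example, not from the slides and not real NTLM or SMB: the "response" is an HMAC stand-in, and one `Host` object plays both the SMB server (which issues challenges) and the clients (SMB and HTTP) that answer them. The MS08-068 behaviour is modelled as the SMB client refusing any challenge that its own SMB server currently has outstanding.

```python
"""Added example, not from the slides: a toy model of the challenge/response
reflection on slide 64 and of the MS08-068 check on slide 65. The "NTLM"
response is an HMAC stand-in; nothing here speaks the real protocols."""
import hashlib
import hmac
import os
from typing import Optional, Set


def toy_response(secret: bytes, challenge: bytes) -> bytes:
    """Stand-in for the NTLM response: keyed hash of the server challenge under the account secret."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class Host:
    """One Windows machine: an SMB server that issues challenges plus the SMB and
    HTTP client stacks that answer challenges with the same account secret."""

    def __init__(self, secret: bytes, ms08_068: bool = False):
        self.secret = secret
        self.ms08_068 = ms08_068
        self.outstanding: Set[bytes] = set()   # challenges our server side issued, not yet answered

    # ---- SMB server side ----
    def issue_challenge(self) -> bytes:
        challenge = os.urandom(8)
        self.outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes, account_secret: bytes) -> bool:
        if challenge not in self.outstanding:
            return False                       # unknown or replayed challenge
        self.outstanding.discard(challenge)
        return hmac.compare_digest(toy_response(account_secret, challenge), response)

    # ---- SMB client side ----
    def smb_answer(self, challenge: bytes) -> Optional[bytes]:
        """MS08-068 behaviour: the SMB client refuses a challenge that this same
        host's SMB server currently has outstanding. A genuine remote server
        cannot know that value, so seeing it can only mean a reflection."""
        if self.ms08_068 and challenge in self.outstanding:
            return None
        return toy_response(self.secret, challenge)

    # ---- HTTP client side (Integrated Windows Authentication) ----
    def http_answer(self, challenge: bytes) -> bytes:
        """The HTTP stack answers NTLM too, but it has no view of the SMB server's
        outstanding challenges, so the MS08-068 check cannot fire here."""
        return toy_response(self.secret, challenge)


def legitimate_logon(server: Host, client: Host) -> bool:
    """Two different hosts: the check must not interfere with normal authentication."""
    challenge = server.issue_challenge()
    response = client.smb_answer(challenge)
    return response is not None and server.verify(challenge, response, client.secret)


def smb_reflection(victim: Host) -> bool:
    """Slide 64: the attacker obtains a challenge from the victim's SMB service (2),
    hands it to the victim as if it came from the server the victim is connecting
    to (4), and forwards the victim's response to the victim's SMB service (6)."""
    challenge = victim.issue_challenge()
    response = victim.smb_answer(challenge)
    if response is None:
        return False                            # blocked by MS08-068
    return victim.verify(challenge, response, victim.secret)


def http_to_smb_reflection(victim: Host) -> bool:
    """Slide 65: same flow, but the victim answers over HTTP, so the SMB-only check does not apply."""
    challenge = victim.issue_challenge()
    response = victim.http_answer(challenge)
    return victim.verify(challenge, response, victim.secret)


if __name__ == "__main__":
    print("unpatched SMB->SMB :", smb_reflection(Host(b"pw-hash")))                 # True
    print("MS08-068 SMB->SMB  :", smb_reflection(Host(b"pw-hash", True)))           # False
    print("MS08-068 HTTP->SMB :", http_to_smb_reflection(Host(b"pw-hash", True)))   # True
```

The model makes the scope of the fix explicit: it is a client-side check that only the SMB client performs, so a response produced by another NTLM-capable client on the same host is still accepted. Defences that act on the server side regardless of which client answered, such as requiring SMB signing and enabling Extended Protection for Authentication, are what close the cross-protocol case.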
66. HTTP -> SMB Relay
• NTLM is part of Integrated Windows Authentication
• IE supports Integrated Windows Authentication (NTLM authentication)
• Automatic logon is enabled by default for the Intranet zone
• Localhost is part of the Intranet zone ☺
67. Hot Potato (Windows 7) Steps
1. Start NBNS spoofing for WPAD and start a web server on localhost:80
2. Start Windows Defender Update (NT Authority\System)
3. WPAD settings redirect Windows Defender Update to http://localhost/GETHASHES
4. http://localhost/GETHASHES asks for NTLM authentication and connects to the localhost SMB service to obtain a challenge, then forwards it to Windows Defender Update
5. Windows Defender Update sends the NTLM response
6. Hot Potato resumes the SMB authentication with the NTLM response ☺