Although we enjoy offensive work, we appreciate defensive work just as much. In this post we'll discuss how we managed to escalate our privileges on a Windows host while performing a SOE (Standard Operating Environment) assessment.
During the assessment we noticed that our client had not skipped the installation of an anti-virus product; in this case it was Trend Micro OfficeScan version 11.1. Products of this kind normally run as a Windows service in the context of the most privileged account on the host (SYSTEM). Looking closely at OfficeScan's file permissions revealed that the executable loaded as the service at system start-up was writeable by the 'Everyone' group.
The file permissions were insecure because of an installation option. During installation, administrators are asked whether they want to install the anti-virus with a 'normal' or a 'high' security setting. Administrators who choose the 'normal' setting unknowingly give unprivileged users a way to escalate their privileges on the host.
Exploitation of this configuration is simple and straightforward. For all intents and purposes, the following three steps were followed:
- Reboot the Windows system into Safe Mode so that the OfficeScan processes are not running.
- Overwrite the ntrtscan.exe (Real Time Scan Service) executable with a malicious executable of your choosing. In our instance, we used a Windows service template and added a few commands that attempt to create a new local user account and add it to the local Administrators group.
- Reboot the Windows system. During start-up, the Real Time Scan Service executable is started, which executes the malicious payload.
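As an added example (not code from the original post or from Trend Micro), the following PowerShell snippet audits every installed service on the local host for the misconfiguration described above: a service binary that a low-privilege group can modify. The group list and the rights mask are assumptions chosen for this check; an OfficeScan install made with the 'normal' setting would show up in the output with ntrtscan.exe writable by Everyone.

```powershell
# Added example: report services whose binary is writable by low-privilege groups.
# Group list and rights mask are assumptions for this check, not vendor guidance.
$LowPrivGroups = @('Everyone', 'BUILTIN\Users',
                   'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$R = [System.Security.AccessControl.FileSystemRights]
# Any of these rights lets the holder replace the file or rewrite its ACL.
# 0x10000000 / 0x40000000 are GENERIC_ALL / GENERIC_WRITE, which Get-Acl
# leaves unmapped when an ACE was written with generic access bits.
$WriteMask = [int]($R::Write -bor $R::Modify -bor $R::FullControl -bor
                   $R::TakeOwnership -bor $R::ChangePermissions) -bor 0x10000000 -bor 0x40000000

function Get-ServiceBinaryPath([string]$PathName) {
    # ImagePath values come as "C:\quoted path\x.exe" -arg, C:\x.exe -arg,
    # or an unquoted path with spaces and no arguments.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return ($PathName -split ' -| /')[0].Trim()
}

function Test-WritableByLowPriv([string]$Path) {
    # Returns the first low-privilege identity holding a write-capable Allow ACE.
    # Deny ACEs are ignored for brevity; confirm any hit with icacls before acting.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($LowPrivGroups -notcontains $id) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { return $id }
    }
    return $null
}

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
    $who = Test-WritableByLowPriv $exe
    if ($who) {
        [pscustomobject]@{
            Service    = $svc.Name
            RunsAs     = $svc.StartName   # LocalSystem here is the worst case
            Binary     = $exe
            WritableBy = $who
        }
    }
}
$findings | Format-Table -AutoSize
```

Run it from an elevated prompt so that every service binary can be read; an empty table means no service binary on the host is writable by the listed groups.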
- 16/04/2015: Vulnerabilities were reported to Trend Micro
- 16/04/2015: Trend Micro confirmed reception of advisory
- 30/04/2015: Trend Micro did not confirm vulnerability
- 05/05/2015: Asterisk asked for disclosure permission
- 05/05/2015: Trend Micro confirmed reviewing the advisory
- 14/05/2015: Trend Micro confirmed vulnerability and requested to hold disclosure until July 10
- 14/05/2015: Asterisk confirmed disclosure date
- 04/06/2015: Trend Micro requested a change of disclosure date to August 4
- 10/06/2015: Asterisk confirmed updated disclosure date
- 03/08/2015: Asterisk reminded Trend Micro of the disclosure date
- 04/08/2015: Trend Micro requested a change of disclosure date to August 7
- 04/08/2015: Asterisk confirmed the updated disclosure date
- 07/08/2015: Disclosed by both parties