what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Nessus 5.2.1 Local Privilege Escalation

Nessus 5.2.1 Local Privilege Escalation
Posted Mar 21, 2014
Authored by Neil Jones | Site nccgroup.com

An authenticated Nessus scan of a target machine may result in local privilege escalation on that target machine if scanned with the Malicious Process Detection plugin (Plugin ID 59275). The Malicious Process Detection plugin created a service which ran as SYSTEM however this binary could be modified by a low level user allowing for privilege escalation. Nessus appliance engine version 5.2.1 the plugin set 201402092115 is affected.

tags | advisory, local
SHA-256 | 8648f4d711efe44b31bdee0acb14cb37b88fd4f1a78ae2f87ff9765acf082452

Nessus 5.2.1 Local Privilege Escalation

Change Mirror Download
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Vulnerability Summary
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

Title Nessus Authenticated Scan - Local Privilege Escalation
Release Date 20 March 2014
Reference NGS00643
Discoverer Neil Jones
Vendor Tenable
Vendor Reference RWZ-21387-181
Systems Affected Nessus appliance engine version 5.2.1 the plugin set
201402092115
Risk High
Status Fixed

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Resolution Timeline
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

Discovered 29 January 2014
Released 29 January 2014
Reported 18 February 2014
Fixed 6 March 2014
Published 20 March 2014

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Vulnerability Description
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

An authenticated Nessus scan of a target machine may result in local
privilege escalation on that target machine if scanned with the Malicious
Process Detection plugin (Plugin ID 59275). The Malicious Process Detection
plugin created a service which ran as SYSTEM however this binary could be
modified by a low level user allowing for privilege escalation.

The main attack vector for this vulnerability would be within large
organisations which routinely run authenticated scans for security
auditing purposes, once a user gains SYSTEM access on one machine they
would be likely to be able to escalate their privileges to that of Domain
Administrator by other means.

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Technical Details
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

The vulnerability was caused by the Malicious Process Detection plugin
(Plugin ID 59275), this plugin created a service which gathered privileged
information from the target system. The plugin created a binary in the
System Temp folder which had a static name for example this would be
"C:\Windows\Temp\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe"

A service was then created to run this binary, the service created was set
to automatically start upon boot. As a low level user the binary should be
created before the scan, once the scan is in progress the binary is
overwritten by the Nessus plugin, once the Nessus plugin overwrites the
binary the low level user can once again overwrite the binary the machine
can be rebooted by the low level user so the binary is automatically ran
upon system boot.

As the Nessus scan is still in progress upon the machine rebooting, the
binary and the service are deleted automatically during the clean-up
process of the plugin.

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Fix Information
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

The plugin has been updated and the vulnerability can be patched by
updating the plugins on your scanner

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
NCC Group
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

Research https://www.nccgroup.com/research
Twitter https://www.twitter.com/NCCGroupInfoSec / @NCCGroupInfoSec
Open Source https://github.com/nccgroup
Blog https://www.nccgroup.com/en/blog/cyber-security/
SlideShare http://www.slideshare.net/NCC_Group/


For more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br>
This email message has been delivered safely and archived online by Mimecast.
</a>
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close