In the previous article, we learned the basics of some local exploitation techniques and tried to find hidden features of the software on your computer. Hope you guys had fun with it.
Today, we focus on finding invalid privileges, permissions, and ACLs in Windows operating systems, especially in the supposed silver bullet: antivirus. I took my own antivirus, Avira, as the victim here.
What is an access control list (ACL)?
In Windows operating systems in particular, system objects with incorrect or inappropriately secured ACLs are common.
An access control list (ACL) is a list of access control entries (ACEs). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. The security descriptor for a securable object can contain two types of ACLs: a DACL and a SACL.
A discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the ACEs in the object’s DACL to determine whether to grant access to it. If the object does not have a DACL, the system grants full access to everyone. If the object’s DACL has no ACEs, the system denies all attempts to access the object because the DACL does not allow any access rights. The system checks the ACEs in sequence until it finds one or more ACEs that allow all the requested access rights, or until any of the requested access rights are denied.
A system access control list (SACL) enables administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log. An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds, or both.
How to check if we could do a local exploit based on it?
Firstly, a privileged application running as SYSTEM may use objects with insecure permissions (ACLs) that allow a normal, non-privileged user to modify or interact with them in a way that leads to an escalation of privileges.
For example, sometimes a process or application thread runs as SYSTEM, with the highest possible integrity level (also SYSTEM), but has no owner. So funny, right? Well, you may be surprised by the number of products that used to have such bugs.
Checking for weak DACL issues is not too hard. It can be done manually without the help of any tool.
To check whether a piece of software is vulnerable to this issue, you just need to right-click on its folder (the installation directory and its files) and go to the “Security” tab. If the “Everyone” group has “Full control” permission, then we probably have a brand new local vulnerability.
Firstly, checking the ACL of the software’s services is quite different from checking the installation directory; it can be done with a tool that ships with Windows: sc.exe.
If no error appears after running this command, an attacker could change the binary path of the Windows service and run malware under his control.
Secondly, we can check the Avira Antivirus process named avguard.exe: which user it runs as and what permissions are set on it.
We can see it runs under the user NT AUTHORITY\SYSTEM, and only two groups have permissions on it: SYSTEM and Administrators.
If the object has no owner, an owner and proper permissions should be assigned as soon as possible. Otherwise, anyone who can access this object can take ownership of it and then run it with the highest permissions, and we have a potential security risk here.
Loading a malicious DLL into these processes
Another story: when you find a process running as NT AUTHORITY\SYSTEM, you could try to load “an innocent DLL” into it. If that is possible, you know what I mean? 😀
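To make the checks above repeatable, here is an added PowerShell audit script. It is not code from the original post and not Avira’s code; it scripts the directory ACL check from the “Security” tab, the service ACL check (the post only names sc.exe, so using its sdshow subcommand to print the service’s SDDL is my choice), the process owner check, and, for the DLL story, a check of whether any directory a running process loads its DLLs from is writable by low-privileged users. The install path and service name in the usage lines are placeholders; only avguard.exe comes from the post.

```powershell
# Added audit script (not from the original post). It scripts the manual checks above: the install
# directory's ACL, the service's ACL (via sc.exe sdshow), the process owner, and the directories a
# running process loads its DLLs from. Run from an elevated PowerShell 5.1+ prompt.

# Low-privileged trustees that should never hold write-class rights on a SYSTEM product's objects.
$LowPrivTrustees = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# The same trustees as SDDL short codes / SIDs, as they appear in a service security descriptor.
$LowPrivSids = @('WD', 'BU', 'AU', 'IU', 'S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4')

# File-system mask bits that let a caller replace binaries or rewrite the ACL itself:
# WriteData | AppendData | Delete | ChangePermissions | TakeOwnership | GENERIC_ALL | GENERIC_WRITE
$FsWriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
# Service equivalents: SERVICE_CHANGE_CONFIG (DC), WRITE_DAC (WD), WRITE_OWNER (WO), GENERIC_ALL (GA), GENERIC_WRITE (GW)
$SvcWriteMask  = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
$SvcWriteCodes = @('DC', 'WD', 'WO', 'GA', 'GW')

function Test-WeakDirectoryAcl {
    # Scripted equivalent of looking for "Everyone: Full control" on the Security tab.
    param([Parameter(Mandatory)][string]$Path, [switch]$Recurse)
    $items = @(Get-Item -LiteralPath $Path)
    if ($Recurse) { $items += Get-ChildItem -LiteralPath $Path -Recurse -Force }
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow' -or $LowPrivTrustees -notcontains $ace.IdentityReference.Value) { continue }
            # FileSystemRights is a flags enum that goes negative for generic rights; keep only the low 32 bits.
            $mask = [int64]$ace.FileSystemRights -band 0xFFFFFFFF
            if ($mask -band $FsWriteMask) {
                [pscustomobject]@{ Object = $item.FullName; Trustee = $ace.IdentityReference.Value
                                   Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

function Test-WeakServiceAcl {
    # Parses the SDDL printed by `sc.exe sdshow <service>` and reports allow-ACEs that let a low-privileged
    # trustee reconfigure the service (binary path included) or rewrite its security descriptor.
    param([Parameter(Mandatory)][string]$ServiceName)
    $out = (& sc.exe sdshow $ServiceName) -join ''
    $m = [regex]::Match($out, 'D:[A-Z]*(?<dacl>(?:\([^)]*\))+)')
    if (-not $m.Success) { throw "sc.exe sdshow returned no DACL for '$ServiceName': $out" }
    foreach ($ace in [regex]::Matches($m.Groups['dacl'].Value, '\(([^)]*)\)')) {
        $f = $ace.Groups[1].Value -split ';'     # ace_type;flags;rights;object_guid;inherit_guid;trustee
        if ($f[0] -ne 'A' -or $LowPrivSids -notcontains $f[5]) { continue }
        $rights = $f[2]
        if ($rights -like '0x*') {
            $weak = ([Convert]::ToInt64($rights.Substring(2), 16) -band $SvcWriteMask) -ne 0
        } else {
            # Rights are concatenated two-letter codes, e.g. CCLCSWRPWPDTLOCRRC
            $codes = for ($i = 0; $i -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) }
            $weak  = @($codes | Where-Object { $SvcWriteCodes -contains $_ }).Count -gt 0
        }
        if ($weak) { [pscustomobject]@{ Service = $ServiceName; Trustee = $f[5]; Rights = $rights } }
    }
}

function Get-ProcessOwnerInfo {
    # Which account does each instance of the image run under? (GetOwner on SYSTEM processes needs elevation.)
    param([Parameter(Mandatory)][string]$ImageName)   # e.g. 'avguard.exe'
    foreach ($p in Get-CimInstance -ClassName Win32_Process -Filter "Name = '$ImageName'") {
        $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        [pscustomobject]@{ ProcessId = $p.ProcessId; Path = $p.ExecutablePath
                           Owner = if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '<access denied>' } }
    }
}

function Test-ProcessModuleDirectories {
    # Every directory a running process has loaded a DLL from is a place where a weak ACL would matter.
    param([Parameter(Mandatory)][string]$ImageName)
    $base = [IO.Path]::GetFileNameWithoutExtension($ImageName)
    $mods = @(Get-Process -Name $base -Module -ErrorAction SilentlyContinue)
    $dirs = $mods | ForEach-Object { Split-Path -Parent $_.FileName } | Sort-Object -Unique
    foreach ($d in $dirs) { Test-WeakDirectoryAcl -Path $d }
}

# Usage with placeholder names (assumptions, not values from the original post; only avguard.exe is from it):
Test-WeakDirectoryAcl -Path 'C:\Program Files\ExampleAV' -Recurse | Format-Table -AutoSize
Test-WeakServiceAcl -ServiceName 'ExampleAVService' | Format-Table -AutoSize
Get-ProcessOwnerInfo -ImageName 'avguard.exe' | Format-Table -AutoSize
Test-ProcessModuleDirectories -ImageName 'avguard.exe' | Format-Table -AutoSize
```

An empty result from the first two functions is the good case: no low-privileged trustee can change the binaries, the ACL, or the service configuration. Anything reported is a finding to fix by tightening the ACL (remove the write-class rights for Everyone / Users / Authenticated Users / INTERACTIVE), which is exactly the mitigation the post asks vendors for.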
In this post, we learned how a local exploitation can be done using invalid privileges, permissions, and ACLs. You guys should check around the processes on your computer to see what you can find. If you find a funny case, just tell me. I am always here to help.
Thanks for reading, you guys.