Vulnerable Systems:
* Microsoft Windows Vista, Windows Server 2008, Windows 7, Windows 8 RP
The vulnerability exists because the IKE and AuthIP IPsec Keying Modules system service tries to load the wlbsctrl.dll library, which is not present after a default Windows installation.
The IKE and AuthIP IPsec Keying Modules service starts automatically in default configuration (after default installation) of:
- Microsoft Windows Vista
- Microsoft Windows 2008
- Microsoft Windows 7
- Microsoft Windows 8 Release Preview
Moreover, the service runs with SYSTEM privileges by default. Therefore an unprivileged local user who has write access to a default or any other search PATH location can execute arbitrary code on the vulnerable system with the privileges of the SYSTEM account.
Vulnerability Details:
The IKE and AuthIP IPsec Keying Modules service tries to load the wlbsctrl.dll library, which is missing. This forces Microsoft Windows to use the search PATH procedure to locate the missing dynamic-link library, in the following order described by Microsoft: http://msdn.microsoft.com/en-us/library/windows/desktop/ff919712%28v=vs.85%29.aspx
- The directory from which the application loaded
- The system directory
- The 16-bit system directory
- The Windows directory
- The current directory
- The directories that are listed in the PATH environment variable
When a directory is created in the C:\ root folder, access permissions for files and subfolders are inherited from the parent directory. By default, members of the Authenticated Users group have the FILE_APPEND_DATA and FILE_WRITE_DATA rights on all directories created within the C:\ root folder. This also applies to folders created by an application's installer. The vulnerability is introduced to the system when software does not change the default permissions of its installation directory and adds its installation path to the PATH system environment variable. Any member of the Authenticated Users group can then place a malicious file named wlbsctrl.dll into that folder and execute arbitrary code on the system after a simple reboot.
Brief research confirmed that the following well-known software makes the weakness exploitable when installed into the C:\ root folder:
- ActivePerl 5.16.1.1601 (default installation)
Adds to the PATH variable: C:\Perl\Site\bin;
- ActiveTcl 8.5.12 (default installation)
Adds to the PATH variable: C:\TD\bin
- ActivePython 3.2.2.3 (option to modify the PATH variable is inactive, but can be manually activated)
Adds to the PATH variable: C:\Python27\;C:\Python27\Scripts;
- Ruby installer 1.9.3-p194 (option to modify the PATH variable is inactive, but can be manually activated)
Adds to the PATH variable: C:\Ruby193\bin;
- PHP 5.3.17 (option to modify the PATH variable is inactive, but can be manually activated; must be explicitly configured to be installed into C root folder, e.g. C:\PHP)
Adds to the PATH variable: C:\PHP\;
- Zend Server 5.6.0 SP4 (must be explicitly configured to be installed into C root folder, e.g. C:\Zend)
Adds to the PATH variable: C:\Zend\ZendServer\share\ZendFramework\bin
- MySQL 5.5.28 (option to modify the PATH variable is inactive, but can be manually activated; must be explicitly configured to be installed into C root folder, e.g. C:\MySQL)
Adds to the PATH variable: C:\MySQL\MySQL Server 5.5\bin
Attack vectors:
Any member of the Authenticated Users group can escalate their privileges to SYSTEM when the following conditions are met:
1. The above-mentioned software sets insecure permissions on its installation folder (i.e. the folder is writable by members of the Authenticated Users group).
2. The above-mentioned software adds its installation path to the system PATH environment variable.
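The two conditions above (a PATH entry whose directory inherits Authenticated Users write access from C:\) are straightforward to audit on a running system. The following PowerShell script is an added example written for this page, not part of the original advisory or any vendor tool: it reads the machine-wide PATH, which is what a SYSTEM service such as IKEEXT sees, and reports every directory that broad principals (Authenticated Users, Everyone, Users) are allowed to write to. The function name Get-WritablePathDirectory and the list of principals checked are the example's own choices.

```powershell
# Added example (not from the advisory): find PATH directories that broad
# principals can write to. Such a directory is exactly where a dropped
# wlbsctrl.dll would be picked up by the IKEEXT service's DLL search.
function Get-WritablePathDirectory {
    # FILE_WRITE_DATA and FILE_APPEND_DATA, the two rights the advisory names.
    # Modify and FullControl contain these bits, so they are caught as well.
    $writeRights = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                         [System.Security.AccessControl.FileSystemRights]::AppendData)

    # Principals whose write access makes a PATH directory hijackable (assumed list).
    $broadPrincipals = @('NT AUTHORITY\Authenticated Users', 'Everyone', 'BUILTIN\Users')

    # The machine PATH, not the current user's, is what a SYSTEM service inherits.
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')

    foreach ($entry in ($machinePath -split ';' | Where-Object { $_.Trim() -ne '' })) {
        $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim())

        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            [pscustomobject]@{ Directory = $dir; Status = 'MISSING'; WritableBy = '' }
            continue
        }

        $acl  = Get-Acl -LiteralPath $dir
        $weak = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($broadPrincipals -contains $_.IdentityReference.Value) -and
            ((([int]$_.FileSystemRights) -band $writeRights) -ne 0)
        }

        if ($weak) {
            $who = ($weak | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', '
            [pscustomobject]@{ Directory = $dir; Status = 'WRITABLE'; WritableBy = $who }
        } else {
            [pscustomobject]@{ Directory = $dir; Status = 'ok'; WritableBy = '' }
        }
    }
}

# Usage: list only the problematic entries.
Get-WritablePathDirectory | Where-Object { $_.Status -ne 'ok' } | Format-Table -AutoSize
```

A directory reported as WRITABLE matches the advisory's precondition; the remediation is the one the text implies, that is, to stop the installation folder from inheriting the C:\ root's default ACL so that Authenticated Users no longer have FILE_WRITE_DATA or FILE_APPEND_DATA on it, or to remove the folder from the machine PATH. Run the script from an elevated prompt so that Get-Acl can read every directory's security descriptor.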
How to exploit:
1. Log in under an unprivileged system account.
2. Download and extract the HTB23108-P0c-Windows-Services.rar archive.
3. Copy the files from the archive into the C:\Perl\site\bin folder.
4. Reboot the system.
5. Log in under unprivileged system account.
6. Run the C:\Perl\site\bin\ADMC.exe file.
7. Enter the following credentials when asked:
Login: fox
Password: 1234
8. Type shell and then the whoami command in the system console; you will see nt authority\system, i.e. you have an administrative console.
Disclosure Timeline:
Vendor Notification: August 7, 2012
Public Disclosure: October 9, 2012