Here's one for you, Sigma

Here's one for you, Sigma

Postby Cyborg Girl » Mon Sep 14, 2015 12:58 am

Presentation from Symantec about some recent memory resident malware for Windows:

http://www.symantec.com/content/en/us/e ... weliks.pdf

Note the means of privilege escalation.

In December 2014, we noticed that Poweliks was using a Windows zero-day exploit for privilege escalation,
which we reported to Microsoft. The company designated this vulnerability MS15-004 and released a patch for
it in January. The vulnerability allows an attacker to execute an arbitrary file with elevated privileges on the
compromised computer.
The vulnerability is in the TS WebProxy component and the specific vulnerable function is CTSWebProxy::Start
RemoteDesktop. Normally, this function executes the terminal services executable (mstsc.exe) and the path to
mstsc.exe is supplied by the user. Before executing the filepath provided, Windows checks that the supplied path
legitimately leads to mstsc.exe. The path must end with mstsc.exe and it must start in the system folder, as seen
in the following example:
• %Windir%\System32\mstsc.exe
This can be changed when the zero-day exploit is used. By using directory traversal characters, the check can be
bypassed so it leads to a path that no longer points to mstsc.exe, as seen in the following example:
• %Windir%\System32\..\..\temp\bad.exe\mstsc.exe\..
Continuing with the example, this path will pass the check, but will actually execute the following file instead:
• %Temp%\bad.exe
There were actually two different vulnerabilities that had the same effect. In the 32-bit version of twsbprxy.exe,
there were no checks on the path and in the 64-bit version of the file, there were checks but Windows allowed an
incorrect path to be provided.


Kind of like the old

Code: Select all
GET /../../../../../../../../../etc/passwd


trick. Groovy. :x
User avatar
Cyborg Girl
Boy Genius
 
Posts: 2138
Joined: Mon May 27, 2013 2:54 am

Re: Here's one for you, Sigma

Postby Sigma_Orionis » Mon Sep 14, 2015 5:57 pm

Yeah really, the fact that that damned thing hides itself in that mess called the Registry is unnerving.
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez


Return to Sci-Tech… and Stuff

Who is online

Users browsing this forum: No registered users and 17 guests