Here's one for you, Sigma
Posted: Mon Sep 14, 2015 12:58 am
Presentation from Symantec about some recent memory resident malware for Windows:
http://www.symantec.com/content/en/us/e ... weliks.pdf
Note the means of privilege escalation.
In December 2014, we noticed that Poweliks was using a Windows zero-day exploit for privilege escalation,
which we reported to Microsoft. The company designated this vulnerability MS15-004 and released a patch for
it in January. The vulnerability allows an attacker to execute an arbitrary file with elevated privileges on the
compromised computer.
The vulnerability is in the TS WebProxy component and the specific vulnerable function is CTSWebProxy::StartRemoteDesktop.
Normally, this function executes the terminal services executable (mstsc.exe) and the path to
mstsc.exe is supplied by the user. Before executing the filepath provided, Windows checks that the supplied path
legitimately leads to mstsc.exe. The path must end with mstsc.exe and it must start in the system folder, as seen
in the following example:
• %Windir%\System32\mstsc.exe
This can be changed when the zero-day exploit is used. By using directory traversal characters, the check can be
bypassed so it leads to a path that no longer points to mstsc.exe, as seen in the following example:
• %Windir%\System32\..\..\temp\bad.exe\mstsc.exe\..
Continuing with the example, this path will pass the check, but will actually execute the following file instead:
• %Temp%\bad.exe
There were actually two different vulnerabilities that had the same effect. In the 32-bit version of twsbprxy.exe,
there were no checks on the path and in the 64-bit version of the file, there were checks but Windows allowed an
incorrect path to be provided.
Kind of like the old
GET /../../../../../../../../../etc/passwd
trick. Groovy.
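
Added example, not part of the original post or the Symantec paper: a string-level path check next to one that canonicalises first, run over the two paths quoted above. The `C:\Windows` value and the function names are assumptions, and `string_only_check` is a hypothetical simplification, not the actual Windows code.

```python
import ntpath  # Windows path rules, usable on any OS

WINDIR = r"C:\Windows"  # constructed value standing in for %Windir%
ALLOWED = ntpath.join(WINDIR, "System32", "mstsc.exe")


def expand(path: str) -> str:
    """Substitute the constructed %Windir% value (no real environment lookup)."""
    return path.replace("%Windir%", WINDIR)


def string_only_check(path: str) -> bool:
    """Hypothetical flawed check: inspects the raw string, never resolves '..'."""
    p = expand(path).lower()
    prefix = ntpath.join(WINDIR, "System32").lower() + "\\"
    return p.startswith(prefix) and "\\mstsc.exe" in p


def resolved_target(path: str) -> str:
    """Lexically collapse '.' and '..' to show what the path really names."""
    return ntpath.normpath(expand(path))


def canonical_check(path: str) -> bool:
    """Hardened check: canonicalise first, then require the one allowed file."""
    return ntpath.normcase(resolved_target(path)) == ntpath.normcase(ALLOWED)


if __name__ == "__main__":
    samples = [
        r"%Windir%\System32\mstsc.exe",
        r"%Windir%\System32\..\..\temp\bad.exe\mstsc.exe\..",
    ]
    for s in samples:
        print(f"{s}\n  resolves to : {resolved_target(s)}"
              f"\n  string check: {string_only_check(s)}"
              f"\n  canonical   : {canonical_check(s)}")
```

`ntpath.normpath` is purely lexical, so this shows the ordering of the steps (resolve, then compare against one exact path) rather than a full treatment of links or alternate path forms.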