[FD] Vulnerability Report: MAMP PRO 4.2.0 Local Privilege Escalation

2020-07-24 Thread Nicholas
Hi!

I have discovered a local privilege escalation vulnerability on MAMP PRO
4.2.0 and would like to post it. Please kindly check the attached file.

Best regards,
Nicholas
# Exploit Title: MAMP PRO 4.2.0 Local Privilege Escalation
# Date: 2020-07-08
# Exploit Author: b1nary
# Vendor Homepage: https://www.mamp.info/
# Software Link: 
https://downloads.mamp.info/MAMP-PRO-WINDOWS/releases/4.2.0/MAMP_MAMP_PRO_4.2.0.exe
# Version: 4.2.0
# Tested on: Windows 10 Pro x64 Version 10.0.19041 

The MAMPPRO Windows installer installs seven services called 'MAMPPRO',
'MAMPPRO-Apache', 'MAMPPRO-MySQL', 'MAMPDNS', 'MAMPPRO-Memcached',
'emailrelay-service.exe' and 'MAMPPRO-NGINX'. All those services run with
'SYSTEM' privileges and have weak file permissions, which means that a
low-privileged user can modify those services and execute code with 'SYSTEM'
privileges on the system.

NT AUTHORITY\Authenticated Users:(I)(M) means that every authenticated user has
modify access ((M) stands for Modify) on the files, so they can read, write and
delete the files.


(1). = MAMPPRO =
C:\Users\user>sc qc MAMPPRO
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MAMPPRO
TYPE   : 10  WIN32_OWN_PROCESS
START_TYPE : 2   AUTO_START
ERROR_CONTROL  : 1   NORMAL
BINARY_PATH_NAME   : "C:\MAMPPRO\MAMPPROService.exe"
LOAD_ORDER_GROUP   :
TAG: 0
DISPLAY_NAME   : MAMPRO Service
DEPENDENCIES   :
SERVICE_START_NAME : LocalSystem

C:\MAMPPRO>icacls c:\MAMPPRO\MAMPPROService.exe
C:\MAMPPRO\MAMPPROService.exe BUILTIN\Administrators:(I)(F)
  NT AUTHORITY\SYSTEM:(I)(F)
  BUILTIN\Users:(I)(RX)
  NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files


(2). = MAMPPRO-Apache =
C:\Users\user>sc qc MAMPPRO-Apache
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MAMPPRO-Apache
TYPE   : 10  WIN32_OWN_PROCESS
START_TYPE : 2   AUTO_START
ERROR_CONTROL  : 1   NORMAL
BINARY_PATH_NAME   : "C:\MAMP\bin\apache\bin\httpd.exe" -k runservice
LOAD_ORDER_GROUP   :
TAG: 0
DISPLAY_NAME   : MAMPPRO-Apache
DEPENDENCIES   : Tcpip
   : Afd
SERVICE_START_NAME : LocalSystem

C:\Users\user>icacls "c:\MAMP\bin\apache\bin\httpd.exe"
c:\MAMP\bin\apache\bin\httpd.exe BUILTIN\Administrators:(I)(F)
 NT AUTHORITY\SYSTEM:(I)(F)
 BUILTIN\Users:(I)(RX)
 NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files

(3). = MAMPPRO-MySQL =
C:\Users\user>sc qc MAMPPRO-MySQL
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MAMPPRO-MySQL
TYPE   : 10  WIN32_OWN_PROCESS
START_TYPE : 2   AUTO_START
ERROR_CONTROL  : 1   NORMAL
BINARY_PATH_NAME   : C:\MAMP\bin\mysql\bin\mysqld.exe 
--defaults-file=C:\Users\Public\Documents\Appsolute\MAMPPRO\conf\my.ini 
MAMPPRO-MySQL
LOAD_ORDER_GROUP   :
TAG: 0
DISPLAY_NAME   : MAMPPRO-MySQL
DEPENDENCIES   :
SERVICE_START_NAME : LocalSystem


C:\Users\user>icacls "C:\MAMP\bin\mysql\bin\mysqld.exe"
C:\MAMP\bin\mysql\bin\mysqld.exe BUILTIN\Administrators:(I)(F)
 NT AUTHORITY\SYSTEM:(I)(F)
 BUILTIN\Users:(I)(RX)
 NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files

(4). = MAMPDNS =
C:\Users\user>sc qc MAMPDNS
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MAMPDNS
TYPE   : 10  WIN32_OWN_PROCESS
START_TYPE : 2   AUTO_START
ERROR_CONTROL  : 1   NORMAL
BINARY_PATH_NAME   : "C:\MAMPPRO\MAMPDNSService.exe"
LOAD_ORDER_GROUP   :
TAG: 0
DISPLAY_NAME   : MAMPRO DNS Service
DEPENDENCIES   :
SERVICE_START_NAME : LocalSystem

C:\Users\user>icacls "C:\MAMPPRO\MAMPDNSService.exe"
C:\MAMPPRO\MAMPDNSService.exe BUILTIN\Administrators:(I)(F)
  NT AUTHORITY\SYSTEM:(I)(F)
  BUILTIN\Users:(I)(RX)
  NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files

(5). = MAMPPRO-Memcached =
C:\Users\user>sc qc MAMPPRO-Memcached
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MAMPPRO-Memcached
TYPE   : 10  WIN32_OWN_PROCESS
START_TYPE : 3   DEMAND_START
ERROR_CONTROL  : 1   NORMAL
BINARY_PATH_NAME   : 
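The post documents each service by pasting the `sc qc` and `icacls` output by hand. As an added example that is not code from the original post, the following Python script parses exactly that output format and flags a service whose binary carries a write-capable right for a principal other than Administrators, SYSTEM or TrustedInstaller, which is the condition the post describes. The MAMPPRO sample text is copied from the post (the `sc qc` output abridged); the hardened ACL sample is constructed for contrast; the set of privileged principals, the set of rights treated as write-capable and the decision to ignore deny ACEs are assumptions of this script.

```python
"""Audit a Windows service binary for write access by low-privileged users.
Added example, not code from the original post: it parses the text printed by
`sc qc <service>` and `icacls <file>`, as quoted in the advisory, and reports
every non-privileged principal holding a write-capable right on the binary."""
import re

# Principals expected to hold write access on a service binary (assumption of
# this script; adjust to the baseline of the host being audited).
PRIVILEGED = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM",
              "NT SERVICE\\TrustedInstaller", "CREATOR OWNER"}
# icacls rights that let a principal replace or alter the file: full, modify,
# write, write data, append data, write DAC, write owner, delete.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "DE"}
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE_RE = re.compile(r"^(?P<principal>[^:()]+):(?P<flags>(?:\([^)]*\))+)$")

# Copied from the advisory (service 1, MAMPPRO; sc qc output abridged).
SC_QC_MAMPPRO = r"""
SERVICE_NAME: MAMPPRO
TYPE   : 10  WIN32_OWN_PROCESS
START_TYPE : 2   AUTO_START
BINARY_PATH_NAME   : "C:\MAMPPRO\MAMPPROService.exe"
DISPLAY_NAME   : MAMPRO Service
SERVICE_START_NAME : LocalSystem
"""
ICACLS_MAMPPRO = r"""
C:\MAMPPRO\MAMPPROService.exe BUILTIN\Administrators:(I)(F)
  NT AUTHORITY\SYSTEM:(I)(F)
  BUILTIN\Users:(I)(RX)
  NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files
"""
# Constructed: the same binary after the Authenticated Users ACE is removed.
ICACLS_HARDENED = r"""
C:\MAMPPRO\MAMPPROService.exe BUILTIN\Administrators:(I)(F)
  NT AUTHORITY\SYSTEM:(I)(F)
  BUILTIN\Users:(I)(RX)
"""

def executable_from_command(command):
    """Executable part of BINARY_PATH_NAME: a quoted path verbatim, otherwise up
    to the first blank (an unquoted path containing blanks is its own weakness)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0] if command else ""

def parse_sc_qc(text):
    """Return (service name, executable path, start account) from `sc qc` output."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip().upper()] = value.strip()
    return (fields.get("SERVICE_NAME", ""),
            executable_from_command(fields.get("BINARY_PATH_NAME", "")),
            fields.get("SERVICE_START_NAME", ""))

def parse_icacls(text, path):
    """Return [(principal, rights)] from `icacls` output for `path`. The first ACE
    shares its line with the file name, so the known path is stripped; inheritance
    flags are dropped; deny ACEs are skipped (assumption: allow-only audit)."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue  # blank, prompt and summary lines
        groups = re.findall(r"\(([^)]*)\)", m.group("flags"))
        if "DENY" in groups:
            continue
        rights = {t.strip() for g in groups for t in g.split(",")} - INHERITANCE_FLAGS
        aces.append((m.group("principal").strip(), rights))
    return aces

def audit(sc_qc_text, icacls_text):
    """Combine both outputs; `exposed` lists non-privileged principals that can
    write the binary, each with the write-capable rights they hold."""
    name, path, start = parse_sc_qc(sc_qc_text)
    exposed = [(p, sorted(r & WRITE_RIGHTS))
               for p, r in parse_icacls(icacls_text, path)
               if p not in PRIVILEGED and r & WRITE_RIGHTS]
    return {"name": name, "binary_path": path, "start_name": start, "exposed": exposed}

def verdict(result):
    if not result["exposed"]:
        return "ok"
    who = "; ".join(f"{p} ({','.join(r)})" for p, r in result["exposed"])
    return (f"{result['name']}: {result['binary_path']} runs as "
            f"{result['start_name']} but is writable by {who}")

if __name__ == "__main__":
    print(verdict(audit(SC_QC_MAMPPRO, ICACLS_MAMPPRO)))
    print(verdict(audit(SC_QC_MAMPPRO, ICACLS_HARDENED)))
```

Run against the post's MAMPPRO output the script reports the binary as running as LocalSystem but writable by NT AUTHORITY\Authenticated Users (M); against the constructed hardened ACL it reports "ok". The same two parsers apply unchanged to the Apache and MySQL entries, since `executable_from_command` handles both the quoted `httpd.exe ... -k runservice` form and the unquoted `mysqld.exe --defaults-file=...` form.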

[FD] Defense in depth -- the Microsoft way (part 70): CVE-2014-0315 alias MS14-019 revisited

2020-07-24 Thread Stefan Kanthak
Hi @ll,

This multi-part post can be read even without a MIME-compliant program!

Back in 2014, I reported a vulnerability in CreateProcess()'s handling of
*.cmd and *.bat files that Microsoft fixed with MS14-019 alias MSKB 299
and assigned CVE-2014-0315: command lines with a batch script as first token
led to the execution of a (rogue) cmd.exe from the CWD (or the search path).


provides some details about the vulnerability's attack vector.

With that in mind, read the documentation of the command processor's START
builtin command  or


| * When you run a command that contains the string "CMD" as the first token
|   without an extension or path qualifier, "CMD" is replaced with the value
|   of the COMSPEC variable. This prevents users from picking up cmd from
|   the current directory.

This statement is but WRONG: START CMD ... picks a rogue cmd.exe from the CWD!

Demonstration/Proof of concept #1
~

On a default installation of Windows XP or any newer version, start the command
processor CMD.EXE and run the following commands:

CHDIR /D "%TMP%"
COPY "%SystemRoot%\Write.exe" Cmd.exe
SET COMSPEC=
SET PATH=
START CMD /C PAUSE


This weakness is well-known and well-documented: see
,
 and


For some of the well-known attacks see
 and



Now continue with the documentation of the command processor's FOR builtin
command  or


| * Parsing output:
|   You can use the for /f command to parse the output of a command by placing
|   a back-quoted  between the parentheses.

Back-quoted is only correct with FOR /F "UseBackQ" % IN (´´) DO 
...
Without "UseBackQ" the command needs to be placed in single quotes!


| It is treated as a command line, which is passed to a child Cmd.exe.

That too is wrong: if COMSPEC is set, its value is used as file/pathname of the
child process; Cmd.exe is used only if COMSPEC is not set!

Demonstration/Proof of concept #2
~

On a default installation of Windows XP or any newer version, start the command
processor CMD.EXE and run the following commands:

SET COMSPEC=%SystemRoot%\System32\Reg.exe
FOR /F %? IN ('SET') DO @ECHO %?

Evaluating COMSPEC inside the command processor or executing the hard-coded
file Cmd.exe is both clumsy and unsafe!
The command processor can and should determine its own module name instead.


For a third bug and vulnerability see the following undocumented and outright
BRAINDEAD behaviour.

Demonstration/Proof of concept #3
~

On a default installation of Windows XP or any newer version, start the command
processor CMD.EXE and run the following commands:

SET COMSPEC=%SystemRoot%\System32\Reg.exe
ASSOC | CALL
ECHO | FTYPE
SET | More.com
...


Why does the command processor execute the EXTERNAL command specified in the
environment variable COMSPEC to run its builtin INTERNAL commands?


stay tuned, and far away from such blunders
Stefan Kanthak

PS: for more quirks see 


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Three vulnerabilities found in MikroTik's RouterOS

2020-07-24 Thread Q C
Advisory: three vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team


Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as
switches, routers and access points.


Description of vulnerabilities
==

1. Memory corruption vulnerability
The diskd process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the diskd
process due to invalid memory access.

Against stable 6.44.3, the PoC resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: /nova/bin/diskd
2020.06.04-14:18:22.55@0: --- signal=11

2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: eip=0x776cd1db eflags=0x00010202
2020.06.04-14:18:22.55@0: edi=0x08056760 esi=0x08056790 ebp=0x7fd40b78
esp=0x7fd40b6c
2020.06.04-14:18:22.55@0: eax=0x001b ebx=0x776d54ec ecx=0x776d54ec
edx=0x20fe0010
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: maps:
2020.06.04-14:18:22.55@0: 08048000-08052000 r-xp  00:0c 1131
/nova/bin/diskd
2020.06.04-14:18:22.55@0: 77672000-776a7000 r-xp  00:0c 996
   /lib/libuClibc-0.9.33.2.so
2020.06.04-14:18:22.55@0: 776ab000-776c5000 r-xp  00:0c 992
   /lib/libgcc_s.so.1
2020.06.04-14:18:22.55@0: 776c6000-776d5000 r-xp  00:0c 976
   /lib/libuc++.so
2020.06.04-14:18:22.55@0: 776d6000-776de000 r-xp  00:0c 982
   /lib/libubox.so
2020.06.04-14:18:22.55@0: 776df000-7772b000 r-xp  00:0c 978
   /lib/libumsg.so
2020.06.04-14:18:22.55@0: 77731000-77738000 r-xp  00:0c 990
   /lib/ld-uClibc-0.9.33.2.so
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: stack: 0x7fd41000 - 0x7fd40b6c
2020.06.04-14:18:22.55@0: ec 54 6d 77 1b 00 00 00 88 67 05 08 98 0b d4
7f c6 c6 04 08 88 67 05 08 1b 00 00 00 10 00 fe 20
2020.06.04-14:18:22.55@0: 10 00 fe 20 ec 54 6d 77 f0 ea 6d 77 08 0c d4
7f 6d a9 6d 77 88 67 05 08 1b 00 00 00 05 00 00 00
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: code: 0x776cd1db
2020.06.04-14:18:22.55@0: 8b 00 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff
75

This vulnerability was initially found in long-term 6.44.5, and has been
fixed in stable 6.47.

2. NULL pointer dereference vulnerability
The graphing process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the
graphing process due to a NULL pointer dereference.

Against stable 6.46.5, the PoC resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0: /nova/bin/graphing
2020.06.04-15:12:41.47@0: --- signal=11

2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0: eip=0x080521e2 eflags=0x00010202
2020.06.04-15:12:41.47@0: edi=0x080610a0 esi=0x08061cb8 ebp=0x7fa8acd8
esp=0x7fa8acb0
2020.06.04-15:12:41.47@0: eax=0x08061db8 ebx=0x7fa8ad0c ecx=0x
edx=0x08061ce8
2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0: maps:
2020.06.04-15:12:41.47@0: 08048000-0805c000 r-xp  00:0c 1038
/nova/bin/graphing
2020.06.04-15:12:41.47@0: 77651000-77686000 r-xp  00:0c 964
   /lib/libuClibc-0.9.33.2.so
2020.06.04-15:12:41.47@0: 7768a000-776a4000 r-xp  00:0c 960
   /lib/libgcc_s.so.1
2020.06.04-15:12:41.47@0: 776a5000-776b4000 r-xp  00:0c 944
   /lib/libuc++.so
2020.06.04-15:12:41.47@0: 776b5000-776bd000 r-xp  00:0c 950
   /lib/libubox.so
2020.06.04-15:12:41.47@0: 776be000-7770a000 r-xp  00:0c 946
   /lib/libumsg.so
2020.06.04-15:12:41.47@0: 7770d000-77717000 r-xp  00:0c 961
   /lib/libm-0.9.33.2.so
2020.06.04-15:12:41.47@0: 7771c000-77723000 r-xp  00:0c 958
   /lib/ld-uClibc-0.9.33.2.so
2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0: stack: 0x7fa8b000 - 0x7fa8acb0
2020.06.04-15:12:41.47@0: e8 1c 06 08 b8 1d 06 08 00 00 00 00 01 00 00
00 0c ad a8 7f 5b 00 00 00 b8 98 05 08 b8 98 05 08
2020.06.04-15:12:41.47@0: f0 da 6b 77 0c ad a8 7f 28 ad a8 7f 3a bc 6b
77 b8 1c 06 08 0c ad a8 7f 05 00 00 00 a0 10 06 08
2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0: code: 0x80521e2
2020.06.04-15:12:41.47@0: ff 51 04 83 c4 18 6a 5c 53 e8 a0 9c ff ff 8b
56

This vulnerability was initially found in long-term 6.44.6, and has been
fixed in stable 6.47.

3. Stack exhaustion vulnerability
The net process suffers from a stack exhaustion vulnerability. By sending a
crafted packet to the net process, an authenticated remote user can trigger
a stack 
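The two crash dumps above are the only evidence the advisory gives for the first two issues. As an added example that is not part of the advisory, the following Python script parses a backtrace.log record in that format, resolves the faulting eip onto the listed module mappings and lists registers that are zero, which is how a responder would confirm where the diskd fault lies and that the graphing crash is a NULL dereference. The sample records are the advisory's own dumps, abridged, with the mail-wrapped lines re-joined; the record layout (timestamp prefix, a `--- signal=` line, register lines, `maps:`, `code:` followed by the bytes at eip) is inferred from those dumps, and nothing else about the format is assumed.

```python
"""Triage a RouterOS /rw/logs/backtrace.log crash record.
Added example, not part of the advisory: parses a record in the format quoted
above, resolves the faulting eip onto the listed module mappings and reports
registers that are NULL. The layout (timestamp prefix, '--- signal=', register
lines, 'maps:', 'code:' followed by the bytes at eip) is inferred from those
dumps; nothing else about the format is assumed."""
import re

PREFIX_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}-\d{2}:\d{2}:\d{2}\.\d{2}@\d+:\s?(.*)$")
MAP_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+.*?(/\S+)$")
REG_RE = re.compile(r"\b(e[a-z]{2}|eflags)=0x([0-9a-f]*)")
HEX_BYTES_RE = re.compile(r"^(?:[0-9a-f]{2}\s*)+$")

# Taken from the advisory's dumps, abridged, with mail-wrapped lines re-joined.
DISKD_LOG = """\
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: /nova/bin/diskd
2020.06.04-14:18:22.55@0: --- signal=11
2020.06.04-14:18:22.55@0: eip=0x776cd1db eflags=0x00010202
2020.06.04-14:18:22.55@0: edi=0x08056760 esi=0x08056790 ebp=0x7fd40b78 esp=0x7fd40b6c
2020.06.04-14:18:22.55@0: eax=0x001b ebx=0x776d54ec ecx=0x776d54ec edx=0x20fe0010
2020.06.04-14:18:22.55@0: maps:
2020.06.04-14:18:22.55@0: 08048000-08052000 r-xp  00:0c 1131 /nova/bin/diskd
2020.06.04-14:18:22.55@0: 77672000-776a7000 r-xp  00:0c 996 /lib/libuClibc-0.9.33.2.so
2020.06.04-14:18:22.55@0: 776c6000-776d5000 r-xp  00:0c 976 /lib/libuc++.so
2020.06.04-14:18:22.55@0: 776d6000-776de000 r-xp  00:0c 982 /lib/libubox.so
2020.06.04-14:18:22.55@0: stack: 0x7fd41000 - 0x7fd40b6c
2020.06.04-14:18:22.55@0: ec 54 6d 77 1b 00 00 00 88 67 05 08 98 0b d4 7f
2020.06.04-14:18:22.55@0: code: 0x776cd1db
2020.06.04-14:18:22.55@0: 8b 00 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff 75
"""
GRAPHING_LOG = """\
2020.06.04-15:12:41.47@0: /nova/bin/graphing
2020.06.04-15:12:41.47@0: --- signal=11
2020.06.04-15:12:41.47@0: eip=0x080521e2 eflags=0x00010202
2020.06.04-15:12:41.47@0: edi=0x080610a0 esi=0x08061cb8 ebp=0x7fa8acd8 esp=0x7fa8acb0
2020.06.04-15:12:41.47@0: eax=0x08061db8 ebx=0x7fa8ad0c ecx=0x edx=0x08061ce8
2020.06.04-15:12:41.47@0: maps:
2020.06.04-15:12:41.47@0: 08048000-0805c000 r-xp  00:0c 1038 /nova/bin/graphing
2020.06.04-15:12:41.47@0: 77651000-77686000 r-xp  00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-15:12:41.47@0: 776a5000-776b4000 r-xp  00:0c 944 /lib/libuc++.so
2020.06.04-15:12:41.47@0: code: 0x80521e2
2020.06.04-15:12:41.47@0: ff 51 04 83 c4 18 6a 5c 53 e8 a0 9c ff ff 8b 56
"""

def parse_backtrace(text):
    rec = {"binary": None, "signal": None, "regs": {}, "maps": [],
           "code_addr": None, "code": b""}
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw.strip())
        if not m:
            continue
        body = m.group(1).strip()
        if not body:
            continue
        mm = MAP_RE.match(body)
        if rec["binary"] is None and body.startswith("/") and " " not in body:
            rec["binary"] = body                      # crashing executable
        elif body.startswith("--- signal="):
            rec["signal"] = int(body.split("=", 1)[1])
        elif mm:                                      # lo-hi perms ... path
            rec["maps"].append((int(mm[1], 16), int(mm[2], 16), mm[3], mm[4]))
        elif body.startswith("code:"):
            rec["code_addr"] = int(body.split(":", 1)[1].strip(), 16)
        elif rec["code_addr"] is not None and not rec["code"] and HEX_BYTES_RE.match(body):
            rec["code"] = bytes.fromhex(body.replace(" ", ""))  # bytes at eip
        else:
            for name, val in REG_RE.findall(body):
                rec["regs"][name] = int(val, 16) if val else 0  # 'ecx=0x' -> 0
    return rec

def resolve(maps, addr):
    """Map an address onto (path, offset) using the mappings listed in the dump."""
    for lo, hi, _perms, path in maps:
        if lo <= addr < hi:
            return path, addr - lo
    return None

def triage(text):
    rec = parse_backtrace(text)
    eip = rec["regs"].get("eip")
    hit = resolve(rec["maps"], eip) if eip is not None else None
    return {
        "binary": rec["binary"], "signal": rec["signal"],
        "module": hit[0] if hit else None, "offset": hit[1] if hit else None,
        "eip_unmapped": hit is None,   # eip outside every mapping: diverted control flow
        "null_regs": sorted(r for r, v in rec["regs"].items() if v == 0 and r != "eflags"),
        "code": rec["code"][:4].hex(" "),
    }

if __name__ == "__main__":
    for log in (DISKD_LOG, GRAPHING_LOG):
        print(triage(log))
```

For the diskd record the script places eip in /lib/libuc++.so at offset 0x71db with no zero registers; the first bytes at eip, 8b 00, decode to mov eax,[eax] with eax holding 0x1b, which is consistent with the advisory's "invalid memory access". For the graphing record eip lies in /nova/bin/graphing at offset 0xa1e2, ecx is zero, and ff 51 04 decodes to call [ecx+4], an indirect call through a NULL object pointer, which matches the NULL pointer dereference the advisory reports. These decodes are my reading of the bytes, not a statement of the advisory.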

[FD] SEC Consult SA-20200724-0 :: Privilege Escalation Vulnerability in SteelCentral Aternity Agent

2020-07-24 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20200724-0 >
===
              title: Privilege Escalation Vulnerability
            product: SteelCentral Aternity Agent
 vulnerable version: 11.0.0.120
      fixed version:
         CVE number: CVE-2020-15592, CVE-2020-15593
             impact: Critical
           homepage: https://www.riverbed.com/gb/
              found: 2019-12-13
                 by: Eneko Cruz Elejalde (Office Zurich)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com

===

Vendor description:
---
"Riverbed Technology, Inc. is an American information technology company. Its
products consist of software and hardware focused on network performance
monitoring, application performance management, and wide area networks (WANs),
including SD-WAN and WAN optimization."

Source: https://en.wikipedia.org/wiki/Riverbed_Technology


Business recommendation:

It is recommended to update the SteelCentral Aternity Agent to the latest
version available at the time of the update.

SEC Consult recommends performing a thorough security review conducted
by security professionals to identify and resolve all security issues.


Vulnerability overview/description:
---
1) Privilege Escalation Vulnerability
The SteelCentral Aternity agent uses an executable running as a high privileged
Windows service to perform administrative tasks and collect data from other
processes. The SteelCentral Aternity Agent distributes functionality among
different processes and uses IPC (Inter-Process Communication) primitives to
enable the processes to cooperate. Because access security is not properly
implemented upon IPC channels, malicious processes can trick application
processes to perform arbitrary actions.

The SteelCentral Aternity User Experience monitoring solution is therefore
prone to a privilege escalation vulnerability that allows a low privileged
attacker to gain SYSTEM privileges upon execution of a specially crafted
executable file on a target system. This vulnerability has proven exploitable
and a reliable exploit has been developed.

By using such an exploit an attacker could execute arbitrary code with SYSTEM
privileges. An attacker could use SYSTEM privileges to add users, exfiltrate
information and create and remove arbitrary files.

The following individual vulnerabilities have been discovered and chained
together into an exploit (see proof of concept):

 - Insufficient security on InterProcess Communication channels (CVE-2020-15593)
   Any user in the system is allowed to access the interprocess communication
   channel "AternityAgentAssistantIpc", retrieve a serialized object and call
   object methods remotely. Among others, the methods allow any user to:
   - Create and/or overwrite arbitrary XML files across the system
   - Create arbitrary directories across the system
   - Load arbitrary plugins (i.e. CSharp assemblies) from the
     "Program Files (x86)/Aternity Information Systems/Assistant/plugins"
     directory and execute code contained in them

 - Directory traversal on plugin load path resolution (CVE-2020-15592)
   The remotely callable methods from remotable objects available through
   interprocess communication allow loading of arbitrary plugins (i.e. CSharp
   Assemblies) from the
   "Program Files (x86)/Aternity Information Systems/Assistant/plugins"
   directory, where the name of the plugin is passed as part of an
   XML-serialized object. However, because the name of the DLL is concatenated
   with the ".\plugins" string, a directory traversal vulnerability exists in
   the way plugins are resolved.

Combining these two vulnerabilities together, privilege escalation from a
low-privileged user to SYSTEM can be achieved.


Proof of concept:
-
Exploit not provided in this advisory.


Vulnerable / tested versions:
-
The following version has been tested:
* SteelCentral Aternity Agent 11.0.0.120


Vendor contact timeline:

2019-12-16: Contacting vendor through supp...@riverbed.com. Vendor refuses to
discuss vulnerability further without serial number and customer
name, support ticket closed.
2020-01-29: Client supplies vendor contact. Vendor contacted again and technical
details supplied.
2020-01-30: Vendor asks for more details. Further details are provided.
2020-02-06: Vendor provided a remediation procedure to remove the vulnerability
until a permanent fix is provided.
2020-02-19: Contacted vendor and asked for progress on final fix. Vendor is not