
Thursday, March 22, 2018

[FD] Kaseya AgentMon.exe <= 9.3.0.11 - Local Privilege Escalation

Hey,

A Local Privilege Escalation vulnerability was found in the Kaseya Virtual System Administrator (VSA) [1] agent "AgentMon.exe". The agent is a Windows service that periodically executes various programs with "NT AUTHORITY\SYSTEM" privileges.

In Kaseya's default configuration, Windows users who belong to the "Authenticated Users" group can modify files residing in the agent's working and temporary directories, e.g.:

- "HKLM\SOFTWARE\Kaseya\Agent\...\TempPath"
- "C:\Temp"
- "C:\kworking"

The list of executables that are stored in these directories and run by the agent includes, but is not limited to:

- "C:\kworking\NetUserStateAudit.exe"
- "C:\kworking\KLicense.exe"
- "C:\Temp\kwami.dll"

Before running these executables, the VSA agent checks whether the files have been modified and, if they have, restores them to their known-good originals. However, this check-then-execute sequence suffers from a Time of Check / Time of Use (TOCTOU) race: a low-privileged user who replaces the file after the agent has verified (or restored) it, but before the agent executes it, gets their own executable run with "NT AUTHORITY\SYSTEM" privileges.

The PoC exploiting this vulnerability is included below. The PoC is an Empire module (http://ift.tt/2oJReqM) and currently supports exploitation by replacing one of the following files:

- "C:\kworking\NetUserStateAudit.exe" ($exe in PoC)
- "C:\Temp\kwami.dll" ($dll in PoC)
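As an added example (not code from the advisory, from the Empire module, or from Kaseya), the following PowerShell script checks whether a host exposes the precondition the attack relies on: a low-privileged principal holding write access on a directory the agent executes from. It assumes the default paths named above ("C:\kworking" and "C:\Temp"); because the advisory elides the subkey under HKLM\SOFTWARE\Kaseya\Agent that holds "TempPath", the script searches every subkey, and also looks under WOW6432Node on the assumption that the agent may be a 32-bit process on 64-bit Windows. Run it as an ordinary user: reading directory ACLs and these registry keys needs no elevation.

```powershell
# Added example (not part of the advisory or Kaseya's software): audit whether the
# directories the VSA agent executes from are writable by low-privileged principals.
# Assumptions: default paths C:\kworking and C:\Temp from the advisory; the TempPath
# value lives in some subkey under HKLM\SOFTWARE\Kaseya\Agent (exact subkey not given,
# so all subkeys are searched), possibly under WOW6432Node for a 32-bit agent.

$candidatePaths = [System.Collections.Generic.List[string]]@('C:\kworking', 'C:\Temp')

$agentKeys = @('HKLM:\SOFTWARE\Kaseya\Agent', 'HKLM:\SOFTWARE\WOW6432Node\Kaseya\Agent')
foreach ($key in $agentKeys) {
    if (-not (Test-Path $key)) { continue }
    # Walk the key itself and all subkeys looking for a TempPath value.
    $keys = @(Get-Item $key) + @(Get-ChildItem $key -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        $tempPath = (Get-ItemProperty -Path $k.PSPath -Name TempPath -ErrorAction SilentlyContinue).TempPath
        if ($tempPath) { $candidatePaths.Add($tempPath) }
    }
}

# Principals every local, non-admin interactive user is a member of by default.
$lowPrivPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a user replace or alter a file in the directory,
# which is all the TOCTOU race needs.
$FSR = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($FSR::FullControl -bor $FSR::Modify -bor $FSR::Write -bor
                   $FSR::WriteData -bor $FSR::AppendData -bor $FSR::Delete -bor
                   $FSR::DeleteSubdirectoriesAndFiles -bor $FSR::WriteAttributes)
# Generic rights (GENERIC_ALL = 0x10000000, GENERIC_WRITE = 0x40000000) show up in
# some ACEs as raw numbers rather than named FileSystemRights; include them too.
$writeMask = $writeMask -bor 0x10000000 -bor 0x40000000

$findings = foreach ($path in ($candidatePaths | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $acl = Get-Acl -LiteralPath $path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    Write-Warning "Low-privileged principals can write to directories the agent executes from:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No low-privileged write access found on the checked directories."
}
```

A caveat when reading the output: a directory created directly under C:\ inherits the volume root's default ACE granting "Authenticated Users" Modify on subfolders and files, so a finding with Inherited = True on "C:\kworking" or "C:\Temp" is the expected state unless the installer or an administrator explicitly removed that inheritance. The script only reports the precondition; it does not tell you whether the installed agent still has the race, so treat a hit as a reason to check the agent version against the advisory and to tighten the directory ACLs, not as proof of exploitability.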

Source: Gmail -> IFTTT -> Blogger
