Saturday, 17 May 2014

Old Doesn't Mean Useless (Priv Escalation)

I have what you could describe as 'geeky' friends - so geeky, that one of them set me a challenge. I'm in the process of relocating and, as I'm without internet access, my friend offered me his - but only if I could beat his challenge. After making my way to his house, I was greeted at the door by a grin and a laptop. The laptop was running Windows 7 64-bit. My mission, should I choose to accept it, was to gain root access.

All I had was a standard user account called 'local' and an Administrator account called 'Simon' - but I didn't know the password for this (see screenshot below).



I checked the machine for any signs of Windows updates - and it looked as if the system had been installed and no updates had been downloaded, though the Administrator had installed AVG anti-virus 2014 - which I thought would destroy any hopes of downloading code and executing it on the machine - or would it? Now I'd posed the question, I wanted to test my theory. For those of you who have a better memory than me, you'll remember CVE-2010-3888 - which was a 0-day exploit. Apparently the Stuxnet worm was using this to elevate privileges.

I, however, didn't remember it; after a few minutes of Google searching, I figured it would be worth a shot. My main worry was that AVG 2014 would detect it and my friend would laugh at my feeble attempt. So, I proceeded to download the code and take some screenshots along the way.

To my amazement, AVG 2014 didn't flag the file once it had downloaded onto the desktop. As you can see in the screenshot below, I used 'cscript <script>' to run the file and it ran through with no errors.


I then checked to see whether an administrator account had been created and it had.


More proof:


I scanned the file with AVG 2014 and it wasn't detected!


Now, this exploit is 4 years old at the time of writing - in the real world, most, if not all, machines will be patched, but it brings up an important thing to note: having an anti-virus DOESN'T mean you're protected, even if the exploit is old. I personally use Vipre Anti-virus when I'm using a Windows machine, and I did check: Vipre does pick up this code. This isn't to say AVG 2014 is bad; a lot of anti-virus software doesn't pick up this particular script (according to the results from VirusTotal, where just 17/52 AVs picked up this malicious code!).


Until next time...
