EE 4GEE Mini Local Privilege Escalation Vulnerability (CVE-2018-14327)

I brought a 4G modem from EE to browser internet when Iā€™m outside. Itā€™s a portable 4G WiFi mobile broadband modem as seen below.

You can find this 4G modem from these websites:

One day I had a look at my services installed on my computer for troubleshooting a problem and I saw a strange service named ā€œAlcatel OSPREY3_MINI Modem Device Helperā€. I was wondering how this was installed, and then I figured that itā€™s my modem service from the EE 4G WiFi modem. Then after a bit of Googling, I realized that the modem was manufactured by Alcatel. I had a look at the service installed just for curiosity and found that that there is an unquoted service path vulnerability.

[code language=”text” highlight=”8″]
C:\>sc qc "Alcatel OSPREY3_MINI Modem Device Helper"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Alcatel OSPREY3_MINI Modem Device Helper
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

[/code]

But you canā€™t directly write files because of folder permissions. I first thought this issue is useless to be reported. But just to be sure I had a look at the folder permissions of the ā€œEE40ā€ folder and W00t! It had been set to ā€œEveryone:(OI)(CI)(F)ā€ which means any user can read, write, execute, create, delete do anything inside that folder and itā€™s subfolders. The ACL rules had OI ā€“ Object Inherit and CI ā€“ Container Inherit which means all the files in this folder and subfolders have full permissions.
(more…)

Haxing Minesweeper

Recently I tweeted a screenshot where I won the Minesweeper game by looking at the mine field from the memory. I posted this for no reason, just for fun since I was happy that I finally won this game. I used to play this game back in 2002 in Windows XP and I never won this game, I never even understood how this game works until today when I read how it really works šŸ˜€
[tweet https://twitter.com/OsandaMalith/status/975488775815094273]

In few minutes my notifications were flooded, I didnā€™t expect to get this much of likes. Some people asked me a tutorial on this. I thought of writing a very quick blog post on this. Pardon me if I missed anything.
(more…)

MySQL UDF Exploitation

Overview

In the real world, while I was pentesting a financial institute I came across a scenario where they had an internal intranet and it was using MySQL 5.7 64-bit as the backend database technology. Most of the time the I encounter MSSQL in most cooperate environments, but this was a rare case. I found SQL injection in the web application and I was able to dump the username and password from the mysql.user and I realized it had privileges to write files to disk. This lead me into writing a post and sharing techniques in injecting a UDF library to MySQL and gaining code execution and popping a shell in Windows. When I Googled most techniques are a bit vague when it comes to Windows. So, I thought of writing this post with my own research to clear things and make you understand few tricks you can use to do this manually.

I will be hosting the latest MySQL 5.7.21 latest community server by the time I am blogging this, in one machine. To reproduce the scenario, I am running the mysqld server with ā€˜–secure-file-priv=ā€™ parameter set to blank. In this scenario I was able to retrieve the username and password from the mysql.user table using a union based injection in the intranet. Note that in MySQL 5.7 and above the column ā€˜passwordā€™ doesnā€™t exists. They have changed it to ā€˜authentication_stringā€™.

# MySQL 5.6 and below
select host, user, password from mysql.user;
# MySQL 5.7 and above
select host, user, authentication_string from mysql.user;

Note that you can use the metasploitā€™s mysql_hashdump.rb auxiliary module to dump the MySQL hashes if you already have the credentials. By the time I am writing this blog post the script needed to be updated to extract in MySQL 5.7 you can check my pull request here

The host column for the user ā€˜osandaā€™ allows connections from 192.168.0.*, which means we can use this user for remote connections from that IP range. I cracked password hash and got the plain text password.
(more…)

Exploiting Format Strings in Windows

I thought of making a small challenge in exploiting format strings in Windows. This is how it looks, it asks for a filename to open. At first this might be a bit confusing. Thereā€™s no vulnerable functions in reading a file. You can see that our first argument to the program is echoed back in the program.

Letā€™s investigate this inside a debugger. As you can see if argc == 2 the application continues the flow and argv[1] is passed into that function highlighted.



(more…)

Beagle – Find vulnerabilities in your websites easily

I came across a new scanner named Beagle. This scanner really crawls fast compared to the other scanners I have experienced. It’s faster in detecting vulnerabilities. Takes less CPU power.

An example of reporting vulnerabilities, you can choose different formats. For example, this is in PDF. Check here for sample reports generated by Beagle.

Features

(more…)

Detecting Architecture in Windows

After a while I thought of posting something interesting I noticed. Some of you know this old method of detecting the architecture using the CS segment register. This was also used in the Kronos malware

[code language=”C”]
xor eax,eax
mov ax,cs
shr eax,5
[/code]

I had a look at the segment registers last night and I found out that we can use ES, GS and FS segment registers for detecting the architecture as well.

Using ES

[code language=”C”]
; Author : @OsandaMalith
main:
xor eax,eax
mov ax,es
ror ax, 0x3
and eax,0x1
test eax, eax
je thirtytwo
invoke MessageBox,0, ‘You are Running 64-bit’, ‘Architecture’, MB_OK + MB_ICONINFORMATION
jmp exit

thirtytwo:
invoke MessageBox,0, ‘You are Running 32-bit’, ‘Architecture’, MB_OK + MB_ICONINFORMATION

exit:
invoke ExitProcess, 0

[/code]
(more…)

A Basic RSA Encrypter

This is a small post about implementing a basic RSA encrypter to encrypt sections in an exe. We can use this to exchange exes with people. We will encrypt the section using the public key and the user has to use his private key to decrypt the exe. This can be applied in evading anti-viruses too.
I will use multiplication instead of an exponent. Since it would be easy to implement in few lines in assembly. However, this will allow breaking the private key easily hence the complete scheme is broken.

[latexpage]Enc = (m*e) \text{ mod } N&bg=FFFFFF&s=1[/latexpage]

$latex Dec = (c*d) \text{ mod } N$

The correctness of this scheme depends on the fact that

$latex Dec(Enc(m)) = (m*e*d) \text{ mod } N = m \text{ mod } N&bg=FFFFFF&s=1$

(more…)

eLearnSecurity Courses

With the competitiveness of the infosec industry, security training is definitely needed. Let me share my story. Back in 2013 I heard about eLearnSecurity. Those days the only courses was Penetration Testing Professional and Penetration Testing Student. But I didnā€™t have enough money to sign up since I was 16 years old. With the pocket money I had, I signed up for the Penetration Testing Student course since I was curious about the material. I was amazed by their teaching techniques. Everything was so clearly written. After that I had to enter university and I had no time to concentrate on the things I like to do. Gradually eLearnSecurity started developing specialized courses starting from Web Application Penetration Testing and next came the Extreme edition of this. Meanwhile, they launched a course on reverse engineering too which I was really surprised to see that course since it was the first ever course I saw on reverse engineering.
(more…)

Windows Kernel Exploitation ā€“ Null Pointer Dereference

Today Iā€™m sharing on exploiting the null pointer dereference vulnerability present in the HackSysExtreme Vulnerable Driver.

The Vulnerability

You can view the source from here.
[code language=”C” highlight=”42,58,73″]
NTSTATUS TriggerNullPointerDereference(IN PVOID UserBuffer) {
ULONG UserValue = 0;
ULONG MagicValue = 0xBAD0B0B0;
NTSTATUS Status = STATUS_SUCCESS;
PNULL_POINTER_DEREFERENCE NullPointerDereference = NULL;

PAGED_CODE();

__try {
// Verify if the buffer resides in user mode
ProbeForRead(UserBuffer,
sizeof(NULL_POINTER_DEREFERENCE),
(ULONG)__alignof(NULL_POINTER_DEREFERENCE));

// Allocate Pool chunk
NullPointerDereference = (PNULL_POINTER_DEREFERENCE)
ExAllocatePoolWithTag(NonPagedPool,
sizeof(NULL_POINTER_DEREFERENCE),
(ULONG)POOL_TAG);

if (!NullPointerDereference) {
// Unable to allocate Pool chunk
DbgPrint("[-] Unable to allocate Pool chunk\n");

Status = STATUS_NO_MEMORY;
return Status;
}
else {
DbgPrint("[+] Pool Tag: %s\n", STRINGIFY(POOL_TAG));
DbgPrint("[+] Pool Type: %s\n", STRINGIFY(NonPagedPool));
DbgPrint("[+] Pool Size: 0x%X\n", sizeof(NULL_POINTER_DEREFERENCE));
DbgPrint("[+] Pool Chunk: 0x%p\n", NullPointerDereference);
}

// Get the value from user mode
UserValue = *(PULONG)UserBuffer;

DbgPrint("[+] UserValue: 0x%p\n", UserValue);
DbgPrint("[+] NullPointerDereference: 0x%p\n", NullPointerDereference);

// Validate the magic value
if (UserValue == MagicValue) {
NullPointerDereference->Value = UserValue;
NullPointerDereference->Callback = &NullPointerDereferenceObjectCallback;

DbgPrint("[+] NullPointerDereference->Value: 0x%p\n", NullPointerDereference->Value);
DbgPrint("[+] NullPointerDereference->Callback: 0x%p\n", NullPointerDereference->Callback);
}
else {
DbgPrint("[+] Freeing NullPointerDereference Object\n");
DbgPrint("[+] Pool Tag: %s\n", STRINGIFY(POOL_TAG));
DbgPrint("[+] Pool Chunk: 0x%p\n", NullPointerDereference);

// Free the allocated Pool chunk
ExFreePoolWithTag((PVOID)NullPointerDereference, (ULONG)POOL_TAG);

// Set to NULL to avoid dangling pointer
NullPointerDereference = NULL;
}

#ifdef SECURE
// Secure Note: This is secure because the developer is checking if
// ‘NullPointerDereference’ is not NULL before calling the callback function
if (NullPointerDereference) {
NullPointerDereference->Callback();
}
#else
DbgPrint("[+] Triggering Null Pointer Dereference\n");

// Vulnerability Note: This is a vanilla Null Pointer Dereference vulnerability
// because the developer is not validating if ‘NullPointerDereference’ is NULL
// before calling the callback function
NullPointerDereference->Callback();
#endif
}
__except (EXCEPTION_EXECUTE_HANDLER) {
Status = GetExceptionCode();
DbgPrint("[-] Exception Code: 0x%X\n", Status);
}

return Status;
}
[/code]

As usual, everything is clearly explained in the source. At line 42 the ā€˜userValueā€™ is compared with the value ā€˜0xBAD0B0B0ā€™ and if it fails at line 58 the ā€˜NullPointerDereferenceā€™ value is set to NULL and at line 73 the value ā€˜NullPointerDereferenceā€™ is not validated whether itā€™s NULL before calling the callback function.

Letā€™s disassemble and see it closely. As you can see, if the provided ā€˜MagicValueā€™ is wrong the value of ā€˜NullPointerDereferenceā€™ is set to NULL to avoid the dangling pointer.
(more…)

Windows Kernel Exploitation – Arbitrary Overwrite

Today Iā€™m sharing what I learned on developing an exploit for the arbitrary overwrite vulnerability present in the HackSysExtreme Vulnerable Driver. This is also known as the ā€œwrite-what-whereā€ vulnerability. You can refer to my previous postĀ on exploiting the stack overflow vulnerability and the analysis of the shellcode.

The Vulnerability

You can check the source from here

[code language=”C” highlight=”37″]
NTSTATUS TriggerArbitraryOverwrite(IN PWRITE_WHAT_WHERE UserWriteWhatWhere) {
PULONG What = NULL;
PULONG Where = NULL;
NTSTATUS Status = STATUS_SUCCESS;

PAGED_CODE();

__try {
// Verify if the buffer resides in user mode
ProbeForRead((PVOID)UserWriteWhatWhere,
sizeof(WRITE_WHAT_WHERE),
(ULONG)__alignof(WRITE_WHAT_WHERE));

What = UserWriteWhatWhere->What;
Where = UserWriteWhatWhere->Where;

DbgPrint("[+] UserWriteWhatWhere: 0x%p\n", UserWriteWhatWhere);
DbgPrint("[+] WRITE_WHAT_WHERE Size: 0x%X\n", sizeof(WRITE_WHAT_WHERE));
DbgPrint("[+] UserWriteWhatWhere->What: 0x%p\n", What);
DbgPrint("[+] UserWriteWhatWhere->Where: 0x%p\n", Where);

#ifdef SECURE
// Secure Note: This is secure because the developer is properly validating if address
// pointed by ‘Where’ and ‘What’ value resides in User mode by calling ProbeForRead()
// routine before performing the write operation
ProbeForRead((PVOID)Where, sizeof(PULONG), (ULONG)__alignof(PULONG));
ProbeForRead((PVOID)What, sizeof(PULONG), (ULONG)__alignof(PULONG));

*(Where) = *(What);
#else
DbgPrint("[+] Triggering Arbitrary Overwrite\n");

// Vulnerability Note: This is a vanilla Arbitrary Memory Overwrite vulnerability
// because the developer is writing the value pointed by ‘What’ to memory location
// pointed by ‘Where’ without properly validating if the values pointed by ‘Where’
// and ‘What’ resides in User mode
*(Where) = *(What);
#endif
}
__except (EXCEPTION_EXECUTE_HANDLER) {
Status = GetExceptionCode();
DbgPrint("[-] Exception Code: 0x%X\n", Status);
}

return Status;
}
[/code]

Everything is well explained in the source code. Basically the ā€˜whereā€™ and ā€˜whatā€™ pointers are not validated whether they are located in userland. Due to this we can overwrite an arbitrary kernel address with an arbitrary value.
(more…)