+ All Categories
Home > Documents > The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH...

The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH...

Date post: 22-May-2018
Category:

Documents
Upload: haminh
View: 215 times
Download: 1 times
Download Report this document
Share this document with a friend
22
The $env:PATH less Traveled is Full of Easy Privilege Escalation Vulns
Transcript
Page 1: The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH less Traveled is Full of Easy Privilege Escalation Vulns, ... DEF CON, Hacker, Security

The�$env:PATH less�Traveled�is�Full�of�Easy�Privilege�Escalation�Vulns

Page 2: The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH less Traveled is Full of Easy Privilege Escalation Vulns, ... DEF CON, Hacker, Security

Bio

� Security�Researcher/Tester�(Harris�Corp)� Former�Army�Red�Team�Operator� One�of�the�developers�of�PowerSploit� Twitter:�@obscuresec� Blog:�www.obscuresec.com

Page 3: The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH less Traveled is Full of Easy Privilege Escalation Vulns, ... DEF CON, Hacker, Security
Page 4: The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH less Traveled is Full of Easy Privilege Escalation Vulns, ... DEF CON, Hacker, Security

Sucks�a�lot�less�now…

Page 5: The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH less Traveled is Full of Easy Privilege Escalation Vulns, ... DEF CON, Hacker, Security

Getting�even�better…

� OneGet� Chocolatey�Nuget� PSGet

� All�of�these�utilities�are�great�for:± Simplifying�3rdͲparty�patching± Researching�vulnerabilities± CTF�builders

Page 6: The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH less Traveled is Full of Easy Privilege Escalation Vulns, ... DEF CON, Hacker, Security

OneGet

� “OneGet is�a�new�way�to�discover�and�install�software�packages�from�around�the�web.”

� It�lets�you�“seamlessly�install�and�uninstall�packages�from�one�or�more�repositories�with�a�single�PowerShell�command.”

� OneGet will�ship�with�PowerShell�v5� Pointed�to�Chocolatey�Repo�by�default� https://github.com/OneGet/oneget

Page 7: The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH less Traveled is Full of Easy Privilege Escalation Vulns, ... DEF CON, Hacker, Security

Chocolatey�Nuget

� Package�manager�and�repo�server�with�almost�4�million�downloads

� Over�30�contributors� Microsoft�“supported”�openͲsource�project� https://chocolatey.org/

Page 8: The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH less Traveled is Full of Easy Privilege Escalation Vulns, ... DEF CON, Hacker, Security

PSGet

Page 9: The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH less Traveled is Full of Easy Privilege Escalation Vulns, ... DEF CON, Hacker, Security

Security�Review

� Requested�to�do�a�review� Started�with�one�VM

± Tried�to�install�1800�chocolatey packages

Page 10: The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH less Traveled is Full of Easy Privilege Escalation Vulns, ... DEF CON, Hacker, Security

Well�there’s�your�first�problem…

Page 11: The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH less Traveled is Full of Easy Privilege Escalation Vulns, ... DEF CON, Hacker, Security

Security�Review�(continued)

� Created�25�Windows�7/8�VMs± Scripted�installation�across�them± Still�2�blue�screens�after�rebooting

� Scripted�submitting�hashes�to�VirusTotal± 100�“new”�hashes�± 31�packages�with�detections

Page 12: The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH less Traveled is Full of Easy Privilege Escalation Vulns, ... DEF CON, Hacker, Security

Privilege�Escalation

� Used�the�opportunity�to�write�a�new�tool± looked�for�common�privilege�escalation�vulns

� %PATH%Ͳbased� File�permission�based� Service�permission�based� DllͲpreloading

± Found�a�bunch�and�could�tune�with�the�VMs� Disclosure�sucks� Most�were�applications�that�I�had�never�heard�of

Page 13: The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH less Traveled is Full of Easy Privilege Escalation Vulns, ... DEF CON, Hacker, Security

Repository�Servers

� Must�be�trusted� Chocolatey�repository�is�the�most�popular

± Allows�contributions�from�nonͲdevelopers±Must�be�enabled�in�OneGet

� The�package�managers�inherit�vulnerabilities�from�the�repo�server

Page 14: The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH less Traveled is Full of Easy Privilege Escalation Vulns, ... DEF CON, Hacker, Security

Chocolatey�Packages

Page 15: The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH less Traveled is Full of Easy Privilege Escalation Vulns, ... DEF CON, Hacker, Security

The�$env:PATH

Page 16: The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH less Traveled is Full of Easy Privilege Escalation Vulns, ... DEF CON, Hacker, Security

PSv3�uses�the�PATH…

Page 17: The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH less Traveled is Full of Easy Privilege Escalation Vulns, ... DEF CON, Hacker, Security

So�a�user�can…

Page 18: The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH less Traveled is Full of Easy Privilege Escalation Vulns, ... DEF CON, Hacker, Security

I�see�what�you�did�there…

Page 19: The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH less Traveled is Full of Easy Privilege Escalation Vulns, ... DEF CON, Hacker, Security

Before�the�fix…

Page 20: The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH less Traveled is Full of Easy Privilege Escalation Vulns, ... DEF CON, Hacker, Security

Demo�Time

Page 21: The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH less Traveled is Full of Easy Privilege Escalation Vulns, ... DEF CON, Hacker, Security

Thanks

� Matt�Graeber� Joe�Bialek� Will�Schroeder� Will�Peteroy� Lee�Holmes� Many�others…

Page 22: The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH less Traveled is Full of Easy Privilege Escalation Vulns, ... DEF CON, Hacker, Security

Questions?


Recommended
Road Less Traveled

Road Less Traveled

Education

"The Road Less Traveled"

"The Road Less Traveled"

Documents

Erik Cabetas An Overview of Interpreted Language Vulns.

Erik Cabetas An Overview of Interpreted Language Vulns.

Documents

Rooting your internals - Exploiting Internal Network Vulns via the Browser Using BeEF Bind

Rooting your internals - Exploiting Internal Network Vulns via the Browser Using BeEF Bind

Technology

Lawful Hacking: Wiretapping via Internet Vulns

Lawful Hacking: Wiretapping via Internet Vulns

Documents

Backpacking Guide for the Less Traveled Trails€¦  · Web viewLess Traveled Trails, LLC. Santa Fe, NM. Less Traveled Trails, LLC. Santa Fe, NM. Less Traveled Trails, LLC. Santa

Backpacking Guide for the Less Traveled Trails€¦  · Web viewLess Traveled Trails, LLC. Santa Fe, NM. Less Traveled Trails, LLC. Santa Fe, NM. Less Traveled Trails, LLC. Santa

Documents

Speed is the distance traveled divided by time. Speed= distance traveled/time taken.

Speed is the distance traveled divided by time. Speed= distance traveled/time taken.

Documents

Rios (2013) medical device vulns

Rios (2013) medical device vulns

Business

A Road Rarely Traveled

A Road Rarely Traveled

Documents

ATTORNEY -CLIENT PRIVILEGE Confidential information AC Privilege rev.pdfattorney-client privilege, which include: Death of a Client – Traditional rule is that privilege survives

ATTORNEY -CLIENT PRIVILEGE Confidential information AC Privilege rev.pdfattorney-client privilege, which include: Death of a Client – Traditional rule is that privilege survives

Documents

Security mgt track turner-aaron-11am-.issa-la.mobile vulns.150529

Security mgt track turner-aaron-11am-.issa-la.mobile vulns.150529

Technology

20191025 - Windows Privilege Escalation Tricks€¦ · privilege escalation –There are FAR more misconfigurations than vulns –Vulns will be detected and patched by Nessus, Nexpose,

20191025 - Windows Privilege Escalation Tricks€¦ · privilege escalation –There are FAR more misconfigurations than vulns –Vulns will be detected and patched by Nessus, Nexpose,

Documents

THE UNFORTUNATE REALITY OF INSECURE LIBRARIES OWASP Libraries.pdf · What’s More Secure: Vulns or No Vulns? Library A Library B CVE-2007-1234 OSVDB 12345 OSVDB 31337 CVE-2009-5678

THE UNFORTUNATE REALITY OF INSECURE LIBRARIES OWASP Libraries.pdf · What’s More Secure: Vulns or No Vulns? Library A Library B CVE-2007-1234 OSVDB 12345 OSVDB 31337 CVE-2009-5678

Documents

Our Road Traveled

Our Road Traveled

Lifestyle

Exploiting Internal Network Vulns via the Browser Using ...€¦ · Exploiting Internal Network Vulns via the Browser Using BeEF Bind Michele Orru Ty Miller RuxCon 2012. Ty Miller

Exploiting Internal Network Vulns via the Browser Using ...€¦ · Exploiting Internal Network Vulns via the Browser Using BeEF Bind Michele Orru Ty Miller RuxCon 2012. Ty Miller

Documents

Places I Have Traveled

Places I Have Traveled

Travel

Roads Less Traveled

Roads Less Traveled

Documents

Legal professional privilege. A review of law and …content.linklaters.com/pdfs/pdfns/Linklaters_Privilege_comparative... · Legal professional privilege. ... however, privilege

Legal professional privilege. A review of law and …content.linklaters.com/pdfs/pdfns/Linklaters_Privilege_comparative... · Legal professional privilege. ... however, privilege

Documents