Steam Code Execution – Privilege Escalation to SYSTEM (Part 2) – codeinsecurity
source link: https://codeinsecurity.wordpress.com/2013/10/11/steam-code-execution-privilege-escalation-to-system/

Steam Code Execution – Privilege Escalation to SYSTEM (Part 2)
In my previous post I talked about a vulnerability in Steam which allows you to bypass UAC. I’m going to be totally transparent here: I fucked up. I wrote the draft post a few days back, then did some more work on the vulnerability. I discovered something much more serious in the process. I posted last night’s blog post at 1am, tired as hell, and in my sleep-deprived state I completely neglected to update it properly, and there are several mistakes and bits of missing information. The draft went out and confused a lot of people. So, for that, I apologise. I’m going to leave it there so people can see it, because it’ll remind me not to do that next time.
Now, onto the real impact of the vulnerability: I can leverage it to gain code execution as SYSTEM. How? Well, it turns out that Steam.exe gives itself one unusual privilege – the privilege to debug other processes. This is called SeDebugPrivilege, and one of its features is that it allows the process to bypass the access control lists (ACLs) on process objects when you call OpenProcess, i.e. the process can open a handle to any process it likes, with any access rights it likes.
Here’s how you can elevate to SYSTEM when you have SeDebugPrivilege:
- Open a handle to a process that is running as SYSTEM, with PROCESS_ALL_ACCESS as the access flag.
- Use VirtualAllocEx to allocate a block of memory in the remote process, with the executable flag set.
- Use WriteProcessMemory to copy a block of shellcode into that memory buffer.
- Use CreateRemoteThread to create a new thread in the remote process, whose start address is the base address of the memory allocation.
- Bingo! You just got a privesc to SYSTEM.
In this case, once you’ve got code execution inside Steam, you can utilise this trick to escalate yourself to SYSTEM. There’s your privesc vuln.
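The condition that makes this chain work is a user-level process holding SeDebugPrivilege in its token, so the first thing an administrator wants is a way to find such processes on a machine. The PowerShell script below is an added example, not code from the original post or from Valve: the TokenPriv helper class and its Get method are my own names, and it uses only documented Win32 calls (OpenProcess, OpenProcessToken, GetTokenInformation, LookupPrivilegeName). It opens every process it is allowed to query and reports those whose token contains SeDebugPrivilege, whether enabled or merely present.

```powershell
# Audit which running processes hold SeDebugPrivilege in their token.
# Added example; not from the original post. Run from an elevated prompt so
# that PROCESS_QUERY_LIMITED_INFORMATION succeeds on processes of other users.

$src = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;

public static class TokenPriv {   // hypothetical helper name
    [DllImport("kernel32.dll", SetLastError=true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError=true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError=true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr info, int len, out int ret);
    [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
    static extern bool LookupPrivilegeName(string sys, ref long luid, StringBuilder name, ref int cch);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr h);

    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_QUERY = 0x0008;
    const int  TokenPrivileges = 3;          // TOKEN_INFORMATION_CLASS value
    const uint SE_PRIVILEGE_ENABLED = 0x2;

    // Returns "Name:Enabled|Disabled" for each privilege in the process token,
    // or null when the process cannot be opened (protected process, exited, access denied).
    public static List<string> Get(int pid) {
        IntPtr proc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (proc == IntPtr.Zero) return null;
        IntPtr tok;
        if (!OpenProcessToken(proc, TOKEN_QUERY, out tok)) { CloseHandle(proc); return null; }
        int len;
        GetTokenInformation(tok, TokenPrivileges, IntPtr.Zero, 0, out len);   // size query
        IntPtr buf = Marshal.AllocHGlobal(len);
        var result = new List<string>();
        try {
            if (GetTokenInformation(tok, TokenPrivileges, buf, len, out len)) {
                // TOKEN_PRIVILEGES: DWORD PrivilegeCount, then LUID_AND_ATTRIBUTES[] (8-byte LUID + 4-byte flags)
                int count = Marshal.ReadInt32(buf);
                for (int i = 0; i < count; i++) {
                    long luid = Marshal.ReadInt64(buf, 4 + i * 12);
                    uint attr = (uint)Marshal.ReadInt32(buf, 4 + i * 12 + 8);
                    var sb = new StringBuilder(64);
                    int cch = sb.Capacity;
                    if (LookupPrivilegeName(null, ref luid, sb, ref cch))
                        result.Add(sb.ToString() + ":" + ((attr & SE_PRIVILEGE_ENABLED) != 0 ? "Enabled" : "Disabled"));
                }
            }
        } finally {
            Marshal.FreeHGlobal(buf);
            CloseHandle(tok);
            CloseHandle(proc);
        }
        return result;
    }
}
'@
Add-Type -TypeDefinition $src

$suspect = 'SeDebugPrivilege'
foreach ($p in Get-Process) {
    $privs = [TokenPriv]::Get($p.Id)
    if ($null -eq $privs) { continue }      # could not open the process; skip it
    $hit = $privs | Where-Object { $_ -like "${suspect}:*" }
    if ($hit) {
        [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Privilege = $hit }
    }
}
```

Both states are reported because a process whose token merely contains the privilege can enable it for itself with AdjustTokenPrivileges; from a defender's point of view the presence of SeDebugPrivilege in a non-system application's token is the finding, and the output for an application like Steam, running under the user's own account, is what to compare against the behaviour described above.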