The $env:PATH less Traveled is Full of Easy Privilege ... · Matt Graeber Joe Bialek Will ... PATH...
The $env:PATH less Traveled is Full of Easy Privilege Escalation Vulns
Bio
- Security Researcher/Tester (Harris Corp)
- Former Army Red Team Operator
- One of the developers of PowerSploit
- Twitter: @obscuresec
- Blog: www.obscuresec.com
Sucks a lot less now…
Getting even better…
- OneGet
- Chocolatey Nuget
- PSGet
- All of these utilities are great for:
  - Simplifying 3rd-party patching
  - Researching vulnerabilities
  - CTF builders
OneGet
- "OneGet is a new way to discover and install software packages from around the web."
- It lets you "seamlessly install and uninstall packages from one or more repositories with a single PowerShell command."
- OneGet will ship with PowerShell v5
- Pointed to Chocolatey Repo by default
- https://github.com/OneGet/oneget
Chocolatey Nuget
- Package manager and repo server with almost 4 million downloads
- Over 30 contributors
- Microsoft "supported" open-source project
- https://chocolatey.org/
PSGet
Security Review
- Requested to do a review
- Started with one VM
  - Tried to install 1800 chocolatey packages
Well there's your first problem…
Security Review (continued)
- Created 25 Windows 7/8 VMs
  - Scripted installation across them
  - Still 2 blue screens after rebooting
- Scripted submitting hashes to VirusTotal
  - 100 "new" hashes
  - 31 packages with detections
Privilege Escalation
- Used the opportunity to write a new tool
  - looked for common privilege escalation vulns
- %PATH%-based
- File permission based
- Service permission based
- Dll-preloading
  - Found a bunch and could tune with the VMs
- Disclosure sucks
- Most were applications that I had never heard of
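An added audit script, not the speaker's tool, showing the defender-side check behind the "%PATH%-based" class above: it walks the machine-wide PATH and reports entries that low-privilege principals can write to (or that do not exist at all). It assumes Windows PowerShell 3 or later on a Windows host; the well-known SIDs and the GENERIC_WRITE/GENERIC_ALL bit values are standard Windows constants, not taken from the deck.

```powershell
# Added example (not from the talk): flag PATH directories that a standard
# user could plant a binary or DLL into. Services and elevated processes
# resolve against the machine PATH, so that is the value audited here.

$FSR = [System.Security.AccessControl.FileSystemRights]
# Write/Modify/FullControl plus the unmapped GENERIC_WRITE (0x40000000) and
# GENERIC_ALL (0x10000000) bits that some ACEs carry instead of mapped rights.
$WriteMask = [int]$FSR::Write -bor [int]$FSR::Modify -bor [int]$FSR::FullControl -bor 0x40000000 -bor 0x10000000

# Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE: an Allow-write
# ACE for any of these on a PATH directory is a finding. SIDs keep it
# locale-independent; they are translated to names for comparison with ACEs.
$LowPrivIdentities = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4') |
    ForEach-Object {
        $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $_
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    }

function Test-PathEntry {
    param([string]$Directory)
    # A missing directory is also worth a look: if its parent lets a user
    # create it, that user effectively owns the PATH entry.
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        return [pscustomobject]@{ Path = $Directory; Identity = ''; Issue = 'Missing directory' }
    }
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            return [pscustomobject]@{ Path = $Directory; Identity = $ace.IdentityReference.Value; Issue = 'Writable' }
        }
    }
    return $null
}

$MachinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$Findings = $MachinePath -split ';' | Where-Object { $_.Trim() } |
    ForEach-Object { Test-PathEntry $_.Trim() } | Where-Object { $_ }
$Findings | Format-Table -AutoSize
```

Entries reported as Writable are the ones to fix by tightening the ACL or removing them from the system PATH; Deny ACEs are not evaluated, so confirm a finding with icacls before acting on it.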
Repository Servers
- Must be trusted
- Chocolatey repository is the most popular
  - Allows contributions from non-developers
  - Must be enabled in OneGet
- The package managers inherit vulnerabilities from the repo server
Chocolatey Packages
The $env:PATH
PSv3 uses the PATH…
So a user can…
I see what you did there…
Before the fix…
Demo Time
Thanks
- Matt Graeber
- Joe Bialek
- Will Schroeder
- Will Peteroy
- Lee Holmes
- Many others…
Questions?