A little gift to all the pentesters out there...
All versions of Windows Server from 2008 R2 to 2019 are prone to a DLL hijacking in the %PATH% directories.
Run as SYSTEM
No reboot required
Can be triggered by a normal user on demand
https://itm4n.github.io/windows-server-netman-dll-hijacking/
I think there are a lot of DLL hijacking bugs from %path%. But m$ says that these bugs are not vulns.
Anyway... Nice one.
Cool! Could you share the ones you found?
I've spent countless hours looking for this kind of "vuln" in services running as SYSTEM on a default installation and I only found a handful of them, and none on the latest Windows 10.
I must be really dumb.
I'd have to agree. Having a non-privileged-user-writable directory in a SYSTEM-wide PATH environment variable is a system misconfiguration. As such, the misconfiguration is the vulnerability. Not any particular vector through which to achieve the privesc. For example, Win10:
A very common misconfiguration
It's unfortunate that there are several apps that will perform this misconfiguration for you. Those app installers are CVE-worthy.
What we need is a list of apps that add a non-admin-writable folder to system PATH, and get these fixed. I agree this isn't a vuln in Windows. So we all know Python is such an app, what are some others?
I think Ruby and cygwin are also good examples...
But they don't execute with high privs.
It doesn't matter if the app you installed executes with high privileges. If the installer configures a system in a way that allows a user to place a file on a SYSTEM-wide path, then the attacker wins.
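An added audit check for the misconfiguration the thread describes (my own script, not code from anyone in the thread or from the linked write-up): it reads the machine-scope PATH that SYSTEM services inherit and reports entries where a low-privileged principal can create files. The principal list and the generic-rights mask are my assumptions.

```powershell
# Added audit script, not from the thread. Enumerates machine-scope PATH directories
# (the PATH that SYSTEM services inherit) and reports any where a low-privileged
# principal can create files. Assumes Windows PowerShell 5.1 or later.
function Find-WritableSystemPathDir {
    # Assumed list of low-privileged principals; extend with your own groups if needed.
    $lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    # CreateFiles (= WriteData) is what matters for planting a file; Write/Modify/FullControl contain it.
    $createMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'
    # Some ACEs carry unmapped generic bits: GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
    $genericWriteMask = 0x50000000

    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $dirs = $machinePath -split ';' |
        Where-Object { $_.Trim() -ne '' } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) }

    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # A PATH entry that does not exist is also worth a look: if a user can create it, same outcome.
            Write-Warning "PATH entry does not exist: $dir"
            continue
        }
        $acl = Get-Acl -LiteralPath $dir
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
            $rights = [int]$ace.FileSystemRights
            if (($rights -band [int]$createMask) -ne 0 -or ($rights -band $genericWriteMask) -ne 0) {
                [pscustomobject]@{
                    Directory = $dir
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

Find-WritableSystemPathDir | Format-Table -AutoSize
```

Any directory it lists should have its ACL tightened or be removed from the machine PATH, and the installer that added it is the thing to report.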