EOPRadar - Privilege escalation vulnerability scanner

Discussion in 'other anti-malware software' started by svenfaw, Jul 30, 2018.

  1. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    Use this new tool to check your system for several classes of privilege escalation vulnerabilities.

    Useful in pentesting engagements, OS image hardening, SRP/AppLocker testing.

    [attached screenshot: E_screen.png]

    version 1.02 (Beta) - x64 build only - for Win 7 and above.

    The current version is freely available. Use at your own risk.


    Quick start

    1. Note that the tool must be launched as a standard user account (SUA) - not an administrator.

    2. Launch the application and click Scan.

    3. In the scan results, a warning (yellow) indicates a writable process path, while an alert (red) indicates a critical EOP vulnerability, which would allow any standard user to elevate privileges to administrator. Any findings in red should be taken very seriously, especially in an AD domain environment.

    4. Based on the results, review and fix your NTFS permissions for the affected processes. Remember, SUA-writable paths should not be executable, and vice versa.


    Homepage: http://www.trustprobe.com/fs1/apps.html

    SHA256 hash for v1.02: 83d14b3927a69c0e4b12a0c11009ef16261f3ad717561040a0f9e2c1f7b2347c
     
    Last edited: Aug 4, 2018
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Well, I can't even get it to run because of this....

    [attached screenshot: ee.jpg]
     
  3. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    Are you using SUA?
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Nope. Nada.

    Which confirms this. Oh well. Looked like it might be useful even for an Admin. Some are, some are not. Nice program though for a new Beta.

     
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Don't understand how to apply this axiom.
    I have an app called Toggldesktop, it most unfortunately will run only from Appdata.
    EOPRadar paints it yellow.
    If I make this writable path to be unexecutable, how will I launch the program?
    In order to work, toggldesktop spawns a sub-process of itself (sort of like Chrome, I guess) and I think it also wants to run its updater every once in a while. (Not sure how the updater is triggered, I don't see it in scheduled tasks, so I am guessing that the main process launches it.)
     
  6. guest

    guest Guest

    Informative tool
     
  7. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    Applications running from Appdata are always a problem from a security point of view. Fortunately, such applications are rare nowadays. If this particular app does not write its settings to the same folder as the executable, one workaround would be to make the path non-writable (to SUA) after installation.
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Unfortunately, there are devs who think it is more convenient for their program to run from appdata.
    For instance, I recently complained to Toggl support about the appdata issue, and they answered that they wanted workers who were put on limited user accounts by their local IT to be able to easily install the app.
    This is probably the reason why the desktop Slack app installs by default in appdata.
     
  9. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,342
    Location:
    Italy
    [attached screenshot: Immagine.jpg]

    The scanner is run on my daughter's PC.
    Pop-man for her is untouchable.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    One of the best examples of an app that runs from %LocalAppdata%\Temp is Process Explorer.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I get the same thing when running via Sandboxie.
     
  12. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    New version released: 1.04

    New item type: System path element
    This checks for directories vulnerable to privilege escalation in the system environment path.

    More item types are in the pipeline.
     
  13. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
  14. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    The fact that they are in your system's environment path but no longer physically exist is what causes the vulnerability.
    A non-privileged attacker can recreate these folders and use them to perform a DLL hijacking attack to gain admin access.
    This is a serious vulnerability, and the fix is to remove these entries from your path environment variable.
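The condition described in the post above (a directory that is still listed in the system PATH but no longer exists on disk) can be enumerated from the registry directly. The following script is an added example and is not EOPRadar's code; it reads the unexpanded system Path value from its standard location under HKLM, reports entries whose directory is missing together with the nearest ancestor directory that does exist (the directory whose permissions decide whether a standard user could recreate the missing folder), and prints a cleaned Path value for review. It writes nothing back.

```powershell
# Added example (not part of EOPRadar): list system PATH entries that no longer
# exist on disk and build a cleaned Path value for review. Read-only.

$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

# Read the raw REG_EXPAND_SZ value so entries such as %SystemRoot%\system32
# are reported the way they are stored, not the way they expand.
$rawPath = (Get-Item $regKey).GetValue('Path', '', 'DoNotExpandEnvironmentNames')
$entries = $rawPath -split ';' | Where-Object { $_.Trim() }

$findings = foreach ($entry in $entries) {
    $expanded = [Environment]::ExpandEnvironmentVariables($entry.Trim())
    if (-not (Test-Path -LiteralPath $expanded -PathType Container)) {
        # Walk up to the nearest directory that does exist. Its ACL is what
        # matters: if a standard user can create subfolders there, the missing
        # PATH directory can be recreated by that user.
        $ancestor = Split-Path -Path $expanded -Parent
        while ($ancestor -and -not (Test-Path -LiteralPath $ancestor -PathType Container)) {
            $ancestor = Split-Path -Path $ancestor -Parent
        }
        [pscustomobject]@{
            Entry            = $entry.Trim()
            Expanded         = $expanded
            ExistingAncestor = $ancestor
        }
    }
}

if ($findings) {
    Write-Host 'Dangling system PATH entries (remove these from the Path value):'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No dangling system PATH entries found.'
}

# Proposed Path value with the dangling entries dropped. Apply it yourself via
# System Properties (Environment Variables) after confirming the list above.
$cleaned = ($entries | Where-Object {
    Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($_.Trim())) -PathType Container
}) -join ';'
Write-Host "`nProposed Path value:`n$cleaned"
```

Run it from a normal PowerShell session (reading this key does not require elevation). For each dangling entry, check the ACL of the ExistingAncestor directory with icacls or Get-Acl: an entry under a directory that standard users cannot write to is still worth removing, but one under a user-writable directory is the case svenfaw describes. Also note that, as the thread later shows, the Environment Variables dialog needs the Path value expanded with Edit to see every entry.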
     
  15. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    New beta version released: 1.06

    • Enhanced detection capability.
    • Most scans should complete within 10 seconds.
    Some documentation is in the pipeline, but in the meantime, if anything's unclear, just post here for help. (Remember to mention your OS version and any context information that might be relevant)
     
    Last edited: Aug 15, 2018
  16. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    This is my latest scan with EOPRadar after fixing as many holes as I could https://i.lensdump.com/i/8arGpr.png

    The dangling references remain, even though I've supposedly removed them from the environment variables; they're no longer there, yet they still show in EOPRadar?

    Also, what does Hijackable mean and how do I fix it?

    What's the difference between EOPRadar and using accesschk when it comes to the "Writable" category? I see EOPRadar scans only executable paths, I guess it searches for .exe files in a folder and then checks it, or like how does it work? On my system drive C:, EOPRadar scanned Program Files, Program Files x86, Utilities which is my custom folder, ProgramData, Riot Games, Fraps and xampp folders. Didn't scan user folder (C:\Users\X), didn't scan Windows folder, missed other root folders in C: too. At least I suppose they weren't scanned since none of those folders show under any result, Safe or other.

    Also, when it comes to Writable, which groups does EOPRadar scan for if they have Write permissions (I'd imagine it checks for all of these: Create files/write data | Create folders/append data | Write attributes | Write extended attributes | Delete subfolders and files | Delete | Change permissions | Take ownership)? Does it check Users, Everyone, Authenticated Users, Interactive? Does it check other groups like CREATOR OWNER or ALL APPLICATION PACKAGES etc.? Does it check for specific users, like just 1 user having permissions?

    And another important thing, EOPRadar doesn't seem to check for file/folder owner. So, user X might have only (effective access) Read and execute permissions for a folder (Traverse folder/execute file | List folder/read data | Read attributes | Read extended attributes | Read permissions), but if he's the owner of the folder, he always has Read and Change Permissions, which means he can then give himself Full Control over the folder and remove any Deny permissions for that folder that might be stopping him from getting Full Control with just Allow permissions, effectively bypassing the Read and execute permissions that he was given, which equals vulnerabilities I'd imagine.
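The questions above about which rights and which groups count as "writable", and about the owner, are the same decision the quick start in the first post asks you to make when reviewing NTFS permissions. The script below is an added example of that check and is not EOPRadar's own logic: it takes a list of executable paths (the two entries in $targets are assumed paths, substitute the ones from your scan), inspects the file and its containing directory, reports any Allow ACE for a standard-user principal that carries one of the write-class rights listed in the post, and flags paths whose owner is not an administrative principal, since an owner implicitly holds Read Permissions and Change Permissions regardless of the ACEs.

```powershell
# Added example, not EOPRadar's own code. Reports which low-privilege principals
# hold write-class rights on each target path and its parent directory, and
# whether the owner is an administrative principal.

$targets = @(
    'C:\Program Files\SomeApp\app.exe',    # assumed path for illustration
    "$env:LOCALAPPDATA\SomeApp\app.exe"    # assumed path for illustration
)

# Principals that every interactive standard user is a member of.
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE',
    'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES'
)

# Rights that allow changing content, deleting, or rewriting the ACL itself
# (WriteData = Create files, AppendData = Create folders).
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Owners that are acceptable for executable content.
$adminOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller')

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path

    # Allow ACEs for a low-privilege principal that include any write-class bit.
    # Deny ACEs and generic-rights bits are not evaluated; see the note below.
    $writeAces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPrivPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $writeMask) -ne 0
    }

    [pscustomobject]@{
        Path         = $Path
        Owner        = $acl.Owner
        OwnerIsAdmin = $adminOwners -contains $acl.Owner
        WritableBy   = ($writeAces | ForEach-Object {
                            "$($_.IdentityReference.Value) [$($_.FileSystemRights)]"
                        }) -join '; '
    }
}

$report = foreach ($t in $targets) {
    # The containing directory matters as much as the file: write access there
    # allows files to be created or replaced alongside the binary.
    foreach ($p in @($t, (Split-Path -Path $t -Parent))) {
        if (Test-Path -LiteralPath $p) { Test-LowPrivWritable -Path $p }
    }
}

$report | Format-Table -AutoSize
```

A row with a non-empty WritableBy column or OwnerIsAdmin = False is the kind of path the first post tells you to fix by adjusting NTFS permissions (or, for the owner case, by having an administrator take ownership). Two caveats: the script only reads explicit Allow entries, so it does not compute effective access the way accesschk does (Deny ACEs, generic rights bits such as GENERIC_ALL, and per-user ACEs for a specific account are not handled), and it does not follow inheritance beyond what is already present in each object's own ACL. CREATOR OWNER is deliberately not in the list, since that entry only applies to objects created in the future by whoever creates them.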
     
  17. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    Thanks for your detailed feedback.

    A reboot should make the system path changes effective, can you try that? If still not OK, could you specify your OS version?

    As for your last point on checking file/folder owner: this should already be the case, but I've just discovered a bug preventing this from working correctly in the current version. I've already fixed this in the next update (available soon).

    I unfortunately won't have enough time to respond to the other points now, but will see if I can do so in the next few days.
     
    Last edited: Aug 16, 2018
  18. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    New beta version released: 1.07

    • Enhanced detection: scan for vulnerable service / driver registry keys
     
  19. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    That was a long journey, but after all the Authenticated Users, CREATOR OWNER and INTERACTIVE mess that was the folder permissions, I've finally fixed everything: https://i.lensdump.com/i/8hJFWb.png , aside from the dangling references which I still think EOPRadar is bugged about

    Steam certainly doesn't like it - https://i.lensdump.com/i/8hJPNT.png , and battle.net agent as well as all battle.net games require admin rights (write permissions which only admin has) to update, but it's not that big of a deal, the games may run fine otherwise, luckily I play fortnite now so it's whatever for me

    Also, I found some interesting stuff about privilege escalation that may be included in EOPRadar - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
     
  20. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    To further investigate, can you open a command prompt and post the output of "set PATH" (removing any sensitive information first)?

    I'm well aware of the techniques discussed in this article, but some of those techniques are no longer a real threat on modern Windows versions. The scanner aims to focus on the stuff that is most likely to be seen in the wild.
     
    Last edited: Aug 23, 2018
  21. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Lol nvm, turns out all I had to do was to expand the path variable with the Edit button :D
     
  22. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    The homepage says it is version 1.06. Is this wrong or was there some issue with 1.07?
     
  23. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Yes, it's wrong. I remember when version 1.07 was released and I downloaded it, that the EOPRadar.exe file was bigger than the 1.06 version one, and it detected new things, so it's just that the dev forgot to change the 1.06 to 1.07 on the website. I also noticed this, seems like I've forgotten to mention it and then I never came upon it ever again, good find bro :thumb:
     
  24. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    Ok. Thanks.

    Decided to download and it was indeed version 1.07
     
  25. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    Just released: 1.08 (more item types scanned + minor enhancements)

    Version information on the website is now correct ;)
     