EOPRadar - Privilege escalation vulnerability scanner

Using version 1.08 now, I've got a few questions:

1) Since when did .log files become dangerous and executable files?
2) Another dangling reference, but this time it's invisible, seems like EOPRadar has upped its game: https://i.lensdump.com/i/AipxgA.png
3) What defines a file as Admin-owned? There are files whose owner is a limited user local account (not administrator, but a standard account) that are not marked as admin-owned but are marked as user-writable, as they should be, and other files marked as BOTH admin-owned and user-writable whose owner is the same STANDARD/LIMITED user account??? WHAT'S HAPPENING HERE???
4) Ok now, what is this black magic thing going on here? Can you be a bit more precise than "critical"? This file is just like every other one on the ERP results list, permission and ownership-wise: https://i.lensdump.com/i/Ai7jcc.png

 

1) the .log files detected by EOPRadar are potentially dangerous because of their permissions, not their content.
Even if they are just plain text, unsafe ACLs on log files (or their parent folders) created by elevated processes can enable a so-called Symbolic Link Attack, which can often lead to privilege escalation.
2) That might be a bug. Will look into it.
3) A file is also marked as admin-owned if its parent folder is. Again, this can lead to privilege escalation.
I admit the scan results are a little ambiguous in this case and will try to address that in a further release.
4) This normally means that the file was created by an elevated persistent (ie, auto-starting) process, which often makes privilege escalation trivial to achieve.

I'm afraid I can't answer in more detail, but if you need more information, Google is your friend

 

So essentially, what you're trying to say, is that, well obviously, a non-escalated entity can swap the log files with malicious ones, since the logs' permissions aren't properly set, and THEN the program using those logs will do something bad (malicious?) based on the information that it read from the malicious swapped log file? At least that's what I understood, according to slide 8 of this presentation that I found https://www.slideshare.net/OWASPdelhi/abusing-symlinks-on-windows

Ok, so I kinda understood the last one, but I don't really understand this one. So what if the target file is admin-owned (either through its own owner or its parent folder's owner), what does that matter? I thought the goal was to prevent privilege escalation, how would the bad entity abuse the admin-owned files when it doesn't have admin rights itself? Also, if Folder 1 contains Folder 2, and Folder 2 contains a file, and neither the file nor Folder 2 are admin-owned, but Folder 1 is admin-owned, does ERPRadar then mark that file as admin-owned? I mean like did you implement that? And ofc it can extend to folder 3 folder 4 etc. until it reaches the drive permissions

 

I can't start the tool as default Win10 x64 Pro user with maximum UAC, which is a standard (non-admin) user.
Rules via secpol exist, but the tool is started from a allowed path.

 

Could you post the exact error message?

 

Sure: https://framapic.org/X053j9DHBD2h/8gGUh3tCB7fX.png

 

To verify what may be causing this, could you open a cmd prompt and post the output of the following command:

whoami /groups

Also, is your OS language English? There are a few known issues with EOPRadar on international editions of Windows.

 

whoami output:

Code:

GRUPPENINFORMATIONEN
--------------------

Gruppenname                                                          Typ             SID          Attribute             
==================================================================== =============== ============ ===============================================================
Jeder                                                                Bekannte Gruppe S-1-1-0      Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
NT-AUTORITÄT\Lokales Konto und Mitglied der Gruppe "Administratoren" Bekannte Gruppe S-1-5-114    Gruppen, die nur zum Ablehnen verwendet wird
VORDEFINIERT\Administratoren                                         Alias           S-1-5-32-544 Gruppen, die nur zum Ablehnen verwendet wird
VORDEFINIERT\Benutzer                                                Alias           S-1-5-32-545 Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
NT-AUTORITÄT\INTERAKTIV                                              Bekannte Gruppe S-1-5-4      Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
KONSOLENANMELDUNG                                                    Bekannte Gruppe S-1-2-1      Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
NT-AUTORITÄT\Authentifizierte Benutzer                               Bekannte Gruppe S-1-5-11     Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
NT-AUTORITÄT\Diese Organisation                                      Bekannte Gruppe S-1-5-15     Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
NT-AUTORITÄT\Lokales Konto                                           Bekannte Gruppe S-1-5-113    Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
LOKAL                                                                Bekannte Gruppe S-1-2-0      Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
NT-AUTORITÄT\NTLM-Authentifizierung                                  Bekannte Gruppe S-1-5-64-10  Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
Verbindliche Beschriftung\Mittlere Verbindlichkeitsstufe             Bezeichnung     S-1-16-8192

OS language is German

 

Binary file is only 0KB: https://www.trustprobe.com/fs1/download.php?appname=EOPRadar.exe

 

Now Windows (10) Defender block the whole site and i can't open any trustprobe.com sites.
Don't know where i can add a whitelist. Maybe you need to contact them

 

Strange, I'm not seeing this. If possible can you post a screenshot of any error messages?

 

Sure: https://framapic.org/C6Y7mNfTjdAb/9UEN0ZmolDzp

It's because Windows Defender Network protection but wasn't the case days before.
More infos about this protection:
https://www.ghacks.net/2017/10/26/configure-windows-defender-network-protection-in-windows-10/
https://demo.wd.microsoft.com/Page/NP

 

@svenfaw

I got 14 red flags after scanning, what to do with these files flagged ?

I would need to change the permissions, right ? Could you give an example ?

 

Ummmm...



I did look around for a different hash.

 

8f06377392b98fb4e1493e48ca53d9c7010792aad2b3a42499b1e32f4edcd4a6 is the correct hash for the current release (1.08.001).

83d14b3927a69c0e4b12a0c11009ef16261f3ad717561040a0f9e2c1f7b2347c was the hash for v1.02. Unfortunately I could not update the top post, as I no longer have editing rights on it.

Thanks for asking, and sorry for the confusion.

Please note I am currently unable to offer support on using this tool, but perhaps other forum members will be able to help.

 

Hokaaaayyy... About Permissions... Unfortunately I cannot unsee EOPRadar's output and it looks like the fix is in permissions. And I know very little on this subject, except that I can screw myself comprehensively if I get it wrong.



Fixing escalation vulnerability is definitely a second-tier security layer, in case anything does get past my first-tier.

Right. Win7 HP x64 SP1.

For starters, I have an Admin account, and some SUAs/LUAs. Secure Logon is enabled. All softs have been installed from Admin except a very few which needed to be for a particular account only. Some executables, like for instance EOPRadar have been simply dropped into a folder and Windows has asked if I would kindly give it the UAC password. So I guess those also count as "installed from Admin."

On top of that, a lot of my programs are legacy, they are not certified for Vista++ and thus do not support UAC.

The only person who uses Admin is myself, and then only to accomodate upgrades (Flash/Java) and new installs (KBs etc). All SUAs have SuRun enabled to allow SUA context when elevating to Admin.

So, what do I need to do to make all of the red lines go at least to yellow or preferably green? That is, achieve the mantra "SUA-writable paths should not be executable, and vice versa"?

For what it's worth, Program Data and all %LocalAppData%/Temp have been locked down with a silent execution block.

I have seen one idea, that I create a new entity with a strong password which will do nothing except be a permission/rights holder, then use that to take ownership. But I don't see how to allow these programs to write to their own folders/files and also keep them safe from a privilege attack.

 

Don't sweat it, just update your system and browser, don't download random stuff and you're not gonna get malware, you have to be REALLY trying in order for that to happen. This software is more like scareware than anything

"Oh no, I have some red entries, they're gonna hack me"

 

Useful in pentesting engagements, OS image hardening, SRP/AppLocker testing.

Just to clarify, the primary audience of this tool would be pentesters, security-oriented developers, auditors and other categories of security professionals.
Home users would typically see less value in using this tool.

 

@svenfaw
Why don't you give any support here ? Are you here only to promote yours softwares ?
https://www.wilderssecurity.com/thr...nerability-scanner.406671/page-2#post-2833242

 

Read the topic and you'll know how to fix it

 

I got a 0 byte file if i try to download http://www.trustprobe.com/fs1/download.php?appname=EOPRadar.exe or https://www.trustprobe.com/fs1/download.php?appname=EOPRadar.exe

 

Still not fixed.
Your website now only tell:

Also you're site need HTTP to HTTPS redirect

 

just an INFO, i cant download anything from your site.. I wanted to DOwnload and test DNSGlass but everything i download is "0" byte.. i tested with 3 browsers, different DNS Servers and from an Friends PC also.. wich all had teh same result.. "0" byte FIles downloaded..

thought i just mention it..

Best Regards