EOPRadar - Privilege escalation vulnerability scanner

Discussion in 'other anti-malware software' started by svenfaw, Jul 30, 2018.

  1. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
    Using version 1.08 now, I've got a few questions:

    1) Since when did .log files become dangerous and executable files?
    2) Another dangling reference, but this time it's invisible, seems like EOPRadar has upped its game: https://i.lensdump.com/i/AipxgA.png
    3) What defines a file as Admin-owned? There are files whose owner is a limited user local account (not administrator, but a standard account) that are not marked as admin-owned but are marked as user-writable, as they should be, and other files marked as BOTH admin-owned and user-writable whose owner is the same STANDARD/LIMITED user account??? WHAT'S HAPPENING HERE???
    4) Ok now, what is this black magic thing going on here? Can you be a bit more precise than "critical"? This file is just like every other one on the ERP results list, permission and ownership-wise: https://i.lensdump.com/i/Ai7jcc.png
     
  2. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    246


    1) the .log files detected by EOPRadar are potentially dangerous because of their permissions, not their content.
    Even if they are just plain text, unsafe ACLs on log files (or their parent folders) created by elevated processes can enable a so-called Symbolic Link Attack, which can often lead to privilege escalation.
    2) That might be a bug. Will look into it.
    3) A file is also marked as admin-owned if its parent folder is. Again, this can lead to privilege escalation.
    I admit the scan results are a little ambiguous in this case and will try to address that in a further release.
    4) This normally means that the file was created by an elevated persistent (ie, auto-starting) process, which often makes privilege escalation trivial to achieve.

    I'm afraid I can't answer in more detail, but if you need more information, Google is your friend :)
     
    Last edited: Sep 11, 2018
  3. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
    So essentially, what you're trying to say, is that, well obviously, a non-escalated entity can swap the log files with malicious ones, since the logs' permissions aren't properly set, and THEN the program using those logs will do something bad (malicious?) based on the information that it read from the malicious swapped log file? At least that's what I understood, according to slide 8 of this presentation that I found https://www.slideshare.net/OWASPdelhi/abusing-symlinks-on-windows

    Ok, so I kinda understood the last one, but I don't really understand this one. So what if the target file is admin-owned (either through its own owner or its parent folder's owner), what does that matter? I thought the goal was to prevent privilege escalation, how would the bad entity abuse the admin-owned files when it doesn't have admin rights itself? Also, if Folder 1 contains Folder 2, and Folder 2 contains a file, and neither the file nor Folder 2 are admin-owned, but Folder 1 is admin-owned, does ERPRadar then mark that file as admin-owned? I mean like did you implement that? And ofc it can extend to folder 3 folder 4 etc. until it reaches the drive permissions
     
  4. itsmeWario

    itsmeWario Guest

    I can't start the tool as default Win10 x64 Pro user with maximum UAC, which is a standard (non-admin) user.
    Rules via secpol exist, but the tool is started from a allowed path.
     
  5. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    246
    Could you post the exact error message?
     
  6. itsmeWario

    itsmeWario Guest

  7. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    246
    To verify what may be causing this, could you open a cmd prompt and post the output of the following command:

    whoami /groups

    Also, is your OS language English? There are a few known issues with EOPRadar on international editions of Windows.
     
  8. itsmeWario

    itsmeWario Guest

    whoami output:
    Code:
    GRUPPENINFORMATIONEN
    --------------------
    
    Gruppenname                                                          Typ             SID          Attribute             
    ==================================================================== =============== ============ ===============================================================
    Jeder                                                                Bekannte Gruppe S-1-1-0      Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
    NT-AUTORITÄT\Lokales Konto und Mitglied der Gruppe "Administratoren" Bekannte Gruppe S-1-5-114    Gruppen, die nur zum Ablehnen verwendet wird
    VORDEFINIERT\Administratoren                                         Alias           S-1-5-32-544 Gruppen, die nur zum Ablehnen verwendet wird
    VORDEFINIERT\Benutzer                                                Alias           S-1-5-32-545 Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
    NT-AUTORITÄT\INTERAKTIV                                              Bekannte Gruppe S-1-5-4      Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
    KONSOLENANMELDUNG                                                    Bekannte Gruppe S-1-2-1      Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
    NT-AUTORITÄT\Authentifizierte Benutzer                               Bekannte Gruppe S-1-5-11     Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
    NT-AUTORITÄT\Diese Organisation                                      Bekannte Gruppe S-1-5-15     Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
    NT-AUTORITÄT\Lokales Konto                                           Bekannte Gruppe S-1-5-113    Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
    LOKAL                                                                Bekannte Gruppe S-1-2-0      Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
    NT-AUTORITÄT\NTLM-Authentifizierung                                  Bekannte Gruppe S-1-5-64-10  Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
    Verbindliche Beschriftung\Mittlere Verbindlichkeitsstufe             Bezeichnung     S-1-16-8192
    OS language is German
     
  9. itsmeWario

    itsmeWario Guest

    Binary file is only 0KB: https://www.trustprobe.com/fs1/download.php?appname=EOPRadar.exe
     
    Last edited by a moderator: Dec 29, 2018
  10. itsmeWario

    itsmeWario Guest

    Now Windows (10) Defender block the whole site and i can't open any trustprobe.com sites.
    Don't know where i can add a whitelist. Maybe you need to contact them
     
  11. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    246
    Strange, I'm not seeing this. If possible can you post a screenshot of any error messages?
     
  12. itsmeWario

    itsmeWario Guest

  13. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    697
    Location:
    Europe
    @svenfaw

    I got 14 red flags after scanning, what to do with these files flagged ?

    I would need to change the permissions, right ? Could you give an example ?
     

    Attached Files:

  14. gorblimey

    gorblimey Registered Member

    Joined:
    Jan 19, 2017
    Posts:
    157
    Location:
    West Oz
    Ummmm...

    HashVerifier.png

    I did look around for a different hash.
     
  15. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    246
    8f06377392b98fb4e1493e48ca53d9c7010792aad2b3a42499b1e32f4edcd4a6 is the correct hash for the current release (1.08.001).

    83d14b3927a69c0e4b12a0c11009ef16261f3ad717561040a0f9e2c1f7b2347c was the hash for v1.02. Unfortunately I could not update the top post, as I no longer have editing rights on it.

    Thanks for asking, and sorry for the confusion.

    Please note I am currently unable to offer support on using this tool, but perhaps other forum members will be able to help.
     
  16. gorblimey

    gorblimey Registered Member

    Joined:
    Jan 19, 2017
    Posts:
    157
    Location:
    West Oz
    Hokaaaayyy... About Permissions... Unfortunately I cannot unsee EOPRadar's output :( and it looks like the fix is in permissions. And I know very little on this subject, except that I can screw myself comprehensively if I get it wrong.

    EOPRadar.png

    Fixing escalation vulnerability is definitely a second-tier security layer, in case anything does get past my first-tier.

    Right. Win7 HP x64 SP1.

    For starters, I have an Admin account, and some SUAs/LUAs. Secure Logon is enabled. All softs have been installed from Admin except a very few which needed to be for a particular account only. Some executables, like for instance EOPRadar have been simply dropped into a folder and Windows has asked if I would kindly give it the UAC password. So I guess those also count as "installed from Admin."

    On top of that, a lot of my programs are legacy, they are not certified for Vista++ and thus do not support UAC.

    The only person who uses Admin is myself, and then only to accomodate upgrades (Flash/Java) and new installs (KBs etc). All SUAs have SuRun enabled to allow SUA context when elevating to Admin.

    So, what do I need to do to make all of the red lines go at least to yellow or preferably green? That is, achieve the mantra "SUA-writable paths should not be executable, and vice versa"?

    For what it's worth, Program Data and all %LocalAppData%/Temp have been locked down with a silent execution block.

    I have seen one idea, that I create a new entity with a strong password which will do nothing except be a permission/rights holder, then use that to take ownership. But I don't see how to allow these programs to write to their own folders/files and also keep them safe from a privilege attack.
     
  17. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
    Don't sweat it, just update your system and browser, don't download random stuff and you're not gonna get malware, you have to be REALLY trying in order for that to happen. This software is more like scareware than anything :D

    "Oh no, I have some red entries, they're gonna hack me" :argh:
     
  18. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    246
    Useful in pentesting engagements, OS image hardening, SRP/AppLocker testing.

    Just to clarify, the primary audience of this tool would be pentesters, security-oriented developers, auditors and other categories of security professionals.
    Home users would typically see less value in using this tool.
     
  19. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    697
    Location:
    Europe
  20. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
  21. itsmeWario

    itsmeWario Guest

    I got a 0 byte file if i try to download http://www.trustprobe.com/fs1/download.php?appname=EOPRadar.exe or https://www.trustprobe.com/fs1/download.php?appname=EOPRadar.exe
     
  22. itsmeWario

    itsmeWario Guest

    Still not fixed.
    Your website now only tell:
    Also you're site need HTTP to HTTPS redirect
     
  23. Be_Ta

    Be_Ta Registered Member

    Joined:
    Jan 15, 2019
    Posts:
    33
    Location:
    Earth
    just an INFO, i cant download anything from your site.. I wanted to DOwnload and test DNSGlass but everything i download is "0" byte.. i tested with 3 browsers, different DNS Servers and from an Friends PC also.. wich all had teh same result.. "0" byte FIles downloaded..

    thought i just mention it..

    Best Regards
     
Loading...
Similar Threads
  1. garry35
    Replies:
    21
    Views:
    3,402
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.