PrivescCheck
PrivescCheck copied to clipboard
itm4n
Check root folder ACLs
A common pattern I recognized is admins placing applications in directories created in drive roots, e.g.:
C:\Install
C:\ORACLE
C:\SuperAccounting
Some installers also do this by default.
Since these folders inherit AddDirectory and AddFile permissions for the BUILTIN\Users group, any local user can place malicious DLL's inside these directories to hijack processes executed by other users of the same machine (think terminal servers):
C:\ORACLE
\__bin
\__sqlplus.exe
\__version.dll (totally legit *wink* *wink*)
For now, a new check only enumerates modifiable folders in root directories, and doesn't check whether there are any executables inside (this seems to be problematic elsewhere too). It also doesn't care if subdirectory ACL's are customized. Since there are other venues for attack (e.g. add a script to a conf.d-like folder) I'd rather just highlight the potential problem and let the tester assess the actual risk depending on the environment.
I only use PowerShell when I really have to, so the code is mostly frankensteined from other places. Also I don't expect this to be merged right away (not sure about base risk, are descriptions good enough, ...), any feedback is welcome!
