![]() ![]() On our VM, c:\python27 has an ACL which allows any authenticated user to write files onto the ACL. Note: We filtered the irrelevant events from the above screenshot.Īs you can see, the service was trying to load a missing DLL file ( msvcr120.dll ) Demonstrating a DLL Hijacking Vulnerability Once the library was loaded, we noticed that the service tries to look for a missing DLL file in order to load it: In our initial exploration, we targeted the Code42 server service based on the assumption that such a critical service would have a high-level permission to the PC hardware as well as the capability to induce privilege escalation.Īfter the Code42 server service was started, it executed CrashPlanPROServer.exe as NT AUTHORITY\SYSTEM. Part of the software runs as a service which is executed as “NT AUTHORITY\SYSTEM,” which provides it with very powerful permissions. Code42 ServerĬode42 is best known for developing and marketing the CrashPlan data backup service.ĬrashPlan backs up data to remote servers or hard drives. In this post, we will demonstrate how this vulnerability can be used in order to achieve persistence, defense evasion and in some cases privilege escalation by loading an arbitrary unsigned DLL into a service that runs as SYSTEM. SafeBreach Labs discovered a new vulnerability in the Code42 on-premise server for Windows ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |