~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~. Vulnerability Summary ~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~. Title Nessus Authenticated Scan - Local Privilege Escalation Release Date 20 March 2014 Reference NGS00643 Discoverer Neil Jones Vendor Tenable Vendor Reference RWZ-21387-181 Systems Affected Nessus appliance engine version 5.2.1 the plugin set 201402092115 Risk High Status Fixed ~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~. Resolution Timeline ~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~. Discovered 29 January 2014 Released 29 January 2014 Reported 18 February 2014 Fixed 6 March 2014 Published 20 March 2014 ~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~. Vulnerability Description ~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~. An authenticated Nessus scan of a target machine may result in local privilege escalation on that target machine if scanned with the Malicious Process Detection plugin (Plugin ID 59275). The Malicious Process Detection plugin created a service which ran as SYSTEM however this binary could be modified by a low level user allowing for privilege escalation. The main attack vector for this vulnerability would be within large organisations which routinely run authenticated scans for security auditing purposes, once a user gains SYSTEM access on one machine they would be likely to be able to escalate their privileges to that of Domain Administrator by other means. ~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~. Technical Details ~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~. The vulnerability was caused by the Malicious Process Detection plugin (Plugin ID 59275), this plugin created a service which gathered privileged information from the target system. The plugin created a binary in the System Temp folder which had a static name for example this would be "C:\Windows\Temp\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe" A service was then created to run this binary, the service created was set to automatically start upon boot. As a low level user the binary should be created before the scan, once the scan is in progress the binary is overwritten by the Nessus plugin, once the Nessus plugin overwrites the binary the low level user can once again overwrite the binary the machine can be rebooted by the low level user so the binary is automatically ran upon system boot. As the Nessus scan is still in progress upon the machine rebooting, the binary and the service are deleted automatically during the clean-up process of the plugin. ~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~. Fix Information ~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~. The plugin has been updated and the vulnerability can be patched by updating the plugins on your scanner ~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~. NCC Group ~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~. Research https://www.nccgroup.com/research Twitter https://www.twitter.com/NCCGroupInfoSec / @NCCGroupInfoSec Open Source https://github.com/nccgroup Blog https://www.nccgroup.com/en/blog/cyber-security/ SlideShare http://www.slideshare.net/NCC_Group/ For more information please visit <a href="http://www.mimecast.com";>http://www.mimecast.com<br> This email message has been delivered safely and archived online by Mimecast. </a>
