CAIDA Spoofer


A CAIDA Spoofer installation has been identified on the HACKSMARTERSEC (10.10.183.209) host.

PS C:\> ls 'C:\Program Files (x86)\Spoofer\'
 
 
    Directory: C:\Program Files (x86)\Spoofer
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        7/24/2020   9:31 PM          16772 CHANGES.txt
-a----        7/16/2020   7:23 PM           7537 firewall.vbs
-a----        7/24/2020   9:31 PM          82272 LICENSE.txt
-a----         7/5/2025   4:05 PM             19 qc
-a----        7/24/2020   9:31 PM           3097 README.txt
-a----        7/24/2020   9:31 PM          48776 restore.exe
-a----        7/20/2020  11:12 PM         575488 scamper.exe
-a----        6/30/2023   6:57 PM            152 shortcuts.ini
-a----        7/24/2020   9:31 PM        4315064 spoofer-cli.exe
-a----        7/24/2020   9:31 PM       16171448 spoofer-gui.exe
-a----        7/24/2020   9:31 PM        4064696 spoofer-prober.exe
-a----        7/24/2020   9:31 PM        8307640 spoofer-scheduler.exe
-a----        7/24/2020   9:31 PM            667 THANKS.txt
-a----        7/24/2020   9:31 PM         217416 uninstall.exe
 
PS C:\> ps | findstr spoofer
    205      11     1708       9276              1320   0 spoofer-scheduler

It is installed in the C:\Program Files (x86)\Spoofer\ directory, and the spoofer-scheduler process is running.

PS C:\> cat 'C:\Program Files (x86)\Spoofer\CHANGES.txt' | Select -First 10
spoofer-1.4.6 (2020-07-24) 
-------------
* Finds Spoofer control server by hostname instead of IP address
* Updated for better compatibility with Qt 5.15
* Updated for better compatibility with protobuf 3.12
* macOS: avoid use of launch services API (deprecated in OS X 10.10)
* macOS: updated binary release:
  - drop support for OS X <10.10
  - updated bundled third-party packages: openssl 1.1.1g, pcap 1.9.1, 
    protobuf 3.12.3, Qt 5.9, scamper 20200717

The first entry in CHANGES.txt reveals the installed version: 1.4.6 (2020-07-24).

Vulnerabilities


Looking it up online reveals an unquoted service path vulnerability for this version, assigned CVE-2021-46443, which appears to have since been revoked.

PS C:\> sc.exe qc spoofer-scheduler
[SC] QueryServiceConfig SUCCESS
 
SERVICE_NAME: spoofer-scheduler
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Spoofer Scheduler
        DEPENDENCIES       : tcpip
        SERVICE_START_NAME : LocalSystem

Querying the spoofer-scheduler service confirms that BINARY_PATH_NAME is unquoted and contains spaces. When the Service Control Manager launches it, CreateProcess resolves the ambiguous path in order, trying C:\Program.exe, then C:\Program Files.exe, and only then C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe; whoever can plant one of the earlier candidates gets it executed as the service account (LocalSystem here).

PS C:\> echo blah > C:\Program.exe 
out-file : Access to the path 'C:\Program.exe' is denied. 
At line:1 char:1
+ echo blah > C:\Program.exe
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (:) [Out-File], UnauthorizedAccessException       
    + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand 

The "vulnerability" is a false positive on this host: the default ACL on C:\ lets standard users create folders but not files in the root directory, so neither C:\Program.exe nor C:\Program Files.exe can be planted, and the unquoted path by itself is not exploitable.

Permissions


PS C:\> icacls "C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe"
C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe BUILTIN\Users:(I)(F)
                                                     NT AUTHORITY\SYSTEM:(I)(F)
                                                     BUILTIN\Administrators:(I)(F)
                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
 
Successfully processed 1 files; Failed processing 0 files

Checking the permissions on the binary itself, however, shows that BUILTIN\Users has Full control (F), inherited (I) from the containing directory, so any standard user can overwrite the service executable. This was flagged by PrivescCheck.

PS C:\> icacls "C:\Program Files (x86)\Spoofer"
C:\Program Files (x86)\Spoofer BUILTIN\Users:(OI)(CI)(F)
                               NT SERVICE\TrustedInstaller:(I)(F)
                               NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                               BUILTIN\Administrators:(I)(F)
                               BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                               BUILTIN\Users:(I)(RX)
                               BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                               CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
 
Successfully processed 1 files; Failed processing 0 files

The parent directory carries the same grant as an explicit entry, BUILTIN\Users:(OI)(CI)(F), which is where the inherited full-control ACE on the binary comes from; it also means a user can create, rename or delete any file in the directory.

Start/Stop Service


PS C:\> sc.exe stop spoofer-scheduler
 
SERVICE_NAME: spoofer-scheduler
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

The current user is able to stop the spoofer-scheduler service. Since the service runs as LocalSystem and is AUTO_START, privilege escalation is possible: the binary can be replaced while the service is stopped (a running image is locked against overwriting, which is why being able to stop it matters), and the next start executes the replacement as SYSTEM. The conditions are:

  • any member of BUILTIN\Users has full control over the service binary and its directory
  • the current user is able to stop/start the service (or wait for the AUTO_START at boot)
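The following PowerShell script is an added example, not code from the original write-up or from the Spoofer project. It automates the three manual checks above for any service: the unquoted-path candidates CreateProcess would try and whether the caller could create them (which is how the false positive above is distinguished from a real one), the caller's write access to the binary and its directory, and the start/stop rights in the service DACL as shown by sc.exe sdshow. It assumes it is run on the target as the low-privileged user being tested; the function and parameter names are mine, and Test-EffectiveRight approximates effective access from the DACL (no generic-right mapping, no owner or privilege handling) rather than computing it exactly.

```powershell
# Added example, not taken from the original write-up or from the Spoofer project:
# audits one service for the conditions checked by hand above. Assumes Windows
# PowerShell 5.1+ and that it runs on the target as the low-privileged user.

$SERVICE_START = 0x0010   # SERVICE_START access-mask bit
$SERVICE_STOP  = 0x0020   # SERVICE_STOP access-mask bit

function Get-CurrentTokenSids {
    # SID strings of the caller's user plus every group SID in the token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

function Get-UnquotedPathCandidates {
    # Executables CreateProcess tries, in order, for an unquoted image path: every
    # prefix that ends at a space (".exe" appended when the prefix has no extension),
    # then the whole string. A quoted path is unambiguous and yields no candidates.
    param([Parameter(Mandatory)][string]$PathName)
    if ($PathName.StartsWith('"')) { return @() }
    $parts = $PathName.Trim() -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $cand = $parts[0..($i - 1)] -join ' '
        if (-not [IO.Path]::GetExtension($cand)) { $cand += '.exe' }
        $cand
    }
}

function Test-EffectiveRight {
    # Approximate effective-access test: accumulate the bits of $Right granted by
    # Allow ACEs naming one of the token's SIDs; an overlapping Deny fails the test.
    # Inherit-only ACEs are skipped (they do not apply to the object itself) and
    # generic rights (GR/GW/GE/GA) are not mapped, so the answer is conservative.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][Security.AccessControl.FileSystemRights]$Right
    )
    $sids = Get-CurrentTokenSids
    $want = [int]$Right
    $granted = 0
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if (([int]$ace.PropagationFlags -band [int][Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        try { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # principal cannot be resolved to a SID: ignore the ACE
        if ($sids -notcontains $sid) { continue }
        $mask = [int]$ace.FileSystemRights -band $want
        if ($ace.AccessControlType -eq 'Deny') { if ($mask -ne 0) { return $false }; continue }
        $granted = $granted -bor $mask
    }
    return ($granted -band $want) -eq $want
}

function Test-ServiceControlRight {
    # Parse the service DACL from 'sc.exe sdshow' and test whether the caller's token
    # holds every bit of $Mask (for example SERVICE_START -bor SERVICE_STOP).
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][int]$Mask)
    $sddl = (sc.exe sdshow $Name | ForEach-Object { $_.Trim() } | Where-Object { $_ -like 'D:*' }) -join ''
    if (-not $sddl) { return $false }   # DACL not readable: assume no rights
    $sd = New-Object -TypeName Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
    $sids = Get-CurrentTokenSids
    $granted = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [Security.AccessControl.CommonAce]) { continue }
        if ($sids -notcontains $ace.SecurityIdentifier.Value) { continue }
        $bits = $ace.AccessMask -band $Mask
        if ($ace.AceType -eq 'AccessDenied') { if ($bits -ne 0) { return $false }; continue }
        if ($ace.AceType -eq 'AccessAllowed') { $granted = $granted -bor $bits }
    }
    return ($granted -band $Mask) -eq $Mask
}

function Test-ServiceBinaryHijack {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "service '$Name' not found" }
    $path   = [string]$svc.PathName
    $quoted = $path.StartsWith('"')
    $real   = if ($quoted) { $path.Split('"')[1] } else { $null }
    $hijackable = @()
    foreach ($cand in (Get-UnquotedPathCandidates $path)) {
        # CreateProcess stops at the first candidate that exists; the ones before it
        # are hijack targets only if the caller can create a file in their folder.
        if (Test-Path -LiteralPath $cand -PathType Leaf) { $real = $cand; break }
        if (Test-EffectiveRight -Path (Split-Path -Parent $cand) -Right CreateFiles) { $hijackable += $cand }
    }
    $binaryWritable = $false; $dirWritable = $false
    if ($real -and (Test-Path -LiteralPath $real -PathType Leaf)) {
        $binaryWritable = Test-EffectiveRight -Path $real -Right WriteData
        $dirWritable    = Test-EffectiveRight -Path (Split-Path -Parent $real) -Right CreateFiles
    }
    [pscustomobject]@{
        Service           = $Name
        RunsAs            = $svc.StartName
        PathName          = $path
        Unquoted          = (-not $quoted) -and ($path -match ' ')
        HijackablePaths   = $hijackable      # empty on a default C:\ ACL: the false positive above
        BinaryWritable    = $binaryWritable
        DirectoryWritable = $dirWritable
        CanStartStop      = Test-ServiceControlRight -Name $Name -Mask ($SERVICE_START -bor $SERVICE_STOP)
    }
}

Test-ServiceBinaryHijack -Name spoofer-scheduler | Format-List
```

On this host the expected result is Unquoted true with HijackablePaths empty, BinaryWritable and DirectoryWritable true, RunsAs LocalSystem, and CanStartStop true if the service DACL grants the user's groups both RP (start) and WP (stop). Because Test-EffectiveRight ignores generic rights and owner semantics, a false answer should be confirmed by hand the way the write-up does (attempt the write), while a true answer can be trusted.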