As a pen tester I’ve always had an account on a Nessus Pro; obviously that changes with the new model, but as a contractor I have to be a big boy and buy my own licenses. My last gig I was Interim Head of Infosec, with the goal being ‘have at it’; it needs to be had at! … We rolled out Tenable.io’s agent- and scanner-based offering: the agent is deployed on all AD members, and those that aren’t on AD can be hit with the active scanner (with or without creds). All data is fed back into a lovely cloud dashboard where we can fix different issues at different velocities depending on different things. Cool.

I have a few friends at Tenable who have made reporting this really easy; hopefully the method they enumerate with will be more considered. I have to say that there were only a few instances that looked opportunistic; I validated sh.exe. This also might depend on the policy you scan with. I don’t know how they are going to fix it, but I know they’re working on it.

 

It’s fixed in the latest agent.


The LPE

I’ll keep this short.

Some of you will notice what’s going on here, but I’ll say it: Nessusd.exe is executing a file (or wanting to execute a file) as SYSTEM from a user-controlled location. So as an attacker, if you’re in a low-privilege … or any privilege position and want SYSTEM, all that needs to be done is position your binary in the following location and wait for a scan. Not useful if you’re in a rush to get shells, I know, but it’s reliable, and maybe more useful for long-term engagements. I tested this with my John.carroll user and realised I had admin rights; re-tested with a low-priv account, same results.

How do I exploit?

Place your malicious binary named sh.exe in %AppData%\Local\Microsoft\WindowsApps\ and wait for the next scan.

Done.

Equally, this would be worth checking on an authenticated scan too, without the agent. The ownership of the account you use may reside with the organisation, so it’s for them to adjust to a least-privilege model for these kinds of accounts, but it’s worth researching, and possibly, if you’re deep in a red team gig, it _might_ help when all else fails.

 

PRBLMS?

  • No integrity checks on the executables it’s running (less bad in elevated locations: ProgramData, Program Files, Program Files (x86) etc.)
  • Tasks running as SYSTEM executing files from user-controlled spaces
  • Bypasses SmartScreen because SYSTEM

Ref: https://attack.mitre.org/techniques/T1068/

Side-note: I used ShellterPro to bond my Cobalt Strike payload into sh.exe; that took care of Windows Defender.


While Tenable don’t have a VRP / bug bounty (at the moment?), I was gifted a license for my troubles, but no public acknowledgement … this post will do, I suppose.

Good times.

Thanks Arnie, Leslie, Sarah

A+ Would submit vulns again. (for free stuff)

 

Sent in: 25/07/2019

Fixed: 07/01/2020

Final Thoughts:

Fellow pwners, think about what other systems, services and solutions behave this way, in that something is triggered to enumerate information about the computer (or a program?).

 

The method of identification using this is common to most of us; I’ve delivered short binary/DLL planting guides to audiences at Steelcon and London BSides, but essentially you just need Procmon from Sysinternals. You need your view to show NAME NOT FOUND in the results, and you want all user-writable locations whitelisted in the filter: %appdata%, the $users/ folder, temp locations. If you are assessing an application it’s always worth checking the permissions are set post-install. The user you’re interested in is usually SYSTEM, or, if you’re looking for lateral moves, a low-privilege user reaching other users (that may have other access, in theory). Reach out to me if you want some guides; there are some great ones out there already, and I’m not going to try to best them.
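The Procmon triage described above is easy to automate once the capture is exported to CSV: keep the file-open events that failed with NAME NOT FOUND, keep only those whose path sits under a user-writable root, and keep only those made by the account you care about (SYSTEM by default, or any user when hunting for lateral-movement planting). The script below is an added example written for this post, not Tenable’s code or a Procmon feature; the CSV rows, the process names and the `User` column are constructed sample data, and the list of user-writable roots is an assumption that an assessor would extend with whatever weak post-install ACLs they find.

```python
import csv
import io
import re
from dataclasses import dataclass

# Procmon results that mean the lookup failed, i.e. the path is empty and plantable.
MISSING_RESULTS = {"NAME NOT FOUND", "PATH NOT FOUND"}
# Procmon operations that represent an attempt to open or map a file.
FILE_OPS = {"CreateFile", "Load Image", "QueryOpen"}
# Extensions we care about for binary/DLL planting.
BINARY_EXT = (".exe", ".dll")
# Roots an unprivileged user can normally write to (assumption for this example;
# add any directory whose post-install ACL turns out to be weak).
USER_WRITABLE = re.compile(
    r"^(?:c:\\users\\[^\\]+\\|c:\\windows\\temp\\|c:\\temp\\)", re.IGNORECASE
)
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"


@dataclass(frozen=True)
class Candidate:
    process: str
    user: str
    path: str


def find_planting_candidates(csv_text, privileged_only=True):
    """Return de-duplicated (process, user, path) triples for failed binary
    lookups in user-writable locations. With privileged_only=True only SYSTEM's
    lookups are reported (the LPE case); with False every account is reported
    (the lateral-movement case)."""
    seen, found = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] not in FILE_OPS or row["Result"] not in MISSING_RESULTS:
            continue
        path = row["Path"]
        if not path.lower().endswith(BINARY_EXT) or not USER_WRITABLE.match(path):
            continue
        if privileged_only and row["User"].upper() != SYSTEM_ACCOUNT:
            continue
        cand = Candidate(row["Process Name"], row["User"], path)
        if cand not in seen:          # Procmon repeats the same miss many times
            seen.add(cand)
            found.append(cand)
    return found


# Constructed Procmon CSV export (header matches Procmon's default columns plus
# the optional "User" column). Row 1 is the pattern this post is about; the
# others are distractors: a successful open, a miss in a protected directory,
# a registry miss, and a user-context miss that only matters for lateral moves.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","User"
"10:00:01.0001","nessusd.exe","4120","CreateFile","C:\Users\john.carroll\AppData\Local\Microsoft\WindowsApps\sh.exe","NAME NOT FOUND","Desired Access: Execute","NT AUTHORITY\SYSTEM"
"10:00:01.0002","nessusd.exe","4120","CreateFile","C:\Users\john.carroll\AppData\Local\Microsoft\WindowsApps\sh.exe","NAME NOT FOUND","Desired Access: Execute","NT AUTHORITY\SYSTEM"
"10:00:01.0003","nessusd.exe","4120","CreateFile","C:\Program Files\Tenable\Nessus Agent\nessusd.exe","SUCCESS","Desired Access: Read","NT AUTHORITY\SYSTEM"
"10:00:01.0004","nessusd.exe","4120","CreateFile","C:\Windows\System32\version.dll","NAME NOT FOUND","Desired Access: Read","NT AUTHORITY\SYSTEM"
"10:00:01.0005","nessusd.exe","4120","RegQueryValue","HKLM\SOFTWARE\Tenable\Missing","NAME NOT FOUND","Length: 16","NT AUTHORITY\SYSTEM"
"10:00:02.0001","explorer.exe","2208","CreateFile","C:\Users\john.carroll\AppData\Local\Temp\helper.dll","NAME NOT FOUND","Desired Access: Read","CORP\john.carroll"
'''


if __name__ == "__main__":
    for c in find_planting_candidates(SAMPLE_CSV):
        print(f"[SYSTEM miss in user-writable path] {c.process} -> {c.path}")
    for c in find_planting_candidates(SAMPLE_CSV, privileged_only=False):
        print(f"[any-user miss] {c.process} ({c.user}) -> {c.path}")
```

Against the sample, the default run reports exactly one finding, nessusd.exe looking for sh.exe under the user’s WindowsApps folder; the miss on version.dll is ignored because System32 is not user-writable, and the explorer.exe miss only shows up when `privileged_only=False`. Exporting a real capture with Procmon’s “Save as CSV” (with the User column enabled) and feeding the file in is all that changes for a live assessment.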