~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~
Vulnerability Summary
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~
Title            Nessus Authenticated Scan - Local Privilege Escalation
Release Date     20 March 2014
Reference        NGS00643
Discoverer       Neil Jones
Vendor           Tenable
Vendor Reference RWZ-21387-181
Systems Affected Nessus appliance, engine version 5.2.1, with plugin set
                 201402092115
Risk             High
Status           Fixed
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~
Resolution Timeline
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~
Discovered  29 January 2014
Released    29 January 2014
Reported    18 February 2014
Fixed       6 March 2014
Published   20 March 2014
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~
Vulnerability Description
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~
An authenticated Nessus scan of a target machine may result in local
privilege escalation on that target machine if it is scanned with the
Malicious Process Detection plugin (Plugin ID 59275). The plugin created a
service that ran as SYSTEM, but the service binary could be modified by a
low-privileged user, allowing that user to run arbitrary code as SYSTEM.

The main attack vector is large organisations that routinely run
authenticated scans for security auditing purposes: every scan of a machine
gives a local user on that machine an opportunity to gain SYSTEM, and once a
user has SYSTEM access on one machine they would likely be able to escalate
their privileges to Domain Administrator by other means.
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~
Technical Details
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~
The vulnerability was caused by the Malicious Process Detection plugin
(Plugin ID 59275). The plugin created a service that gathered privileged
information from the target system. To do so it wrote a binary with a static
(unchanging) name into the system Temp folder, for example:

"C:\Windows\Temp\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe"

A service was then created to run this binary, and the service was set to
start automatically at boot. Because the path is predictable and the system
Temp folder allows ordinary users to create files, a low-privileged user can
exploit this as follows. Before the scan, the user creates a file at the
static path. Creating it first matters: Windows fixes a file's owner and ACL
when the file is created, and overwriting an existing file's contents leaves
them untouched, so a file created by the low-privileged user stays writable
by that user. Once the scan is in progress the Nessus plugin overwrites the
file with its own binary and registers the auto-start service. The
low-privileged user then overwrites the binary again with an executable of
their choosing and reboots the machine (which a low-privileged user is
permitted to do); on boot the service runs the user's binary as SYSTEM.

Because the Nessus scan is still in progress when the machine comes back up,
the plugin's clean-up step still runs and deletes both the binary and the
service, so the artefacts of the attack are removed automatically.
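The following PowerShell audit script is an added example written for this
page; it is not NCC Group's proof of concept and not Tenable's plugin code.
It checks a scanned Windows host for the general condition behind this
vulnerability (a service whose executable, or the directory holding it, is
writable by ordinary users) and then looks for the plugin's own traces: a
binary in the system Temp folder and the Service Control Manager's "A
service was installed in the system" event (Event ID 7045 in the System
log, which Windows records for every newly installed service). The file
pattern tenable_mw_scan_*.exe is an assumption generalised from the single
example path in the advisory, and the list of low-privilege identities is
the script's own choice.

```powershell
# Added audit example for this advisory. Not NCC Group's proof of concept and
# not Tenable's plugin code. Run in an elevated PowerShell session on a host
# that is in scope for authenticated Nessus scans.
#
# Part 1: services whose binary can be replaced by a low-privileged user.
# Part 2: the plugin's own artefacts (assumed file pattern) and the SCM's
#         "service installed" events (Event ID 7045).

# Identities that stand for "any ordinary user". 'CREATOR OWNER' appears only
# as an inherit-only ACE on directories: whoever creates a file there gets
# these rights on that file, which is what pre-creating the binary relied on.
$LowPrivIdentities = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE',
    'CREATOR OWNER'
)

# Rights that let a user replace a file, or add/remove files in a directory
# (on a directory, WriteData means "create files").
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments, e.g.
    #   "C:\Program Files\x\svc.exe" -k foo     or     C:\Windows\svc.exe -k foo
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return $null
}

function Test-LowPrivWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) { return $true }
    }
    return $false
}

function Get-ServicesWithWritableBinaries {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $bin = Get-ServiceBinaryPath $_.PathName
        if (-not $bin) { return }                 # skip unparseable image paths
        $dir = Split-Path -Parent $bin
        $fileWritable = Test-LowPrivWritable $bin
        $dirWritable  = Test-LowPrivWritable $dir
        if ($fileWritable -or $dirWritable) {
            [pscustomobject]@{
                Service      = $_.Name
                StartMode    = $_.StartMode       # 'Auto' is the case in this advisory
                RunsAs       = $_.StartName       # 'LocalSystem' is SYSTEM
                Binary       = $bin
                FileWritable = $fileWritable
                DirWritable  = $dirWritable
            }
        }
    }
}

function Find-TenableScanArtefacts {
    # Assumption: the plugin binary keeps the tenable_mw_scan_<hash>.exe form
    # shown in the advisory; the hash part may differ between plugin versions.
    $tempDir = Join-Path $env:SystemRoot 'Temp'
    $files = Get-ChildItem -LiteralPath $tempDir -Filter 'tenable_mw_scan_*.exe' -ErrorAction SilentlyContinue
    # The plugin deletes its service and binary when the scan finishes, so the
    # file check only catches a scan in flight. Event 7045 in the System log
    # persists afterwards and names both the service and its image path.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*tenable_mw_scan_*' }
    [pscustomobject]@{
        BinariesPresent = @($files | ForEach-Object FullName)
        InstallEvents   = @($events | ForEach-Object {
            $details = ($_.Message -split "`r?`n" | Where-Object { $_ -match '^Service (Name|File Name):' }) -join '; '
            '{0:u}  {1}' -f $_.TimeCreated, $details
        })
    }
}

Write-Host '== Services whose binary or binary directory is writable by ordinary users =='
Get-ServicesWithWritableBinaries | Format-Table -AutoSize

Write-Host '== Malicious Process Detection plugin artefacts =='
Find-TenableScanArtefacts | Format-List
```

Any service listed in the first table with StartMode 'Auto', RunsAs
'LocalSystem' and a writable binary or directory has the same shape as the
service this plugin created and deserves the same scrutiny, whether or not
it comes from a scanner.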
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~
Fix Information
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~
The plugin has been updated; the vulnerability is fixed by updating the
plugin set on your scanner.

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~
NCC Group
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~
Research https://www.nccgroup.com/research
Twitter https://www.twitter.com/NCCGroupInfoSec / @NCCGroupInfoSec
Open Source https://github.com/nccgroup
Blog https://www.nccgroup.com/en/blog/cyber-security/
SlideShare http://www.slideshare.net/NCC_Group/