![\"Creative](\"https:\/\/i.creativecommons.org\/l\/by-nc-nd\/3.0\/80x15.png\")
<\/a>. Meaning that it can be copied and redistributed at will as long as appropriate credit is given, and it is not sold.<\/p>\nWhen configuring Group Policy, you may have seen the setting “Always install with elevated privileges<\/em>” under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Installer<\/em>.<\/p>\n If this policy is enabled, it forces the Windows Installer service to always use elevated privileges when running an installation package. Naturally this is incredibly dangerous as it essentially grants administrator rights to any users on the system by crafting a custom MSI which launches a program, or a command prompt, or adds themselves to the Administrators group.<\/p>\n The PEVS tool checks for this by seeing if the policy settings has been applied in the computer’s registry.<\/p>\n SysPrep is a tool that comes with Windows and is used when building pre-configured system images for deployment through tools such as Configuration Manager (SCCM). It uses text INF or XML configuration files which specify how the image should deploy to a new machine, and these files could very well contain sensitive information such as usernames and passwords. In most instances, these files are automatically removed when an image is deployed, but we’ve seen reports of them being left behind, along with their tasty contents.<\/p>\n It’s an accepted quirk (or feature) of the CreateProcess<\/em> WinAPI function that unquoted executable paths are parsed left to right, and if you path contains a space, matches in parent directories will take priority over your full path.<\/p>\n What does this mean? Consider the path “C:\\Program Files (x86)\\My Program\\myprogram.exe<\/em>“. Without the quotes, CreateProcess<\/em> will search for executables in the following order:<\/p>\n 1. C:\\Program.exe So you see, in this case a user has the opportunity (if they possess the permission to create files there) to inject executables at 3 points which would be run instead of your program.<\/p>\n This is particularly a problem with Windows Services, because services often run as System and therefore have the highest assignable permissions on the computer, and because the Windows uses CreateProcess<\/em> to launch services.<\/p>\n For this reason, PEVS includes a scan to check all services (excluding those located in C:\\Windows\\System32 and C:\\Windows\\SysWOW64) to make sure that their ImagePath properties have quotes.<\/p>\n Finally, the other way to hijack a Windows Service is to simple modify the registry entry for it to point its ImagePath at another executable of your choice. Of course that portion of the registry usually requires Administrator rights to modify, but we have seen systems configured to all members of the Users group, or indeed the Everyone object, to have write access for some reason. Sometimes this is a mistake of a system administrator, other times its poorly configured third party software making the change.<\/p>\n Either way, PEVS will check all services to make sure that they are properly quoted.<\/p>\n No. PEVS is not a remediation tool, it is simply a scanner to check for potential vulnerabilities that you may want to look into.<\/p>\n Extract the files to somewhere easily accessible and launch a command prompt as Administrator. Note that if you want to scan remote devices, you’ll need administrator rights to them as well.<\/p>\n privesc.exe [hostname] [\/verbose] [\/pause]<\/strong><\/p>\n [hostname] – (Optional) name of the computer to scan.<\/em> If a vulnerability is detected by one of the scans, the return code of the application will be that of the last one found.<\/p>\n 100 – Unquoted Service Paths<\/em> So if an unquoted service path vulnerability is found and Always Install Elevated is enabled, then the return code will be 400. You can also examine the tools output for a full breakdown of its results.<\/p>\n PEVS will work perfectly well as a defined Remote Execute tool, just set it to run without any parameters and Overcee will manage the capture of the return code and output for further analysis later.<\/p>\n More info<\/a><\/p>\n Click the link below to download PEVS.<\/p>\n Privilege Escalation Vulnerability Scan Tool 1.0 (17kb)<\/a><\/p>\n![\"OverLAPS](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2018\/11\/overlaps-800-tall.png\")
<\/a><\/p>\nVulnerabilities<\/h2>\n
1. Always Install Elevated<\/h3>\n
2. SysPrep Configuration Files<\/h3>\n
3. Unquoted Service Paths<\/h3>\n
\n2. C:\\Program Files.exe
\n3. C:\\Program Files (x86)\\My.exe
\n4. C:\\Program Files (x86)\\My Program\\myprogram.exe<\/p>\n4. Service Registry Permissions<\/h3>\n
Does it make any changes?<\/h2>\n
Usage<\/h2>\n
![\"Privilege](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2018\/07\/screenshot4.png\")
<\/p>\n
\n[\/verbose] – (Optional) show additional information.<\/em>
\n[\/pause] – (Optional) Require user input before closing.<\/em><\/p>\nReturn Codes<\/h3>\n
\n300 – Service Registry Permissions<\/em>
\n400 – Always Install Elevated<\/em>
\n500 – SysPrep Configuration Files<\/em><\/p>\nOvercee<\/h2>\n
Download<\/h2>\n
Support \/ Warranty<\/h2>\n