mirror of
https://github.com/peass-ng/PEASS-ng.git
synced 2026-01-17 23:35:55 -08:00
Compare commits
12 Commits
20260117-a
...
master
| Author | SHA1 | Date | |
|---|---|---|---|
|
9d8a14d2ec | ||
|
|
9c49dfd2bb | ||
|
|
e7663381f2 | ||
|
|
ce5bd84575 | ||
|
|
0ed7a39a7d | ||
|
|
1cdd473d79 | ||
|
|
7016e5a0b4 | ||
|
|
7a5aa8dcae | ||
|
|
fa58c6688b | ||
|
|
3aa04a53fc | ||
|
|
e77867b2d3 | ||
|
|
6c75f10fae |
@@ -1,14 +1,14 @@
|
||||
# Title: Cloud - AWS ECS
|
||||
# ID: CL_AWS_ECS
|
||||
# Author: Carlos Polop
|
||||
# Last Update: 22-08-2023
|
||||
# Last Update: 17-01-2026
|
||||
# Description: AWS ECS Enumeration
|
||||
# License: GNU GPL
|
||||
# Version: 1.0
|
||||
# Functions Used: check_aws_ecs, exec_with_jq, print_2title, print_3title
|
||||
# Global Variables: $aws_ecs_metadata_uri, $aws_ecs_service_account_uri, $is_aws_ecs
|
||||
# Initial Functions: check_aws_ecs
|
||||
# Generated Global Variables: $aws_ecs_req
|
||||
# Generated Global Variables: $aws_ecs_req, $aws_exec_env, $ecs_task_metadata, $launch_type, $network_modes, $imds_tool, $imds_token, $imds_roles, $imds_http_code, $ecs_block_line, $ecs_host_line, $iptables_cmd, $docker_rules, $first_role
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 1
|
||||
|
||||
@@ -44,5 +44,146 @@ if [ "$is_aws_ecs" = "Yes" ]; then
|
||||
else
|
||||
echo "I couldn't find AWS_CONTAINER_CREDENTIALS_RELATIVE_URI env var to get IAM role info (the task is running without a task role probably)"
|
||||
fi
|
||||
|
||||
print_3title "ECS task metadata hints"
|
||||
aws_exec_env=$(printenv AWS_EXECUTION_ENV 2>/dev/null)
|
||||
if [ "$aws_exec_env" ]; then
|
||||
printf "AWS_EXECUTION_ENV=%s\n" "$aws_exec_env"
|
||||
fi
|
||||
|
||||
ecs_task_metadata=""
|
||||
if [ "$aws_ecs_metadata_uri" ]; then
|
||||
ecs_task_metadata=$(eval $aws_ecs_req "$aws_ecs_metadata_uri/task" 2>/dev/null)
|
||||
fi
|
||||
|
||||
if [ "$ecs_task_metadata" ]; then
|
||||
launch_type=$(printf "%s" "$ecs_task_metadata" | grep -oE '"LaunchType":"[^"]+"' | head -n 1 | cut -d '"' -f4)
|
||||
if [ "$launch_type" ]; then
|
||||
printf "ECS LaunchType reported: %s\n" "$launch_type"
|
||||
fi
|
||||
network_modes=$(printf "%s" "$ecs_task_metadata" | grep -oE '"NetworkMode":"[^"]+"' | cut -d '"' -f4 | sort -u | tr '\n' ' ')
|
||||
if [ "$network_modes" ]; then
|
||||
printf "Reported NetworkMode(s): %s\n" "$network_modes"
|
||||
fi
|
||||
else
|
||||
echo "Unable to fetch task metadata (check ECS_CONTAINER_METADATA_URI)."
|
||||
fi
|
||||
echo ""
|
||||
fi
|
||||
|
||||
print_3title "IMDS reachability from this task"
|
||||
imds_token=""
|
||||
imds_roles=""
|
||||
imds_http_code=""
|
||||
imds_tool=""
|
||||
|
||||
if command -v curl >/dev/null 2>&1; then
|
||||
imds_tool="curl"
|
||||
elif command -v wget >/dev/null 2>&1; then
|
||||
imds_tool="wget"
|
||||
fi
|
||||
|
||||
if [ "$imds_tool" = "curl" ]; then
|
||||
imds_token=$(curl -s --connect-timeout 2 --max-time 2 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null)
|
||||
if [ "$imds_token" ]; then
|
||||
printf "[!] IMDSv2 token request succeeded (metadata reachable from this task).\n"
|
||||
imds_roles=$(curl -s --connect-timeout 2 --max-time 2 -H "X-aws-ec2-metadata-token: $imds_token" "http://169.254.169.254/latest/meta-data/iam/security-credentials/" 2>/dev/null | tr '\n' ' ')
|
||||
if [ "$imds_roles" ]; then
|
||||
printf " Instance profile role(s) exposed via IMDS: %s\n" "$imds_roles"
|
||||
first_role=$(printf "%s" "$imds_roles" | awk '{print $1}')
|
||||
if [ "$first_role" ]; then
|
||||
printf " Example: curl -H 'X-aws-ec2-metadata-token: <TOKEN>' http://169.254.169.254/latest/meta-data/iam/security-credentials/%s\n" "$first_role"
|
||||
fi
|
||||
else
|
||||
printf " No IAM role names returned (instance profile might be missing).\n"
|
||||
fi
|
||||
else
|
||||
imds_http_code=$(curl -s -o /dev/null -w "%{http_code}" --connect-timeout 2 --max-time 2 "http://169.254.169.254/latest/meta-data/" 2>/dev/null)
|
||||
case "$imds_http_code" in
|
||||
000|"")
|
||||
printf "[i] IMDS endpoint did not respond (likely blocked via hop-limit or host firewalling).\n"
|
||||
;;
|
||||
401)
|
||||
printf "[i] IMDS requires v2 tokens but token requests are being blocked (bridge-mode tasks rely on this when hop limit = 1).\n"
|
||||
;;
|
||||
*)
|
||||
printf "[i] IMDS GET returned HTTP %s (investigate host configuration).\n" "$imds_http_code"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
elif [ "$imds_tool" = "wget" ]; then
|
||||
imds_token=$(wget -q -O - --timeout=2 --tries=1 --method=PUT --header="X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token" 2>/dev/null)
|
||||
if [ "$imds_token" ]; then
|
||||
printf "[!] IMDSv2 token request succeeded (metadata reachable from this task).\n"
|
||||
imds_roles=$(wget -q -O - --timeout=2 --tries=1 --header="X-aws-ec2-metadata-token: $imds_token" "http://169.254.169.254/latest/meta-data/iam/security-credentials/" 2>/dev/null | tr '\n' ' ')
|
||||
if [ "$imds_roles" ]; then
|
||||
printf " Instance profile role(s) exposed via IMDS: %s\n" "$imds_roles"
|
||||
else
|
||||
printf " No IAM role names returned (instance profile might be missing).\n"
|
||||
fi
|
||||
else
|
||||
wget --server-response -O /dev/null --timeout=2 --tries=1 "http://169.254.169.254/latest/meta-data/" 2>&1 | awk 'BEGIN{code=""} /^ HTTP/{code=$2} END{ if(code!="") { printf("[i] IMDS GET returned HTTP %s (token could not be retrieved).\n", code); } else { print "[i] IMDS endpoint did not respond (likely blocked)."; } }'
|
||||
fi
|
||||
else
|
||||
echo "Neither curl nor wget were found, I can't test IMDS reachability."
|
||||
fi
|
||||
echo ""
|
||||
|
||||
print_3title "ECS agent IMDS settings"
|
||||
if [ -r "/etc/ecs/ecs.config" ]; then
|
||||
ecs_block_line=$(grep -E "^ECS_AWSVPC_BLOCK_IMDS=" /etc/ecs/ecs.config 2>/dev/null | tail -n 1)
|
||||
ecs_host_line=$(grep -E "^ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST=" /etc/ecs/ecs.config 2>/dev/null | tail -n 1)
|
||||
if [ "$ecs_block_line" ]; then
|
||||
printf "%s\n" "$ecs_block_line"
|
||||
if echo "$ecs_block_line" | grep -qi "=true"; then
|
||||
echo " -> awsvpc-mode tasks should be blocked from IMDS by the ECS agent."
|
||||
else
|
||||
echo " -> awsvpc-mode tasks can still reach IMDS (set this to true to block)."
|
||||
fi
|
||||
else
|
||||
echo "ECS_AWSVPC_BLOCK_IMDS not set (awsvpc tasks inherit host IMDS reachability)."
|
||||
fi
|
||||
|
||||
if [ "$ecs_host_line" ]; then
|
||||
printf "%s\n" "$ecs_host_line"
|
||||
if echo "$ecs_host_line" | grep -qi "=false"; then
|
||||
echo " -> Host-network tasks lose IAM task roles but IMDS is blocked."
|
||||
else
|
||||
echo " -> Host-network tasks keep IAM task roles and retain IMDS access."
|
||||
fi
|
||||
else
|
||||
echo "ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST not set (defaults keep IMDS reachable for host-mode tasks)."
|
||||
fi
|
||||
else
|
||||
echo "Cannot read /etc/ecs/ecs.config (file missing or permissions denied)."
|
||||
fi
|
||||
echo ""
|
||||
|
||||
print_3title "DOCKER-USER IMDS filtering"
|
||||
iptables_cmd=""
|
||||
if command -v iptables >/dev/null 2>&1; then
|
||||
iptables_cmd=$(command -v iptables)
|
||||
elif command -v iptables-nft >/dev/null 2>&1; then
|
||||
iptables_cmd=$(command -v iptables-nft)
|
||||
fi
|
||||
|
||||
if [ "$iptables_cmd" ]; then
|
||||
docker_rules=$($iptables_cmd -S DOCKER-USER 2>/dev/null)
|
||||
if [ $? -eq 0 ]; then
|
||||
if [ "$docker_rules" ]; then
|
||||
echo "$docker_rules"
|
||||
else
|
||||
echo "(DOCKER-USER chain exists but no rules were found)"
|
||||
fi
|
||||
if echo "$docker_rules" | grep -q "169\\.254\\.169\\.254"; then
|
||||
echo " -> IMDS traffic is explicitly filtered before Docker NAT."
|
||||
else
|
||||
echo " -> No DOCKER-USER rule drops 169.254.169.254 traffic (bridge tasks rely on hop limit or host firewalling)."
|
||||
fi
|
||||
else
|
||||
echo "Unable to read DOCKER-USER chain (missing chain or insufficient permissions)."
|
||||
fi
|
||||
else
|
||||
echo "iptables binary not found; cannot inspect DOCKER-USER chain."
|
||||
fi
|
||||
echo ""
|
||||
fi
|
||||
|
||||
@@ -74,6 +74,11 @@ winpeas.exe -lolbas #Execute also additional LOLBAS search check
|
||||
|
||||
The goal of this project is to search for possible **Privilege Escalation Paths** in Windows environments.
|
||||
|
||||
New in this version:
|
||||
- Detect potential GPO abuse by flagging writable SYSVOL paths for GPOs applied to the current host and by highlighting membership in the "Group Policy Creator Owners" group.
|
||||
|
||||
- Flag installed OEM utilities such as ASUS DriverHub, MSI Center, Acer Control Centre and Razer Synapse 4, highlighting writable updater folders and world-accessible pipes tied to recent CVEs.
|
||||
|
||||
It should take only a **few seconds** to execute almost all the checks and **some seconds/minutes during the lasts checks searching for known filenames** that could contain passwords (the time depened on the number of files in your home folder). By default only **some** filenames that could contain credentials are searched, you can use the **searchall** parameter to search all the list (this could will add some minutes).
|
||||
|
||||
The tool is based on **[SeatBelt](https://github.com/GhostPack/Seatbelt)**.
|
||||
|
||||
@@ -36,6 +36,7 @@ namespace winPEAS.Checks
|
||||
PrintModifiableServices,
|
||||
PrintWritableRegServices,
|
||||
PrintPathDllHijacking,
|
||||
PrintOemPrivilegedUtilities,
|
||||
PrintLegacySignedKernelDrivers,
|
||||
PrintKernelQuickIndicators,
|
||||
}.ForEach(action => CheckRunner.Run(action, isDebug));
|
||||
@@ -210,6 +211,51 @@ namespace winPEAS.Checks
|
||||
}
|
||||
}
|
||||
|
||||
void PrintOemPrivilegedUtilities()
|
||||
{
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("OEM privileged utilities & risky components");
|
||||
var findings = OemSoftwareHelper.GetPotentiallyVulnerableComponents(Checks.CurrentUserSiDs);
|
||||
|
||||
if (findings.Count == 0)
|
||||
{
|
||||
Beaprint.GoodPrint(" None of the supported OEM utilities were detected.");
|
||||
return;
|
||||
}
|
||||
|
||||
foreach (var finding in findings)
|
||||
{
|
||||
bool hasCves = finding.Cves != null && finding.Cves.Length > 0;
|
||||
string cveSuffix = hasCves ? $" ({string.Join(", ", finding.Cves)})" : string.Empty;
|
||||
Beaprint.BadPrint($" {finding.Name}{cveSuffix}");
|
||||
|
||||
if (!string.IsNullOrWhiteSpace(finding.Description))
|
||||
{
|
||||
Beaprint.GrayPrint($" {finding.Description}");
|
||||
}
|
||||
|
||||
foreach (var evidence in finding.Evidence)
|
||||
{
|
||||
string message = $" - {evidence.Message}";
|
||||
if (evidence.Highlight)
|
||||
{
|
||||
Beaprint.BadPrint(message);
|
||||
}
|
||||
else
|
||||
{
|
||||
Beaprint.GrayPrint(message);
|
||||
}
|
||||
}
|
||||
|
||||
Beaprint.PrintLineSeparator();
|
||||
}
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.PrintException(ex.Message);
|
||||
}
|
||||
}
|
||||
|
||||
void PrintLegacySignedKernelDrivers()
|
||||
{
|
||||
@@ -352,4 +398,3 @@ namespace winPEAS.Checks
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -0,0 +1,458 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Diagnostics;
|
||||
using System.IO;
|
||||
using System.Security.AccessControl;
|
||||
using System.Security.Principal;
|
||||
using System.ServiceProcess;
|
||||
using winPEAS.Helpers;
|
||||
|
||||
namespace winPEAS.Info.ServicesInfo
|
||||
{
|
||||
internal static class OemSoftwareHelper
|
||||
{
|
||||
internal static List<OemSoftwareFinding> GetPotentiallyVulnerableComponents(Dictionary<string, string> currentUserSids)
|
||||
{
|
||||
var findings = new List<OemSoftwareFinding>();
|
||||
var services = GetServiceSnapshot();
|
||||
var processes = GetProcessSnapshot();
|
||||
|
||||
foreach (var definition in GetDefinitions())
|
||||
{
|
||||
var finding = new OemSoftwareFinding
|
||||
{
|
||||
Name = definition.Name,
|
||||
Description = definition.Description,
|
||||
Cves = definition.Cves,
|
||||
};
|
||||
|
||||
AppendServiceEvidence(definition, services, finding);
|
||||
AppendProcessEvidence(definition, processes, finding);
|
||||
AppendPathEvidence(definition, currentUserSids, finding);
|
||||
AppendPipeEvidence(definition, finding);
|
||||
|
||||
if (finding.Evidence.Count > 0)
|
||||
{
|
||||
findings.Add(finding);
|
||||
}
|
||||
}
|
||||
|
||||
return findings;
|
||||
}
|
||||
|
||||
private static void AppendServiceEvidence(OemComponentDefinition definition, List<ServiceSnapshot> services, OemSoftwareFinding finding)
|
||||
{
|
||||
if (definition.ServiceHints == null || definition.ServiceHints.Length == 0)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
foreach (var serviceHint in definition.ServiceHints)
|
||||
{
|
||||
foreach (var service in services)
|
||||
{
|
||||
if (ContainsIgnoreCase(service.Name, serviceHint) ||
|
||||
ContainsIgnoreCase(service.DisplayName, serviceHint))
|
||||
{
|
||||
finding.Evidence.Add(new OemEvidence
|
||||
{
|
||||
EvidenceType = "service",
|
||||
Highlight = true,
|
||||
Message = $"Service '{service.Name}' (Display: {service.DisplayName}) matches indicator '{serviceHint}'"
|
||||
});
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private static void AppendProcessEvidence(OemComponentDefinition definition, List<ProcessSnapshot> processes, OemSoftwareFinding finding)
|
||||
{
|
||||
if (definition.ProcessHints == null || definition.ProcessHints.Length == 0)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
foreach (var processHint in definition.ProcessHints)
|
||||
{
|
||||
foreach (var process in processes)
|
||||
{
|
||||
bool matchesName = ContainsIgnoreCase(process.Name, processHint);
|
||||
bool matchesPath = ContainsIgnoreCase(process.FullPath, processHint);
|
||||
|
||||
if (matchesName || matchesPath)
|
||||
{
|
||||
var location = string.IsNullOrWhiteSpace(process.FullPath) ? "Unknown" : process.FullPath;
|
||||
finding.Evidence.Add(new OemEvidence
|
||||
{
|
||||
EvidenceType = "process",
|
||||
Highlight = true,
|
||||
Message = $"Process '{process.Name}' (Path: {location}) matches indicator '{processHint}'"
|
||||
});
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private static void AppendPathEvidence(OemComponentDefinition definition, Dictionary<string, string> currentUserSids, OemSoftwareFinding finding)
|
||||
{
|
||||
if ((definition.DirectoryHints == null || definition.DirectoryHints.Length == 0) &&
|
||||
(definition.FileHints == null || definition.FileHints.Length == 0))
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
if (definition.DirectoryHints != null)
|
||||
{
|
||||
foreach (var dirHint in definition.DirectoryHints)
|
||||
{
|
||||
var expandedPath = ExpandPath(dirHint.Path);
|
||||
if (!Directory.Exists(expandedPath))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
var permissions = PermissionsHelper.GetPermissionsFolder(expandedPath, currentUserSids, PermissionType.WRITEABLE_OR_EQUIVALENT);
|
||||
bool isWritable = permissions.Count > 0;
|
||||
|
||||
finding.Evidence.Add(new OemEvidence
|
||||
{
|
||||
EvidenceType = "path",
|
||||
Highlight = isWritable,
|
||||
Message = BuildPathMessage(expandedPath, dirHint.Description, isWritable, permissions)
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
if (definition.FileHints != null)
|
||||
{
|
||||
foreach (var fileHint in definition.FileHints)
|
||||
{
|
||||
var expandedPath = ExpandPath(fileHint);
|
||||
if (!File.Exists(expandedPath))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
var permissions = PermissionsHelper.GetPermissionsFile(expandedPath, currentUserSids, PermissionType.WRITEABLE_OR_EQUIVALENT);
|
||||
bool isWritable = permissions.Count > 0;
|
||||
|
||||
finding.Evidence.Add(new OemEvidence
|
||||
{
|
||||
EvidenceType = "file",
|
||||
Highlight = isWritable,
|
||||
Message = BuildPathMessage(expandedPath, "file", isWritable, permissions)
|
||||
});
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private static void AppendPipeEvidence(OemComponentDefinition definition, OemSoftwareFinding finding)
|
||||
{
|
||||
if (definition.PipeHints == null)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
foreach (var pipeHint in definition.PipeHints)
|
||||
{
|
||||
try
|
||||
{
|
||||
var path = $"\\\\.\\pipe\\{pipeHint.Name}";
|
||||
var security = File.GetAccessControl(path);
|
||||
string sddl = security.GetSecurityDescriptorSddlForm(AccessControlSections.All);
|
||||
string identity = string.Empty;
|
||||
string rights = string.Empty;
|
||||
bool worldWritable = false;
|
||||
|
||||
if (pipeHint.CheckWorldWritable)
|
||||
{
|
||||
worldWritable = HasWorldWritableAce(security, out identity, out rights);
|
||||
}
|
||||
|
||||
string details = worldWritable
|
||||
? $"Named pipe '{pipeHint.Name}' ({pipeHint.Description}) is writable by {identity} ({rights})."
|
||||
: $"Named pipe '{pipeHint.Name}' ({pipeHint.Description}) present. SDDL: {sddl}";
|
||||
|
||||
finding.Evidence.Add(new OemEvidence
|
||||
{
|
||||
EvidenceType = "pipe",
|
||||
Highlight = worldWritable,
|
||||
Message = details
|
||||
});
|
||||
}
|
||||
catch (FileNotFoundException)
|
||||
{
|
||||
// Pipe not present.
|
||||
}
|
||||
catch (DirectoryNotFoundException)
|
||||
{
|
||||
// Pipe namespace not accessible.
|
||||
}
|
||||
catch (Exception)
|
||||
{
|
||||
// Best effort: pipes might disappear during enumeration or deny access.
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private static List<ServiceSnapshot> GetServiceSnapshot()
|
||||
{
|
||||
var services = new List<ServiceSnapshot>();
|
||||
|
||||
try
|
||||
{
|
||||
foreach (var service in ServiceController.GetServices())
|
||||
{
|
||||
services.Add(new ServiceSnapshot
|
||||
{
|
||||
Name = service.ServiceName ?? string.Empty,
|
||||
DisplayName = service.DisplayName ?? string.Empty
|
||||
});
|
||||
}
|
||||
}
|
||||
catch (Exception)
|
||||
{
|
||||
// Ignore - this is best effort.
|
||||
}
|
||||
|
||||
return services;
|
||||
}
|
||||
|
||||
private static List<ProcessSnapshot> GetProcessSnapshot()
|
||||
{
|
||||
var processes = new List<ProcessSnapshot>();
|
||||
|
||||
try
|
||||
{
|
||||
foreach (var process in Process.GetProcesses())
|
||||
{
|
||||
string fullPath = string.Empty;
|
||||
try
|
||||
{
|
||||
fullPath = process.MainModule?.FileName ?? string.Empty;
|
||||
}
|
||||
catch
|
||||
{
|
||||
// Access denied or 64-bit vs 32-bit mismatch.
|
||||
}
|
||||
|
||||
processes.Add(new ProcessSnapshot
|
||||
{
|
||||
Name = process.ProcessName ?? string.Empty,
|
||||
FullPath = fullPath ?? string.Empty
|
||||
});
|
||||
}
|
||||
}
|
||||
catch (Exception)
|
||||
{
|
||||
// Ignore - enumeration is best effort.
|
||||
}
|
||||
|
||||
return processes;
|
||||
}
|
||||
|
||||
private static string ExpandPath(string rawPath)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(rawPath))
|
||||
{
|
||||
return string.Empty;
|
||||
}
|
||||
|
||||
var expanded = Environment.ExpandEnvironmentVariables(rawPath);
|
||||
return expanded.Trim().Trim('"');
|
||||
}
|
||||
|
||||
private static string BuildPathMessage(string path, string description, bool isWritable, List<string> permissions)
|
||||
{
|
||||
string descriptor = string.IsNullOrWhiteSpace(description) ? "" : $" ({description})";
|
||||
if (isWritable)
|
||||
{
|
||||
return $"Path '{path}'{descriptor} is writable by current user: {string.Join(", ", permissions)}";
|
||||
}
|
||||
|
||||
return $"Path '{path}'{descriptor} detected.";
|
||||
}
|
||||
|
||||
private static bool ContainsIgnoreCase(string value, string toFind)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(value) || string.IsNullOrWhiteSpace(toFind))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
return value.IndexOf(toFind, StringComparison.OrdinalIgnoreCase) >= 0;
|
||||
}
|
||||
|
||||
private static bool HasWorldWritableAce(FileSecurity security, out string identity, out string rights)
|
||||
{
|
||||
identity = string.Empty;
|
||||
rights = string.Empty;
|
||||
|
||||
try
|
||||
{
|
||||
var rules = security.GetAccessRules(true, true, typeof(SecurityIdentifier));
|
||||
foreach (FileSystemAccessRule rule in rules)
|
||||
{
|
||||
if (rule.AccessControlType != AccessControlType.Allow)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
if (rule.IdentityReference is SecurityIdentifier sid)
|
||||
{
|
||||
bool isWorld = sid.IsWellKnown(WellKnownSidType.WorldSid);
|
||||
bool isAuthenticated = sid.IsWellKnown(WellKnownSidType.AuthenticatedUserSid);
|
||||
|
||||
if (!isWorld && !isAuthenticated)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
const FileSystemRights interestingRights =
|
||||
FileSystemRights.FullControl |
|
||||
FileSystemRights.Modify |
|
||||
FileSystemRights.Write |
|
||||
FileSystemRights.WriteData |
|
||||
FileSystemRights.CreateFiles |
|
||||
FileSystemRights.ChangePermissions;
|
||||
|
||||
if ((rule.FileSystemRights & interestingRights) != 0)
|
||||
{
|
||||
identity = isWorld ? "Everyone" : "Authenticated Users";
|
||||
rights = rule.FileSystemRights.ToString();
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
catch
|
||||
{
|
||||
// Ignore parsing issues.
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
private static IEnumerable<OemComponentDefinition> GetDefinitions()
|
||||
{
|
||||
return new List<OemComponentDefinition>
|
||||
{
|
||||
new OemComponentDefinition
|
||||
{
|
||||
Name = "ASUS DriverHub",
|
||||
Description = "Local web API exposed by ADU.exe allowed bypassing origin/url validation and signature checks.",
|
||||
Cves = new[] { "CVE-2025-3462", "CVE-2025-3463" },
|
||||
ServiceHints = new[] { "asusdriverhub", "asus driverhub" },
|
||||
ProcessHints = new[] { "adu", "asusdriverhub" },
|
||||
DirectoryHints = new[]
|
||||
{
|
||||
new PathHint { Path = "%ProgramFiles%\\ASUS\\AsusDriverHub", Description = "Program Files" },
|
||||
new PathHint { Path = "%ProgramFiles(x86)%\\ASUS\\AsusDriverHub", Description = "Program Files (x86)" },
|
||||
new PathHint { Path = "%ProgramData%\\ASUS\\AsusDriverHub\\SupportTemp", Description = "SupportTemp updater staging" }
|
||||
},
|
||||
FileHints = new[]
|
||||
{
|
||||
"%ProgramData%\\ASUS\\AsusDriverHub\\SupportTemp\\Installer.json"
|
||||
}
|
||||
},
|
||||
new OemComponentDefinition
|
||||
{
|
||||
Name = "MSI Center",
|
||||
Description = "MSI.CentralServer.exe exposed TCP commands with TOCTOU and signature bypass issues.",
|
||||
Cves = new[] { "CVE-2025-27812", "CVE-2025-27813" },
|
||||
ServiceHints = new[] { "msi.center", "msi centralserver" },
|
||||
ProcessHints = new[] { "msi.centralserver", "msi center" },
|
||||
DirectoryHints = new[]
|
||||
{
|
||||
new PathHint { Path = "%ProgramFiles%\\MSI\\MSI Center", Description = "Main installation" },
|
||||
new PathHint { Path = "%ProgramFiles(x86)%\\MSI\\MSI Center", Description = "Main installation (x86)" },
|
||||
new PathHint { Path = "%ProgramData%\\MSI\\MSI Center", Description = "Shared data" },
|
||||
new PathHint { Path = "%ProgramData%\\MSI Center SDK", Description = "SDK temp copy location" }
|
||||
}
|
||||
},
|
||||
new OemComponentDefinition
|
||||
{
|
||||
Name = "Acer Control Centre",
|
||||
Description = "ACCSvc.exe exposes treadstone_service_LightMode named pipe with weak impersonation controls.",
|
||||
Cves = new[] { "CVE-2025-5491" },
|
||||
ServiceHints = new[] { "accsvc", "acer control" },
|
||||
ProcessHints = new[] { "accsvc", "accstd" },
|
||||
DirectoryHints = new[]
|
||||
{
|
||||
new PathHint { Path = "%ProgramFiles%\\Acer\\Care Center", Description = "Install directory" },
|
||||
new PathHint { Path = "%ProgramFiles(x86)%\\Acer\\Care Center", Description = "Install directory (x86)" }
|
||||
},
|
||||
PipeHints = new[]
|
||||
{
|
||||
new PipeHint { Name = "treadstone_service_LightMode", Description = "Command dispatcher", CheckWorldWritable = true }
|
||||
}
|
||||
},
|
||||
new OemComponentDefinition
|
||||
{
|
||||
Name = "Razer Synapse 4 Elevation Service",
|
||||
Description = "razer_elevation_service.exe exposes COM elevation helpers that allowed arbitrary process launch.",
|
||||
Cves = new[] { "CVE-2025-27811" },
|
||||
ServiceHints = new[] { "razer_elevation_service" },
|
||||
ProcessHints = new[] { "razer_elevation_service" },
|
||||
DirectoryHints = new[]
|
||||
{
|
||||
new PathHint { Path = "%ProgramFiles%\\Razer\\RazerAppEngine", Description = "Razer App Engine" },
|
||||
new PathHint { Path = "%ProgramFiles(x86)%\\Razer\\RazerAppEngine", Description = "Razer App Engine (x86)" }
|
||||
}
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
private class ServiceSnapshot
|
||||
{
|
||||
public string Name { get; set; }
|
||||
public string DisplayName { get; set; }
|
||||
}
|
||||
|
||||
private class ProcessSnapshot
|
||||
{
|
||||
public string Name { get; set; }
|
||||
public string FullPath { get; set; }
|
||||
}
|
||||
|
||||
private class OemComponentDefinition
|
||||
{
|
||||
public string Name { get; set; }
|
||||
public string Description { get; set; }
|
||||
public string[] Cves { get; set; } = Array.Empty<string>();
|
||||
public string[] ServiceHints { get; set; } = Array.Empty<string>();
|
||||
public string[] ProcessHints { get; set; } = Array.Empty<string>();
|
||||
public PathHint[] DirectoryHints { get; set; } = Array.Empty<PathHint>();
|
||||
public string[] FileHints { get; set; } = Array.Empty<string>();
|
||||
public PipeHint[] PipeHints { get; set; } = Array.Empty<PipeHint>();
|
||||
}
|
||||
|
||||
private class PathHint
|
||||
{
|
||||
public string Path { get; set; }
|
||||
public string Description { get; set; }
|
||||
}
|
||||
|
||||
private class PipeHint
|
||||
{
|
||||
public string Name { get; set; }
|
||||
public string Description { get; set; }
|
||||
public bool CheckWorldWritable { get; set; }
|
||||
}
|
||||
}
|
||||
|
||||
internal class OemSoftwareFinding
|
||||
{
|
||||
public string Name { get; set; }
|
||||
public string Description { get; set; }
|
||||
public string[] Cves { get; set; } = Array.Empty<string>();
|
||||
public List<OemEvidence> Evidence { get; } = new List<OemEvidence>();
|
||||
}
|
||||
|
||||
internal class OemEvidence
|
||||
{
|
||||
public string EvidenceType { get; set; }
|
||||
public string Message { get; set; }
|
||||
public bool Highlight { get; set; }
|
||||
}
|
||||
}
|
||||
@@ -1463,6 +1463,7 @@
|
||||
<DependentUpon>Resources.resx</DependentUpon>
|
||||
</Compile>
|
||||
<Compile Include="Info\ServicesInfo\ServicesInfoHelper.cs" />
|
||||
<Compile Include="Info\ServicesInfo\OemSoftwareHelper.cs" />
|
||||
<Compile Include="Info\SystemInfo\SystemInfo.cs" />
|
||||
<Compile Include="Info\UserInfo\UserInfoHelper.cs" />
|
||||
<Compile Include="Helpers\DomainHelper.cs" />
|
||||
|
||||
Reference in New Issue
Block a user