[Security] SAM temporary file not being deleted may lead to privilege escalation

[tmpsamsam]

All versions of CME < 4.0 are buggy, leave an export of the Windows SAM/LSASecrets registry keys in the following folder: %windir%\system32****.tmp and put a weak DACL.

This security issue appears when the following options are specified : --sam, --lsa and --ntds.

It gives a local user the opportunity to obtain the LM:NT hashes of the local Administrator account (RID 500) and can be used for privilege escalation or lateral movement.

The vulnerable code is in the __retrieveHive function:

[...]
tmpFileName = ''.join([random.choice(string.letters) for _ in range(8)]) + '.tmp'
[...]
rrp.hBaseRegSaveKey(self.__rrp, keyHandle, tmpFileName)
[...]
remoteFileName = RemoteFile(self.__smbConnection, 'SYSTEM32\\'+tmpFileName)
return remoteFileName
[...]

The tmpFileName is never removed.

CME 3.1.5 should be deprecated if you don't remove the tmp files. Please upgrade a CrackMapExec release 4.0.

ʕ•̫͡•ʔ ʕ•̫͡•ʔ ʕ•̫͡•ʔ -- tmpsam

[byt3bl33d3r]

Summoning @asolino as he might want to take a look at this as well. Thanks for the heads up and yes I do agree CMEv3 should be deprecated. Working on porting everything to python 3 atm and will be releasing a new stable version.

Cheers

[byt3bl33d3r]

The only real difference between v3 and v4 is that CME switched to using the same function that impacket's secretdump.py uses. Impacket still does this here:

https://github.com/SecureAuthCorp/impacket/blob/61d24d713c380761a226733b1498905a98ccbe84/impacket/examples/secretsdump.py#L774-L788

So this might be something that Impacket might want to address as well. Although, from a developer's standpoint, robust error handling might be the easiest way to address this especially in CME's case cause of all the threads and stuff

[mpgn]

Closing, the issue seems to be fixed as I don't see any tmp file into system32 folder :) Feel free to reopen if you as this issue again !