google-code-export / red5

Automatically exported from code.google.com/p/red5

Red5 wrapper.exe service binary has permissive permissions #435

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. When you install red5 as a service on windows the service launches 
wrapper.exe which has permissive file permissions. By this I mean that a normal 
user of the system has full write/modify access to the binary which runs as 
'local system'.
2. This allows privilege escalation from low non-priv user to local system by 
replacing the wrapper.exe binary with cmd.exe for example.
3. This can be verified by running "cacls wrapper.exe" from the command line.

What is the expected output? What do you see instead?
The output from windows cacls command shows that BUILTIN\users:F which 
indicates full write/modify access to the wrapper.exe binary.

What version of the product are you using? On what operating system?
Wrapper 3.3.6 on Windows 7

Please provide any additional information below.

This is a straightforward low > local system privilege escalation. The 
wrapper.exe binary should not have full access permissions for regular users.

For similar issues see:
http://travisaltman.com/windows-privilege-escalation-via-weak-service-permissions/

Original issue reported on code.google.com by myleshos...@gmail.com on 10 Sep 2013 at 11:12

GoogleCodeExporter commented 9 years ago
So how would you propose that someone install the Red5 service then?

Original comment by mondain on 10 Sep 2013 at 3:37

GoogleCodeExporter commented 9 years ago
As it runs as local system (not even sure if that is necessary but that's 
another matter) it requires administrative privileges to install, which is 
fine. But after installing the service the red5 wrapper.exe should no longer 
have the full read/write permission assigned to all local users. A low 
privileged local user can simply replace wrapper.exe with cmd.exe, restart the 
workstation and then they have highly privileged local system access. 

Original comment by myleshos...@gmail.com on 10 Sep 2013 at 3:51
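A defender-side check for the class of weakness described in this thread (the permissive ACL reported in the first post and the tightened permissions asked for in the comment above), as an added example that is not part of this issue or of the Red5 project: a PowerShell script that enumerates installed services, extracts each service's executable, flags ACEs that grant write-capable rights to broad principals such as BUILTIN\Users, and with -Fix rewrites those grants to read-and-execute using icacls. The principal list, the rights mask, the -Fix switch and the function names are this example's own assumptions.

```powershell
# Added example, not Red5 project code. Run from an elevated PowerShell (3.0+) prompt.
[CmdletBinding()]
param(
    [switch]$Fix   # assumption: when set, replace offending grants instead of only reporting
)

# Assumption: principals whose write access to a service binary is never wanted.
$BroadPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Rights that let the holder overwrite, replace or re-permission the file.
# Write, Modify and FullControl all contain WriteData, so they match this mask too.
$WriteMask = [System.Security.AccessControl.FileSystemRights] `
    'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

# Pull the executable out of a Win32_Service PathName such as
#   "C:\Program Files\Red5\wrapper.exe" -s conf\wrapper.conf
# or an unquoted  C:\svc\app.exe -k foo  (cut after the first ".exe").
function Get-ServiceBinaryPath([string]$PathName) {
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    $m = [regex]::Match($p, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}

# Emit every Allow ACE on $Path that gives a broad principal write-capable rights.
function Find-WritableAce([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0) { $ace }
    }
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $bin = Get-ServiceBinaryPath $svc.PathName
    if (-not $bin -or -not (Test-Path -LiteralPath $bin)) { continue }
    foreach ($ace in (Find-WritableAce -Path $bin)) {
        [pscustomobject]@{
            Service   = $svc.Name
            RunsAs    = $svc.StartName      # e.g. LocalSystem, the case in this issue
            Binary    = $bin
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Format-Table -AutoSize

if ($Fix) {
    foreach ($bin in ($findings | Select-Object -ExpandProperty Binary -Unique)) {
        # Convert inherited ACEs to explicit ones so they can be edited, then replace
        # each broad principal's grant with read+execute only (/grant:r overwrites
        # that principal's explicit grant rather than adding to it).
        & icacls.exe $bin /inheritance:d | Out-Null
        $who = $findings | Where-Object Binary -eq $bin |
               Select-Object -ExpandProperty Principal -Unique
        foreach ($principal in $who) {
            & icacls.exe $bin /grant:r "${principal}:(RX)"
        }
    }
}
```

Run it without -Fix first and review the table: a row showing a LocalSystem service whose binary is writable by BUILTIN\Users is exactly the condition the first post found with cacls. Services that deliberately run under a low-privilege account still should not have world-writable binaries, but check that nothing relies on Users being able to update the file before applying -Fix. The script resets only the listed broad principals; Administrators and SYSTEM keep whatever they had.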

GoogleCodeExporter commented 9 years ago
Thanks for the heads-up; we'll probably just add a notice in the installer 
about the possible issue.

Original comment by mondain on 10 Sep 2013 at 3:54

GoogleCodeExporter commented 9 years ago
The tanuki wrapper has been replaced by Apache commons Daemon; it's not yet 
working properly but you can follow the progress here: 
https://github.com/Red5/red5-service

Original comment by mondain on 18 Apr 2014 at 2:46