Wednesday, September 22, 2021

Trojan.Win32.Agent.xaamkd Insecure Permissions

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/095651e1704b501123b41ea2e9736820.txt
Contact: [email protected]
Media: twitter.com/malvuln

Threat: Trojan.Win32.Agent.xaamkd
Vulnerability: Insecure Permissions
Description: The malware creates an dir with insecure permissions under c:\ drive and grants change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges.
Type: PE32
MD5: 095651e1704b501123b41ea2e9736820
Vuln ID: MVID-2021-0342
Disclosure: 09/20/2021


Exploit/PoC:
C:\>cacls SangClub
C:\SangClub BUILTIN\Administrators:(OI)(CI)(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C

C:\>dir SangClub
Volume in drive C has no label.

Directory of C:\SangClub

03/17/2015 06:08 AM 172,032 AniGIF.ocx
11/06/2009 07:56 AM 34,882 audioplay.swf
01/16/2009 09:06 AM 566,272 bsFileClientSDK.dll
06/24/2018 02:06 AM 177,525 CandleFormation.SS7
06/24/2018 02:06 AM 39,164 CandleFormUsers.SS7
11/02/2007 01:36 AM 1,337,264 Codejock.Controls.v11.2.1.ocx
04/22/2012 10:01 PM 1,931,256 Codejock.Controls.v15.2.1.0423.ocx
07/05/2012 09:28 AM 103 CommInfo.ini
09/17/2021 08:07 PM DIR dat
06/15/2003 09:05 AM 133,632 DWEASY36.OCX
06/15/2003 09:02 AM 115,712 DWSBC36.OCX
10/26/2003 12:02 AM 145,920 DWSHK36.OCX
09/14/2003 04:30 PM 77,824 DWSPY36.dll
04/22/1999 09:50 AM 14,848 dwspy5.dll
10/13/1999 01:00 AM 122,880 dwspyvb6.dll
02/22/2007 05:27 AM 344,064 FLICapture.dll
04/22/2011 11:44 AM 335,872 fmtkit60.dll
08/17/1999 08:54 PM 180,224 ijl11.dll
09/17/2021 08:07 PM DIR Image
07/21/1998 11:00 AM 13,824 INETKO.DLL
05/28/2019 10:02 AM 3,565,736 JetSound.exe
05/28/2019 09:49 AM 751,464 LiveStart.exe
03/08/2004 10:00 AM 132,880 MSINET.OCX
06/01/2011 02:58 AM 27 Regcom.bat
03/22/2009 03:47 AM 10,000 regsvr32.exe
11/16/2016 07:44 AM 515,064 SabuStart.exe
05/28/2019 09:49 AM 128,872 SangCapture.exe
06/22/2019 11:57 PM 12,318,776 SangClub.exe
03/28/2008 12:44 AM 143,360 Sangcomm.dll
05/28/2019 09:50 AM 4,081,512 SangPlayer.exe
05/29/2019 12:27 AM 3,629 ScoreList.SS7
03/17/2015 06:08 AM 77,824 Shape.ocx
02/01/2007 08:51 AM 626,688 SKComdCM.dll
02/01/2007 08:51 AM 53,248 SKComdEM.dll
02/01/2007 08:51 AM 503,808 SKComdIF.dll
02/01/2007 08:51 AM 73,728 SKComdSC.dll
12/26/2006 09:30 PM 65,536 SKCommIC.dll
04/07/2007 05:08 AM 63,120 skcommtm.exe
11/26/2006 08:42 PM 28,672 SKCommWB.exe
09/17/2021 08:07 PM DIR Skins
01/20/2006 02:00 AM 223,232 sqlite3.dll
09/17/2021 08:07 PM DIR Sys
05/28/2019 09:50 AM 4,970,344 VODPlayer.exe
03/21/2006 09:45 PM 292,696 XceedFtp.dll
01/10/2001 04:12 AM 147,456 XecureS.dll
01/05/2017 07:49 PM 237,568 XingAPI.dll
01/02/2017 06:30 AM 28,672 xingAPI4VB.dll
43 File(s) 34,787,210 bytes

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
 

Copyright © 2021 Vulnerability Database | Cyber Details™

thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore