Local Privilege Escalation via EXE Hijacking

Local Privilege Escalation (LPE) is a vulnerability that allows a user or application to escalate their privileges on a local machine. EXE hijacking is a technique aimed at getting a Windows application or service to execute a malicious executable file (EXE) located in the same directory as the legitimate executable. This attack method exploits security flaws or configuration errors to execute a malicious file, often allowing an attacker to escalate their privileges on the system.

1. What is EXE Hijacking?

EXE hijacking specifically targets the executable files that an application or service runs. On Windows, when an application wants to execute an executable file, it searches for this file in a specific order through directories. EXE hijacking attacks attempt to exploit this search order to get a malicious file executed instead of the legitimate file.

For example, if an application wants to execute a file named "notepad.exe", the operating system will first look for this file in the application's directory. If there is a malicious "notepad.exe" file in this directory, the operating system will execute it.

2. How Does Privilege Escalation Occur via EXE Hijacking?

An attacker can escalate privileges using an EXE hijacking attack by following these steps:

1. Identify the Target Application or Service: The attacker first identifies an application or service running with high privileges on the system. This is often system services or third-party applications running with administrative privileges.
2. Find a Suitable Target for EXE Hijacking: The attacker examines the executable files that the target application or service attempts to execute. They determine whether the application or service specifies the file path explicitly or searches in system-specific directories. For example, if the application or service runs the command "notepad.exe" instead of "C:\Windows\System32\notepad.exe", the attacker can place a malicious file with the same name in the directory.
3. Place the Malicious EXE File: The attacker places a malicious EXE file with the same name as the original executable in the target directory. This malicious file might be a shell or other malicious software controlled by the attacker.
4. Trigger the Application or Service to Run the Malicious File: The attacker triggers the target application or service to run the malicious file. This can be done through manual user interaction or a scheduled task that runs at a specific time.
5. Privilege Escalation: When the application or service runs the malicious EXE file, it runs with the application's or service's privileges. If the application or service runs with administrative privileges, the malicious file will also run with administrative privileges. Thus, the attacker can elevate from a low-privileged account to an administrative account.

3. Basic Causes of EXE Hijacking

There are several main reasons why EXE hijacking attacks can be successful:

• Incorrect File Path Checking: If an application or service calls a file by only specifying the file name without specifying the full file path, this allows a malicious file to replace the legitimate file.
• Incorrect File Permissions: Incorrectly configured permissions on files in system directories can allow attackers to add files to or modify existing files in these directories.
• Incorrect Directory Search Order: In some versions of Windows, the search order for executable files can allow attackers to perform EXE hijacking attacks by placing files in certain directories.

4. Technical Details and Examples of EXE Hijacking

To better understand EXE hijacking attacks, let’s look at some technical examples:

Example 1: Loading EXE from an Incorrect Path

Suppose a Windows application running in the directory "C:\Program Files\App\myapp.exe" calls the system("notepad.exe") function. If there is a malicious file named "notepad.exe" in this directory, the operating system will first search in this directory and run "C:\Program Files\App\notepad.exe". If this file contains malicious commands, the attacker could run code with administrative privileges.

Example 2: Similarities with DLL Hijacking

EXE hijacking is similar to a DLL hijacking attack. However, DLL hijacking targets dynamically linked libraries (DLL files), while EXE hijacking targets executable files directly. When an application calls the LoadLibrary("example.dll") function, the operating system first searches for the DLL file in the current directory. If a malicious "example.dll" file is present in the same directory, the operating system will load it.

Example 3: EXE Hijacking on Services

A Windows service might be configured to execute a specific EXE file on startup. For example, if a backup service runs a file named "backup.exe" from a specific directory, and this directory is writable by users, the attacker could place a malicious "backup.exe" file in this directory to trigger the service to run the malicious file.

5. Measures to Prevent EXE Hijacking

To protect against EXE hijacking attacks, the following measures can be taken:

• Use Full File Paths: Applications and services should always use the full file path when calling files.
• Properly Configure File and Directory Permissions: File and directory permissions in system directories should be configured to allow write access only to necessary users.
• Manage Directory Search Order: The directory search order in Windows should be managed securely, and access to certain directories should be restricted for critical applications.
• Conduct Security Reviews of Applications and Services: All applications and services should be regularly reviewed for security vulnerabilities.

Demo Application: Privilege Escalation via EXE Hijacking

This demo illustrates an EXE hijacking attack on a Windows operating system.

Requirements

• A Windows machine
• An administrative user account
• PowerShell or CMD capabilities

Step 1: Prepare the Demo Environment

mkdir C:\Temp

Step 2: Create the Malicious EXE File

echo 'Start-Process powershell -ArgumentList "-NoProfile -WindowStyle Hidden -Command `"Start-Sleep 5; Add-LocalGroupMember -Group Administrators -Member hacker`""' > C:\Temp\backup.exe

This command is designed to add a user named "hacker" to the administrators group.

Step 3: Perform the EXE Hijacking Attack

If a service or application is running "backup.exe" from the "C:\Temp" directory, then when the application starts, our malicious file will be executed with administrative privileges.

Step 4: Verify the Privilege Escalation

After the application or service runs the malicious "backup.exe" file, we can check if the "hacker" user has administrative privileges:

net user hacker

If the "hacker" user is listed and has administrative privileges, the EXE hijacking attack has been successfully executed.

Conclusion

EXE hijacking is an effective technique commonly used in local privilege escalation attacks. This article and demo application show how this attack works and how system administrators can protect against such threats. Applications and services should always be configured and monitored according to security best practices.