Participant
May 19, 2023
Question

At least one improperly configured Windows service may have a privilege escalation vulnerability.

  • May 19, 2023
  • 4 replies
  • 1575 views

How do you remediate the issue below after a Tenable scan reports the following?


Plugin Output:
Path : c:\coldfusion2018\cfusion\bin\coldfusionsvc.exe
Used by services : ColdFusion 2018 Application Server
File write allowed for groups : Authenticated Users (S-1-5-11)

Path : c:\coldfusion2018\cfusion\db\slserver54\bin\swagent.exe
Used by services : ColdFusion 2018 ODBC Agent
File write allowed for groups : Authenticated Users (S-1-5-11)

Path : c:\coldfusion2018\cfusion\db\slserver54\bin\swstrtr.exe
Used by services : ColdFusion 2018 ODBC Server
File write allowed for groups : Authenticated Users (S-1-5-11)

Path : c:\coldfusion2018\cfusion\jetty\jetty.exe
Used by services : ColdFusion2018Add-onServices
File write allowed for groups : Authenticated Users (S-1-5-11)

Path : c:\coldfusion2018\cfusion\jnbridge\cfdotnetsvc.exe
Used by services : ColdFusion 2018 .NET Service
File write allowed for groups : Authenticated Users (S-1-5-11)


    Participating Frequently
    May 19, 2023


    Based on the Tenable scan report you provided, it appears that the ColdFusion 2018 application server and its associated components have file write permissions allowed for the "Authenticated Users" group (S-1-5-11). This could potentially pose a security risk as it allows any authenticated user on the system to modify these files.

    Community Expert
    May 19, 2023

    The "Authenticated Users" group is a dynamic one, consisting of any user who's successfully authenticated. You can restrict these directories to the CF user account and an administrator.


    Dave Watts, Eidolon LLC 

    Charlie Arehart
    Community Expert
    May 19, 2023

    Hey, Dave. In your experience, does that message they showed add that number--in their case, (S-1-5-11)--when displaying it, and when indeed it's the only group of that name (authenticated users) on that system?


    I'd thought I'd seen that number added when it was not, but I could be confusing matters. 


    Anyway, let's all see what the OP may offer. We 3 musketeers have given them plenty to consider.  🙂


    Also, Dave, please see a direct message I'd sent within here a couple of days ago. (I often miss them, myself.) 

    /Charlie (troubleshooter, carehart. org)
    BKBK
    Community Expert
    May 19, 2023

    @uhururuto12 , you can find out the details of the user(s) S-1-5-11. To do so, proceed as follows:

    1.  Download the ZIP file LogonSessions from the Microsoft website.
    2.  Copy the downloaded file, LogonSessions.zip, to C:\temp. Extract it there.
           The resulting directory, C:\temp\logonSessions, contains the files Eula.txt, logonsessions.exe, logonsessions64.exe and logonsessions64a.exe. 
    3.  Still inside C:\temp, create a file containing the following commands:
            @ECHO OFF
            :: This batch file reveals Windows log-on processes.
            C:\temp\logonSessions\logonsessions64.exe -p
            PAUSE
        and save it as getLogonSessions.bat

    4.  Right-click on C:\temp\getLogonSessions.bat and select Run as Administrator.
    5.  Scroll along in the CMD window and locate the sessions with an Sid value of S-1-5-11.
    BKBK
    Community Expert
    May 19, 2023

    Strange. I suspect that something was changed in your ColdFusion 2018 installation.


    I say this because, when ColdFusion is installed, the files in the following directories are Read-Only by default:

    • c:\coldfusion2018\cfusion\bin
    • c:\coldfusion2018\cfusion\db\slserver54\bin
    • c:\coldfusion2018\cfusion\jetty
    • c:\coldfusion2018\cfusion\jnbridge


    Take the first directory, for example. If you navigate to c:\coldfusion2018\cfusion\, right-click on bin and select Properties, you should see something like:


    Charlie Arehart
    Community Expert
    May 19, 2023

    You'd want to identify the group (S-1-5-11) and its users, and decide whether to remove its permissions from that folder--or remove the group if it's some old unneeded one (the name seems unusual).


    The only user that needs write access to that folder is the user running the cf odbc services (viewable in the Windows Services panel), which by default is the System account (and which has write permission by default). 

    /Charlie (troubleshooter, carehart. org)
    Participant
    May 19, 2023

    Can I remove the authenticated users and then add Local system? Will that break anything?

    Community Expert
    May 19, 2023

    That should work fine, assuming CF and related services are running in the Local System security context.


    Dave Watts, Eidolon LLC 

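Pulling together Dave's advice to restrict the directories, Charlie's point that only the service account (SYSTEM by default) needs write access, and the S-1-5-11 lookup BKBK describes, here is an added PowerShell audit script; it is not from any of the posters. It assumes an elevated prompt, the binary paths exactly as the Tenable output lists them, and services running as Local System, so that removing the Authenticated Users entries leaves SYSTEM's and Administrators' own entries intact.

```powershell
# Added example (not from the thread): audit the ColdFusion 2018 service binaries
# named in the Tenable output and strip write ACEs held by Authenticated Users
# (S-1-5-11). Run from an elevated PowerShell prompt. Paths copied from the scan.
$Paths = @(
    'c:\coldfusion2018\cfusion\bin\coldfusionsvc.exe',
    'c:\coldfusion2018\cfusion\db\slserver54\bin\swagent.exe',
    'c:\coldfusion2018\cfusion\db\slserver54\bin\swstrtr.exe',
    'c:\coldfusion2018\cfusion\jetty\jetty.exe',
    'c:\coldfusion2018\cfusion\jnbridge\cfdotnetsvc.exe'
)

# Resolve the SID to a name so the report is readable; S-1-5-11 is the well-known
# Authenticated Users group, so this yields "NT AUTHORITY\Authenticated Users".
$AuthUsersSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$AuthUsersName = $AuthUsersSid.Translate([System.Security.Principal.NTAccount]).Value

# Any of these rights lets a caller replace or alter an executable that a service
# later runs as SYSTEM, which is what the plugin flags. GENERIC_WRITE/GENERIC_ALL added.
$WriteMask = ([int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership') -bor 0x40000000 -bor 0x10000000

function Test-AuthUsersWriteAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    $sid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    return ($Ace.AccessControlType -eq 'Allow' -and
            $sid.Value -eq $AuthUsersSid.Value -and
            ([int]$Ace.FileSystemRights -band $WriteMask) -ne 0)
}

# Check each folder before its binary: the write ACE is usually inherited from the folder.
$Targets = $Paths | ForEach-Object { Split-Path -Parent $_; $_ } | Select-Object -Unique
foreach ($t in $Targets) {
    if (-not (Test-Path -LiteralPath $t)) { Write-Warning "not found: $t"; continue }
    $acl  = Get-Acl -LiteralPath $t
    $weak = @($acl.Access | Where-Object { Test-AuthUsersWriteAce $_ })
    if ($weak.Count -eq 0) { "OK    $t"; continue }
    foreach ($ace in $weak) {
        $src = if ($ace.IsInherited) { 'inherited, fix on the parent folder' } else { 'explicit' }
        "WEAK  $t  $AuthUsersName : $($ace.FileSystemRights) [$src]"
        # Explicit ACEs are removed here; inherited ones must be removed where they are defined.
        if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
    }
    # SYSTEM and Administrators keep their own ACEs, so services running as Local System still start.
    Set-Acl -LiteralPath $t -AclObject $acl -WhatIf   # drop -WhatIf to apply
}
```

As written it only reports (Set-Acl runs with -WhatIf); remove -WhatIf to apply the change, then re-run the Tenable plugin to confirm the finding clears.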