• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

At least one improperly configured Windows service may have a privilege escalation vulnerability.

New Here ,
May 18, 2023 May 18, 2023

Copy link to clipboard

Copied

How do you remediate the below issue after a Tenable scan reports the below

 

Plugin Output:
Path : c:\coldfusion2018\cfusion\bin\coldfusionsvc.exe
Used by services : ColdFusion 2018 Application Server
File write allowed for groups : Authenticated Users (S-1-5-11)

Path : c:\coldfusion2018\cfusion\db\slserver54\bin\swagent.exe
Used by services : ColdFusion 2018 ODBC Agent
File write allowed for groups : Authenticated Users (S-1-5-11)

Path : c:\coldfusion2018\cfusion\db\slserver54\bin\swstrtr.exe
Used by services : ColdFusion 2018 ODBC Server
File write allowed for groups : Authenticated Users (S-1-5-11)

Path : c:\coldfusion2018\cfusion\jetty\jetty.exe
Used by services : ColdFusion2018Add-onServices
File write allowed for groups : Authenticated Users (S-1-5-11)

Path : c:\coldfusion2018\cfusion\jnbridge\cfdotnetsvc.exe
Used by services : ColdFusion 2018 .NET Service
File write allowed for groups : Authenticated Users (S-1-5-11)

Views

749

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
May 19, 2023 May 19, 2023

Copy link to clipboard

Copied

You'd want to identify the group (S-1-5-11) and its users, and decide whether to remove its permissions from that folder--or remove the group if it's some old unneeded one (the name seems unusual).

 

The only user that needs write access to that folder is the user running the cf odbc services (viewable in the Windows Services panel), which by default is the System account (and which has write permission by default). 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
May 19, 2023 May 19, 2023

Copy link to clipboard

Copied

Can I remove the authenticated users and then add Local system? Will that break anything?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
May 19, 2023 May 19, 2023

Copy link to clipboard

Copied

That should work fine, assuming CF and related services are running in the Local System security context.

 

Dave Watts, Eidolon LLC 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
May 19, 2023 May 19, 2023

Copy link to clipboard

Copied

Strange. I suspect that something was changed in your ColdFusion 2018 installation.

 

I say this because, when ColdFusion is installed, the files in the following directories are Read-Only by default:

  • c:\coldfusion2018\cfusion\bin
    c:\coldfusion2018\cfusion\db\slserver54\bin
    c:\coldfusion2018\cfusion\jetty
    c:\coldfusion2018\cfusion\jnbridge

 

Take the first directory, for example. If you navigate to c:\coldfusion2018\cfusion\, right-click on bin and select Properties, you should see something like:

BKBK_0-1684498743528.png

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
May 19, 2023 May 19, 2023

Copy link to clipboard

Copied

The "Authenticated Users" group is a dynamic one, consisting of any user who's successfully authenticated. You can restrict these directories to the CF user account and an administrator.

 

Dave Watts, Eidolon LLC 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
May 19, 2023 May 19, 2023

Copy link to clipboard

Copied

Hey, Dave. In your experience, does that message they showed add that number--in their case, (S-1-5-11)--when displaying it, and when indeed its the only group of that name (authenticated users) on that system?

 

I'd thought I'd seen that number added when it was not, but I could be confusing matters. 

 

Anyway, let's all see what the op may offer. We 3 musketeers have given them plenty to consider.  🙂

 

Also, Dave, please see a direct message I'd sent within here a couple of days ago. (I often miss them, myself.) 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
May 19, 2023 May 19, 2023

Copy link to clipboard

Copied

@uhururuto12 , you can find out the details of the user(s) S-1-5-11. To do so, proceed as follows:

  1.  Download the ZIP file LogonSessions from the Microsoft website.
  2.  Copy the downloaded file, LogonSessions.zip, to C:\temp. Extract it there.
         The resulting directory, C:\temp\logonSessions, contains the files Eula.txt, logonsessions.exe, logonsessions64.exe and logonsessions64a.exe. 
  3.  Still inside C:\temp, create a file containing the following command:
    @ECHO OFF 
    :: This batch file reveals Windows log-on processes.
    C:\temp\logonSessions\logonsessions64.exe -p 
    PAUSE
    and save it as getLogonSessions.bat 

  4.  Right-click on C:\temp\getLogonSessions.bat and select Run as Administrator.
  5.  Scroll along in the CMD window and locate the sessions with an Sid value of S-1-5-11.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
May 19, 2023 May 19, 2023

Copy link to clipboard

Copied

LATEST

I do know that's the RID (relative identifier) for the "Authenticated Users" group and is used as part of the Windows SID for that group. It's not really a new thing, but because membership is contextual so to speak, most people don't think too much about it. It's a great convenience compared to the Everyone Group or any of the other groups with fixed membership. I don't know which versions of Windows show the SID along with the name of the group or user.

 

https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids

 

Also, I did see the DM and got in touch with the person. Thanks!

 

Dave Watts, Eidolon LLC

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
May 19, 2023 May 19, 2023

Copy link to clipboard

Copied


Based on the Tenable scan report you provided, it appears that the ColdFusion 2018 application server and its associated components have file write permissions allowed for the "Authenticated Users" group (S-1-5-11). This could potentially pose a security risk as it allows any authenticated user on the system to modify these files.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation