search
LinkedInGithub
githubEdit

hyper-v-administrators

takeown /F C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

sc.exe start MozillaMaintenance

Exploit

Hyper-V admin-EOP exploitarrow-up-right

Post

Hyper-admin-to-systemarrow-up-right

hashtag
Take ownership of a file

Example of Mozilla maintenance service

./maintenanceservice.exe
takeown /F C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
sc.exe start MozillaMaintenance

hashtag
Key Points:

  • Virtualization Access: - Members of Hyper-V Administratorsarrow-up-right have full control over virtual machines. - This allows them to clone Domain Controllers and extract NTDS.dit files.

  • .vhdx File Deletion and Hard Links: - When a .vhdx file is deleted, vmms.exe attempts to restore permissions as SYSTEM. - This can be abused to create hard links to protected files. - This is based on CVE-2018-0952 or CVE-2019-0841, or an application that installs a service that runs as system.

  • Mozilla Maintenance Service Example: - The Mozilla Maintenance Service can be targeted for this exploit. - A PowerShell script can be used to grant full control over the maintenanceservice.exe file. - The file can then be replaced with a malicious executable. - Starting the service results in SYSTEM-level command execution.

  • Mitigation: - The hard-link exploit has been mitigated by the March 2020 Windows security updates Approach, Commands, Tools, and Techniques: 1. Virtualization Access:

  • Technique: - Clone virtualized Domain Controllers. - Mount virtual disks offline. - Extract NTDS.dit files.

  • Tools: - Hyper-V Manager. - Virtual Disk tools.

  • Outcome: - Domain wide credential access. 2. Hard-Link Exploit:

  • Technique: - Delete a .vhdx file. - Create a hard link to a protected file (e.g., maintenanceservice.exe). - Replace the linked file with a malicious executable. - Start the associated service.

  • Tools: - PowerShell (for hard-link creation). - takeown (for file ownership). - sc.exe (for service management).

  • Commands: - takeown /F C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe - sc.exe start MozillaMaintenance

  • PowerShell: - PowerShell script to create the hard link and modify file permissions.

  • Outcome: - SYSTEM level command execution. 3. Considerations:

  • Vulnerability: - The hard-link exploit relies on specific vulnerabilities (CVE-2018-0952, CVE-2019-0841) or vulnerable services. - The core hard link exploit is patched as of March 2020.

  • Mitigation: - Keep systems patched. - Implement least privilege for Hyper-V administrators. - Monitor for unauthorized virtual machine operations.

  • Virtualization Security: - Treat virtualized Domain Controllers with the same security as physical ones. - Segregate virtualization administration.

PreviousExploiting Event Log Readers Group for Security Log AccessNextprint-operators

Last updated