SureCloud were asked to review the deployment of a variety of remote support and automation tools. We found a local privilege escalation vulnerability within the Bomgar/BeyondTrust Remote Support system.
During an engagement last year we were asked to review the deployment of a variety of remote support and automation tools for one of our clients. One of the deployed tools was Bomgar/BeyondTrust Remote Support. It’s similar in functionality to other remote support tools like LogMeIn and GoTo Assist.
The tl;dr is that we found a privilege escalation vulnerability that leveraged a race condition in their “Elevation Service”.
The Elevation Service is an optional component that allows technicians to be granted temporary administrative privileges on a system without the need to manage local Windows security groups. Which technicians are permitted to use the Elevation Service is controlled by the BeyondTrust Remote Support app.
Once the Elevation Service is installed, a Windows service is created named “Bomgar Automatic Elevation Service”. The service consists of the bgelvsvc.exe executable running under the high-privilege SYSTEM account.
When an end-user begins a support session, they enter a code in the support portal and download an executable, bomgar-scc-[randomstring].exe, which they then run. Once started, the executable deletes itself, and a set of new applications is created and started within the C:\ProgramData folder.
If the elevation service is not installed, this is where the workflow ends and the technician is granted access with the same permissions as the user requesting support. In this workflow any elevated requests require the technician to authenticate with their own credentials.
If the Elevation Service is installed, the temporary application which was placed in the C:\ProgramData folder submits a command over the named pipe BgElvSvc. The command submitted over the named pipe requests the execution of the file path C:\ProgramData\bomgar-scc-[hex value]\bomgar-scc.exe. This file is then checked by the Elevation Service and executed as SYSTEM if the checks pass.
While the permissions set on the folder C:\ProgramData\bomgar-scc-[hex value] prevent adding any additional files there, the bomgar-scc.exe file itself can be copied to any location. The named pipe command can then be given the new path and the Elevation Service's check will still pass. On its own, this doesn’t grant any additional access.
However, bomgar-scc.exe imports three DLL files from its current working directory. So we dropped in an msfvenom DLL payload named to match one of the files that is automatically imported, bcrypt.dll (classic DLL hijacking).
The full chain is:
1. Copy the bomgar-scc.exe file from C:\ProgramData to the desktop.
2. Place the malicious bcrypt.dll file on the desktop.
3. Send a command over the BgElvSvc named pipe requesting elevation of the copied bomgar-scc.exe file.
4. The Elevation Service runs it as SYSTEM and it immediately imports the custom bcrypt.dll.
5. The payload executes as SYSTEM.
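The root cause in the chain above is that the Elevation Service accepted any path whose file looked like bomgar-scc.exe, regardless of which directory it was launched from. The following is an added example, not BeyondTrust's code and not the real named-pipe protocol: it models the weak, name-only check the article describes beside a hardened check that pins the executable to its protected session folder. The folder-name pattern (bomgar-scc- followed by hex) and the idea that the service only validated the path are assumptions drawn from the article's description; the sample requests are constructed.

```python
"""Model of the Elevation Service's path check: the weak name-only check the
article describes beside a hardened location check. Added example, not
BeyondTrust code; the request format and folder-name pattern are assumptions."""
import re
from pathlib import PureWindowsPath

# The article says session files live in C:\ProgramData\bomgar-scc-[hex value]\;
# this regex is an assumption about what "[hex value]" looks like.
TRUSTED_ROOT = PureWindowsPath(r"C:\ProgramData")
SESSION_DIR_RE = re.compile(r"^bomgar-scc-[0-9a-f]+$", re.IGNORECASE)
TARGET_EXE = "bomgar-scc.exe"


def naive_check(requested_path: str) -> bool:
    """Weak check: only the file name is inspected, so a copy of bomgar-scc.exe
    sitting next to an attacker-supplied bcrypt.dll on the desktop passes."""
    return PureWindowsPath(requested_path).name.lower() == TARGET_EXE


def hardened_check(requested_path: str) -> bool:
    """Hypothetical hardened check: the path must be an absolute, traversal-free
    C: path whose file sits directly inside a bomgar-scc-<hex> folder under
    C:\\ProgramData, i.e. the folder the article says users cannot add files to.
    Because the loader looks in the directory the executable was loaded from for
    imported DLLs, pinning that directory is what blocks the bcrypt.dll hijack."""
    p = PureWindowsPath(requested_path)
    # Reject relative paths, UNC paths (\\server\share) and other drives.
    if not p.is_absolute() or p.drive.upper() != "C:":
        return False
    # PureWindowsPath does not collapse '..', so traversal stays visible here.
    if ".." in p.parts:
        return False
    if p.name.lower() != TARGET_EXE:
        return False
    session_dir = p.parent
    # PureWindowsPath equality is case-insensitive, matching NTFS behaviour.
    if session_dir.parent != TRUSTED_ROOT:
        return False
    return SESSION_DIR_RE.fullmatch(session_dir.name) is not None


def evaluate(requests):
    """Return {path: (naive_result, hardened_result)} for a batch of requests."""
    return {r: (naive_check(r), hardened_check(r)) for r in requests}


# Constructed sample requests (the hex value and user name are made up).
SAMPLE_REQUESTS = [
    r"C:\ProgramData\bomgar-scc-1a2b3c\bomgar-scc.exe",        # legitimate
    r"C:\Users\victim\Desktop\bomgar-scc.exe",                  # the copy used in the attack
    r"C:\ProgramData\bomgar-scc-1a2b3c\..\..\Users\victim\Desktop\bomgar-scc.exe",
    r"\\attacker\share\bomgar-scc.exe",                         # UNC path
    r"C:\ProgramData\bomgar-scc-1a2b3c\notes\bomgar-scc.exe",   # wrong depth
    r"C:\ProgramData\bomgar-scc-1a2b3c\evil.exe",               # wrong name
]

if __name__ == "__main__":
    for path, (weak, strong) in evaluate(SAMPLE_REQUESTS).items():
        w = "ALLOW" if weak else "DENY"
        s = "ALLOW" if strong else "DENY"
        print(f"name-only: {w:5}  hardened: {s:5}  {path}")
```

Running the block shows the desktop copy and the traversal path being accepted by the name-only check and refused by the hardened one. A location check alone is still only part of a fix: the service should also verify the binary's signature or hash before launching it, and the launch should not inherit a caller-controlled working directory, since the article notes the DLLs are resolved relative to where bomgar-scc.exe runs.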
Elliott Thompson, one of SureCloud’s Principal Security Consultants, delivers on a variety of large and unusual pen-testing engagements. Elliott engages targets throughout Europe, Asia, and the Middle East through infrastructure testing and reverse engineering to physical, social engineering and red teaming. Elliott has also appeared on the BBC as a cybersecurity expert, is a CVE identifier, CHECK Team Leader and CREST Registered Tester.