CVE-2020-11799 - Z-Cron Lack of Access Control

Website URL: https://www.z-cron.com/

Version: 5.6 Build 04

Description: Z-Cron is a task scheduling software that enables Administrators and Users to schedule tasks on a system. Exploit Details: Z-Cron tasks are shared globally throughout the system, enabling any user to open the software, modify a task (which is classified as Insecure Access Control), and have it executed. If the executable is stored in a publicly accessible location, all logged in users will have the task executed.

Video Demonstrating the Exploit: https://youtu.be/hFFhCZ-4qSw

Steps To Reproduce

Create a scheduled task (In our instance, we’re going to create the task as a privileged user)

Ensure the task is being executed on some time of a schedule in the scheduler tab, for example, here we’re going to create a task to execute every 5 minutes

Ensure the credentials of the user you want the task to run as are implemented

Ensure the task is saved, run a demo and make sure the task executes successfully

Above is a screenshot of the task being executed as well as the log files.

Now we’re going to begin the exploitation portion – An unprivileged user can modify the privileged users task

First, create a payload, I’m going to use msfvenom to generate a Meterpreter payload and upload it to a remote share:

Next we’re going to put the payload in a publicly accessible location, and modify the task as a normal, different, unprivileged user:

In the background we have exploit/multi/handler listening for the reverse shell to get executed on the 5 minute mark:

Watch out for all the incoming shells. For every user that has been logged into the box, you’ll recieve a shell:

This should be a lesson about access control and how powerful it is when any user can modify something that a privileged user has created.

Credits:

Thank you to @OptionalCTF (https://twitter.com/optionalctf) for editing the video demonstrating the exploit and @OrielOrielOriel (https://twitter.com/OrielOrielOriel) for confirming my sanity throughout this long-long-long night.

*Posts*

2024-CISA-ICS-CTF---Register-the-Dots.md

2024-CISA-ICS-CTF---Read-Askew-Manuscripts.md

2024-CISA-ICS-CTF---Mission-Inconceivable.md

2024-CISA-ICS-CTF---Modeling-Trains.md

2024-CISA-ICS-CTF---Follow-the-Charts.md

2024-CISA-ICS-CTF---Extend-Your-Stay.md

ROP-Emporium---Split.md

ROP-Emporium---Ret2Win.md

Deception-in-Depth---Overview-of-Kerberos,-Service-Accounts-&-Attacks---Part-1.5.md

Deception-in-Depth---Hiding-AD-Users-and-Groups---Part-1.md

Backdooring-KeePass-for-Fun-and-Profit.md

Deploying-BloodHound-Community-Edition-for-Pentesters.md

Enriching-BloodHound-Data.md

Programming-with-Impacket---Working-with-SMB.md

Source-Zero-Con-Writeup---Biscuits.md

Source-Zero-Con-Writeup---Compromised.md

Recovering-Your-Straight-Talk-Account-Number.md

Deception-in-Depth---Building-Deceptions-from-Breaches.md

Deceiving-Bloodhound---Remote-Registry-Session-Spoofing.md

Analyzing-a-Brute-Ratel-Badger.md

Cobalt-Strike-Beacon-Analysis-from-a-Live-C2.md

Source-Zero-Con-CTF---STL-Killer.md

Source-Zero-Con-CTF---Baby-XBee-1-2.md

Building-an-Active-Directory-Lab---Part-2.md

Deception-in-Depth---Spoofing-SMB-User-Sessions-Improved.md

Staged-vs-Stageless-Payloads.md

Building-an-Active-Directory-Lab---Part-1.md

Email-Spoofing---A-Full-Guide.md

OverWolfHelperx64---DLL-Injection-LOLBAS.md

Deception-in-Depth---LSASS-Injection.md

Deception-in-Depth---Spoofing-Logged-in-Users.md

How-Secure-is-Kali-Out-of-the-Box?.md

Remote-NTLM-Relaying-via-Meterpreter.md

Certification-Talk.md

Google-Is-Your-Best-Friend.md

Decrypting-TACACS+-Traffic-in-Wireshark.md

CVE-2020-12447-LFI-Within-Onkyo-TX-NR585-Web-Interface.md