NetSPI uncovered a local privilege escalation path in the default Microsoft Service Fabric Runtime that could let a low-privilege user reach SYSTEM access on unsecured clusters. The post details how misconfigured folder permissions, binary replacement, code injection with Mono.Cecil, a PowerShell payload, and a post-exploitation pivot using GodPotato enable a full privilege chain, along with remediation guidance. #GodPotato #ServiceFabric
Keypoints
- Unsecured Service Fabric clusters allow a low-privilege user to escalate to SYSTEM via a local privilege escalation path.
- The SFDevCluster folder and its contents are writable by all Authenticated Users, so any local account can replace or patch the cluster binaries stored there.
- The researchers replace a legitimate binary (FabricFAS.exe) with a payload by renaming the original to FabricFAS_old and placing a new executable in its place (masquerading).
- Mono.Cecil is used to inject custom code into the binary’s main method, preserving normal startup behavior while enabling payload execution.
- A PowerShell reverse shell one-liner is embedded in the patched binary and launched with Process.Start when the node restarts and FabricFAS.exe is started, giving initial code execution in the service account's context.
- The resulting shell runs as NT AUTHORITY\NETWORK SERVICE, which holds SeImpersonatePrivilege; GodPotato (a potato-family attack) abuses that privilege to escalate to SYSTEM.
- Windows Defender exclusions were configured in the lab, but the post reports that Defender did not detect or block the attack even when left enabled. The recommended remediation is to remove write/modify permissions for Authenticated Users on the folder.
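The root cause in the chain above is the folder ACL, so the first thing a defender wants is a repeatable check for it and a fix. The script below is an added example by the editor, not code from the NetSPI post or from Service Fabric. It assumes the default dev-cluster path C:\SFDevCluster, an elevated prompt for -Fix, and that leaving the broad principals with ReadAndExecute is acceptable (the post only says to remove write/modify). It also goes slightly beyond the post by flagging Everyone and Users alongside Authenticated Users, since any of them would give the same result.

```powershell
# Added example (editor's code, not from the NetSPI post): audit the SFDevCluster ACL for
# write/modify rights granted to broad principals and optionally remove them.
# Assumptions: default dev-cluster path C:\SFDevCluster; -Fix needs an elevated prompt;
# re-granting ReadAndExecute afterwards is the editor's choice, not something the post states.
param(
    [string]$Path = 'C:\SFDevCluster',
    [switch]$Fix
)

# Any of these bits lets a principal replace or patch a binary under the folder.
# Write, Modify and FullControl all include them, so they are caught as well.
$dangerous = [System.Security.AccessControl.FileSystemRights]'WriteData,AppendData,Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,TakeOwnership'

# Well-known SIDs so the check does not depend on the display language.
$broadSids = @{
    'S-1-5-11'     = 'Authenticated Users'   # the principal named in the post
    'S-1-1-0'      = 'Everyone'              # editor's additions: equally bad if present
    'S-1-5-32-545' = 'Users'
}

function Get-AceSid([System.Security.AccessControl.FileSystemAccessRule]$Ace) {
    try   { $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $Ace.IdentityReference.Value }   # orphaned SIDs are already in S-1-... form
}

$acl  = Get-Acl -LiteralPath $Path
$weak = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $broadSids.ContainsKey((Get-AceSid $_)) -and
    (($_.FileSystemRights -band $dangerous) -ne 0)
})

if (-not $weak) { Write-Host "OK: no broad write/modify ACE on $Path"; return }

foreach ($ace in $weak) {
    Write-Warning ("{0} has {1} on {2} (inherited: {3})" -f
        $broadSids[(Get-AceSid $ace)], $ace.FileSystemRights, $Path, $ace.IsInherited)
}
if (-not $Fix) { return }

if ($weak | Where-Object IsInherited) {
    # Inherited ACEs cannot be removed one by one: stop inheritance, keeping explicit
    # copies of the current ACEs, write that back and re-read the now-explicit list.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl
    $acl = Get-Acl -LiteralPath $Path
}

$weakSids = $weak | ForEach-Object { Get-AceSid $_ } | Sort-Object -Unique
foreach ($sid in $weakSids) {
    $id = New-Object System.Security.Principal.SecurityIdentifier $sid
    $acl.PurgeAccessRules($id)   # drop every ACE for this principal ...
    # ... and grant read/execute only, inherited by files and subfolders, so the
    # runtime can still load its binaries from the folder.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
Set-Acl -LiteralPath $Path -AclObject $acl
Write-Host "Fixed: broad write/modify ACEs removed from $Path"
```

Run it without -Fix first to see what it would change. The fix rewrites only the ACEs on the folder itself and what inherits from it; files or subfolders that carry their own explicit Allow entries for these principals (the post quotes "this folder and its contents") need a recursive pass, for example `Get-ChildItem -LiteralPath $Path -Recurse | Get-Acl` filtered with the same `$weak` test.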
MITRE Techniques
- [T1222] File and Directory Permissions Modification – The pre-existing SFDevCluster folder ACL (not a change the attacker makes) lets any authenticated user modify files; quote: 'all authenticated users have write access to this folder and its contents.'
- [T1036] Masquerading – The original binary is renamed and a different executable is dropped under its name to blend in; quote: 'renamed the original binary to "FabricFAS_old" and copied calc.exe into the folder as FabricFAS.exe.'
- [T1055] Process Injection – The page maps the Mono.Cecil step here, but note that it is an on-disk modification of the .NET assembly's entry point rather than injection into a running process's memory; quote: 'modify the existing binary, adding our own code to the main method.'
- [T1059.001] PowerShell – A PowerShell reverse shell is embedded in the patched binary and executed to establish remote code execution; quotes: 'PowerShell reverse shell', 'embed a PowerShell one-liner and execute it with Process.Start.'
- [T1068] Exploitation for Privilege Escalation – Escalation to SYSTEM via a potato-family technique after obtaining a shell; quote: 'elevate to SYSTEM via one of the potato attacks.'
- [T1562.001] Impair Defenses – Windows Defender exclusions were created in the lab, although by the post's own account they were not what made the attack work; quote: 'exclusions were set up in Windows Defender. Defender did not detect or block this attack when left enabled.'
Indicators of Compromise
- [Folder] C:\SFDevCluster – dev-cluster data and binaries directory; its permissive ACL (writable by Authenticated Users) is the root cause
- [File] FabricFAS.exe – the replaced or Mono.Cecil-patched binary that runs the payload
- [File] FabricFAS_old – the original FabricFAS.exe, renamed out of the way; its presence is a direct sign of the swap
- [File] FabricFaultAnalysisService.dll – Fault Analysis Service assembly named in the post as a monitoring and modification target in a payload scenario
- [File] FabricHost.exe – legitimate Service Fabric host process that appears alongside the modified binary; not itself modified
- [Process] FabricFAS.exe being replaced across node restarts, or spawning child processes (such as PowerShell) that it would not normally start
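The indicators above can be checked on a node with a single sweep. The script below is an added example by the editor, not code from the NetSPI post or from Service Fabric. It assumes the default path C:\SFDevCluster, that the Microsoft-shipped Fabric binaries carry a valid Authenticode signature and a version resource naming the file itself (so a copied calc.exe or a Mono.Cecil-patched assembly stands out), and that FabricFAS.exe is normally started by FabricHost.exe and has no reason to spawn a shell; the parent-process check in particular is the editor's assumption, not something the post states.

```powershell
# Added example (editor's code, not from the NetSPI post): sweep a node for the indicators above.
# Assumptions: default dev-cluster path C:\SFDevCluster; Microsoft-shipped Fabric binaries are
# Authenticode-signed and their version resource names the file itself; FabricFAS.exe is
# normally a child of FabricHost.exe (editor's assumption) and never needs a shell as a child.
function Find-ServiceFabricIoC {
    param([string]$Root = 'C:\SFDevCluster')
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Indicator, $Where, $Detail) {
        $findings.Add([pscustomobject]@{ Indicator = $Indicator; Where = $Where; Detail = $Detail })
    }

    # 1. The renamed original (FabricFAS_old) left behind by the masquerade.
    Get-ChildItem -LiteralPath $Root -Recurse -Filter 'FabricFAS_old*' -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'RenamedOriginal' $_.FullName ("modified {0}" -f $_.LastWriteTime) }

    # 2. Fabric binaries that were replaced (version resource names another file, e.g. CALC.EXE)
    #    or patched on disk (Authenticode hash no longer matches, or a non-Microsoft signer).
    $watch = 'FabricFAS.exe', 'FabricFaultAnalysisService.dll', 'FabricHost.exe'
    Get-ChildItem -LiteralPath $Root -Recurse -Include $watch -ErrorAction SilentlyContinue | ForEach-Object {
        $orig = $_.VersionInfo.OriginalFilename
        if ($orig -and $orig -ne $_.Name) {
            Add-Finding 'Masquerade' $_.FullName ("OriginalFilename is '{0}'" -f $orig)
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        if ($sig.Status -ne 'Valid') {
            Add-Finding 'SignatureInvalid' $_.FullName $sig.Status
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            Add-Finding 'ForeignSigner' $_.FullName $sig.SignerCertificate.Subject
        }
    }

    # 3. Defender exclusions covering the cluster folder (the post's lab had these set up).
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    if ($mp) {
        @($mp.ExclusionPath) + @($mp.ExclusionProcess) |
            Where-Object { $_ -and $_ -like '*SFDevCluster*' } |
            ForEach-Object { Add-Finding 'DefenderExclusion' $_ 'Get-MpPreference' }
    }

    # 4. FabricFAS.exe with an unexpected parent, or with a shell as a child: the embedded
    #    one-liner is launched via Process.Start, so the shell shows up as a direct child.
    $procs = Get-CimInstance Win32_Process
    foreach ($fas in ($procs | Where-Object Name -eq 'FabricFAS.exe')) {
        $parent = $procs | Where-Object ProcessId -eq $fas.ParentProcessId
        if ($parent -and $parent.Name -ne 'FabricHost.exe') {
            Add-Finding 'UnexpectedParent' ("PID {0}" -f $fas.ProcessId) ("parent {0}" -f $parent.Name)
        }
        $procs | Where-Object { $_.ParentProcessId -eq $fas.ProcessId -and $_.Name -match '^(powershell|pwsh|cmd)\.exe$' } |
            ForEach-Object { Add-Finding 'ShellChild' ("PID {0}" -f $_.ProcessId) $_.CommandLine }
    }
    return $findings
}

Find-ServiceFabricIoC | Format-Table -AutoSize
```

The OriginalFilename and parent-process checks are heuristics: a few legitimate binaries ship with a version resource that names a different file, and a node restart can briefly leave FabricFAS.exe with no live parent, so treat those two rows as leads to confirm rather than verdicts. A signature status of HashMismatch on FabricFAS.exe is the strongest single signal of the Mono.Cecil patch described in the post.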