Seagate is a type of network-attached storage device. The author found a Windows desktop client called Seagate Media Sync, a tool for copying media files to Seagate disks.
The author chose to review the internal communications between the low-privileged UI and the high-privileged services. While looking at Process Explorer, the author noticed that the application created a named pipe, which was used for this communication.
The pipe communication was literally writing bytes to a file; this appears to be a custom protocol with two writes occurring. After analyzing the hex data and reverse engineering the code, the author figured out the format. The first block was a 4-byte length field indicating the length of the message body. The message has a signature (0x4B5C), a major command ID and a minor command ID. After this, the information for the specific command is sent.
The author mapped out all of the major and minor command IDs to see what they do. One of the more interesting ones was major command 0x10 with minor command 0x400. This command wrote a user-controlled registry key with an arbitrary value. Damn, that's a super powerful primitive!
The author wrote their own client to test this out and it worked! To become SYSTEM, an attacker can register their own service by writing a path to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Once the computer is rebooted, the attacker's code would run.
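The missing check on the service side, sketched as an added example (not code from the write-up or from Seagate): a privileged pipe server validates the frame and refuses registry writes outside a key it owns. The 16-bit little-endian header fields, the UTF-16LE key payload, and the `ALLOWED_ROOT` key are assumptions for illustration; only the signature and the command IDs come from the text above.

```python
import struct

SIGNATURE = 0x4B5C                  # signature value from the write-up
REG_WRITE = (0x10, 0x400)           # major/minor pair from the write-up
# Assumptions: header fields are little-endian 16-bit values and the command
# payload is a UTF-16LE key path. ALLOWED_ROOT is a hypothetical app-owned key.
HEADER = struct.Struct("<HHH")
ALLOWED_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\MediaSync"


def split_frame(raw: bytes):
    """Return (major, minor, payload); raise ValueError on a malformed frame."""
    if len(raw) < 4:
        raise ValueError("truncated length prefix")
    (body_len,) = struct.unpack_from("<I", raw)
    body = raw[4:]
    if body_len != len(body) or body_len < HEADER.size:
        raise ValueError("length prefix does not match body")
    sig, major, minor = HEADER.unpack_from(body)
    if sig != SIGNATURE:
        raise ValueError("bad signature")
    return major, minor, body[HEADER.size:]


def key_allowed(requested: str) -> bool:
    """True only for keys at or below ALLOWED_ROOT (case-insensitive)."""
    if "\x00" in requested:         # embedded NUL would truncate the path later
        return False
    parts = [p for p in requested.replace("/", "\\").split("\\") if p]
    norm, root = "\\".join(parts).upper(), ALLOWED_ROOT.upper()
    return norm == root or norm.startswith(root + "\\")


def authorize(raw: bytes) -> str:
    """Decide what a privileged service should do with one client frame."""
    try:
        major, minor, payload = split_frame(raw)
        if (major, minor) != REG_WRITE:
            return "other-command"
        key = payload.decode("utf-16-le").rstrip("\x00")
    except ValueError:              # also covers UnicodeDecodeError
        return "reject-malformed"
    return "allow" if key_allowed(key) else "deny-key-outside-root"


def sample_frame(major: int, minor: int, key: str) -> bytes:
    """Build a constructed sample frame for exercising authorize()."""
    body = HEADER.pack(SIGNATURE, major, minor) + key.encode("utf-16-le")
    return struct.pack("<I", len(body)) + body
```

The prefix comparison includes the trailing backslash so that a sibling key whose name merely starts with the allowed root is still denied.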
Overall, the reverse engineering of the custom protocol and the vulnerability were quite unique in my mind. It was neat to see the author take this to full privilege escalation to SYSTEM on Windows.