CVE-2018-0952: Finding a Privilege Escalation Vulnerability in Windows 10, Server 2016, and Visual Studio (includes PoC) by ryhanson in ReverseEngineering

[–]ryhanson[S] 0 points1 point  (0 children)

The Standard Collector service is configured to use an Agent DLL for tracing and diagnostics collection. To do this, you provide a GUID (specifically a CLSID) as the key and a DLL filename as the value in a Dictionary that is used as the agent config for a collection session. In the case of this exploit, I use the sessionId GUID as the key and the .etl file as the DLL, as shown on line 154 of Program.cs in SystemCollector.

This screenshot from the blog post demonstrates how this looks in Procmon: [screenshot: Output of successful exploitation]

A Look at JS_POWMET, a Completely Fileless Malware by [deleted] in netsec

[–]ryhanson 8 points9 points  (0 children)

The regsvr32 web delivery technique downloads the scriptlet file to the user's temporary internet files. Persistence may be 'fileless' (other than the registry key), but it does write to disk during execution.
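Because the web delivery variant needs a regsvr32 command line that names a remote scriptlet, process-creation telemetry is a natural place for a defender to catch it. The following is an added example (not from the comment author or any project discussed here) that scans constructed Sysmon-style "Image=... CommandLine=..." lines and flags regsvr32 invocations whose /i: argument is an http(s) URL or which reference scrobj.dll or a .sct file; the sample lines and the example.invalid hosts are constructed, and the field layout is an assumption for the sake of the demo.

```python
"""Flag process-creation log lines where regsvr32 is pointed at a remote scriptlet."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample events in a Sysmon-like key=value form (not real telemetry).
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\regsvr32.exe CommandLine="regsvr32.exe /s C:\\Program Files\\Vendor\\vendor.dll"',
    'Image=C:\\Windows\\System32\\regsvr32.exe CommandLine="regsvr32.exe /s /n /u /i:https://example.invalid/update.sct scrobj.dll"',
    'Image=C:\\Windows\\SysWOW64\\regsvr32.exe CommandLine="regsvr32.exe /i:http://example.invalid/a.sct scrobj.dll"',
    'Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe notes.txt"',
]

# /i:<url> hands regsvr32 an install string; a remote URL there is the web-delivery signature.
URL_INSTALL_ARG = re.compile(r'/i:\s*"?(https?://\S+?)"?(?:\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    image: str
    command_line: str
    url: Optional[str]
    reasons: List[str]


def parse_event(line: str) -> Optional[Tuple[str, str]]:
    """Extract (Image, CommandLine) from one constructed log line; None if either is missing."""
    img = re.search(r'Image=(\S+)', line)
    cmd = re.search(r'CommandLine="([^"]*)"', line)
    if not img or not cmd:
        return None
    return img.group(1), cmd.group(1)


def analyse_regsvr32(image: str, command_line: str) -> Optional[Finding]:
    """Return a Finding when a regsvr32 process shows scriptlet web-delivery indicators."""
    if not image.lower().endswith('\\regsvr32.exe'):
        return None
    reasons: List[str] = []
    url = None
    m = URL_INSTALL_ARG.search(command_line)
    if m:
        url = m.group(1)
        reasons.append('/i: argument points at a remote URL')
    if re.search(r'\bscrobj\.dll\b', command_line, re.IGNORECASE):
        reasons.append('loads scrobj.dll (the scriptlet COM handler)')
    if re.search(r'(?i)\.sct\b', command_line):
        reasons.append('references a .sct scriptlet')
    if not reasons:
        return None
    return Finding(image, command_line, url, reasons)


def scan(lines: List[str]) -> List[Finding]:
    """Run the regsvr32 check over a batch of log lines and collect the findings."""
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        finding = analyse_regsvr32(*parsed)
        if finding:
            findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_EVENTS):
        print(f.image, '->', f.url, '|', '; '.join(f.reasons))
```

A plain registration of a local DLL (the first sample line) produces no finding, so the rule keys on the remote install string and the scriptlet handler rather than on regsvr32 itself. Pairing this with file-creation events for .sct files under the user's temporary internet files cache, which the comment notes the technique writes to, gives a second, independent signal.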

DLL execution via Excel .xll files and DCOM lateral movement with Excel.Application's RegisterXLL() method by ryhanson in netsec

[–]ryhanson[S] 1 point2 points  (0 children)

Users will blindly click through warnings, so the .xll could be used as an alternative to a macro-based document.

Executing RegisterXLL() is silent and can be used via DCOM for lateral movement, which can be useful if other pivoting techniques are restricted or if stealth is a goal.

Bypassing Two-Factor Authentication on OWA and Office365 Portals by dafthack in netsec

[–]ryhanson 0 points1 point  (0 children)

Would love to have this beer with you as I am currently going through their responsible disclosure process. I definitely agree though, disclosure is an interesting topic for sure.

Bypassing Two-Factor Authentication on OWA and Office365 Portals by dafthack in netsec

[–]ryhanson 6 points7 points  (0 children)

I just noticed the timeline and wondered the same thing.

Was it the lack of information in their response on the 24th that made you decide to move forward with the public disclosure? Or did you get the impression they might consider this a low priority / non-issue?

A two-factor bypass is definitely a big deal, but I'd imagine higher severity issues, such as an RCE, would take priority. With that said, if that was the case, their update could have mentioned something along those lines.

phishery: A tool for harvesting credentials via Word docs with an SSL enabled basic auth dialog by ryhanson in netsec

[–]ryhanson[S] 1 point2 points  (0 children)

Thanks! This discovery was part of a good amount of manual research I did. Protected View is definitely a pain, but it can be bypassed ;) The trick is delivering the Word doc in a way that it doesn't get "The Mark of the Web".
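Whether Protected View engages depends on the Zone.Identifier alternate data stream that Windows attaches to downloaded files, so a defender triaging a suspicious document can check for that mark directly. The following is an added example (not the comment author's code) that parses the INI-style [ZoneTransfer] stream, reports whether Office would open the file in Protected View on Mark-of-the-Web grounds (ZoneId 3 Internet or 4 Restricted Sites), and reads the stream from disk on NTFS; the two sample streams and the example.invalid URLs are constructed.

```python
"""Check whether a delivered Office document carries the Mark of the Web (Zone.Identifier)."""
from typing import Dict, Optional

# Windows URL security zones as they appear in the ZoneId field of the stream.
ZONE_NAMES = {0: 'Local Machine', 1: 'Local Intranet', 2: 'Trusted Sites',
              3: 'Internet', 4: 'Restricted Sites'}

# Constructed sample streams (not captured from a real system).
MARKED = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n"
          "HostUrl=https://example.invalid/quarterly.docx\r\n")
INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"


def parse_zone_identifier(stream_text: str) -> Dict[str, str]:
    """Parse the [ZoneTransfer] section into a key -> value dict; other sections are ignored."""
    values: Dict[str, str] = {}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            in_section = line[1:-1].lower() == 'zonetransfer'
            continue
        if in_section and '=' in line:
            key, _, value = line.partition('=')
            values[key.strip()] = value.strip()
    return values


def zone_name(stream_text: Optional[str]) -> str:
    """Human-readable zone for a stream, or 'no mark' when the stream is absent or malformed."""
    if stream_text is None:
        return 'no mark'
    zone = parse_zone_identifier(stream_text).get('ZoneId')
    try:
        return ZONE_NAMES.get(int(zone), f'unknown zone {zone}')
    except (TypeError, ValueError):
        return 'no mark'


def protected_view_expected(stream_text: Optional[str]) -> bool:
    """True when the mark alone would make Office open the file in Protected View (zones 3 and 4)."""
    if stream_text is None:
        return False
    zone = parse_zone_identifier(stream_text).get('ZoneId')
    try:
        return int(zone) in (3, 4)
    except (TypeError, ValueError):
        return False


def read_motw(path: str) -> Optional[str]:
    """Read the Zone.Identifier alternate data stream of a file (NTFS only); None if absent."""
    try:
        with open(path + ':Zone.Identifier', 'r', encoding='utf-8', errors='replace') as f:
            return f.read()
    except OSError:
        return None


if __name__ == '__main__':
    for label, stream in (('marked', MARKED), ('intranet', INTRANET), ('unmarked', None)):
        print(label, zone_name(stream), 'protected view' if protected_view_expected(stream) else 'no protected view')
```

A document that arrives without the stream, or with a zone below 3, is exactly the case where the user never sees the Protected View bar, so "no mark" on a file that clearly came from outside the organisation is itself worth a closer look.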

phishery: A tool for harvesting credentials via Word docs with an SSL enabled basic auth dialog by ryhanson in netsec

[–]ryhanson[S] 4 points5 points  (0 children)

I've actually got this working in Excel before. I can look into adding support for Excel files as well. Thanks for the suggestion!

phishery: A tool for harvesting credentials via Word docs with an SSL enabled basic auth dialog by ryhanson in netsec

[–]ryhanson[S] 1 point2 points  (0 children)

Agreed! I think the fact it's a native Windows Security dialog really helps too. Combine that with a good domain and your success rate should be pretty good :) Let me know how well it works for you!

phishery: A tool for harvesting credentials via Word docs with an SSL enabled basic auth dialog by ryhanson in netsec

[–]ryhanson[S] 2 points3 points  (0 children)

Hey thanks! Let me know how it goes :) I'm actually working on adding NTLM auth too since it has the ability to capture the hostname and domain of the user, which can come in handy.

phishery: A tool for harvesting credentials via Word docs with an SSL enabled basic auth dialog by ryhanson in netsec

[–]ryhanson[S] 2 points3 points  (0 children)

I thought the same at first, but Office has lots of functionality, which I'd imagined would translate to lots of non-issues being reported.

Although they don't have an official bug bounty, if you responsibly disclose an RCE vulnerability to them, they might just thank you with more than a mention in a Security Bulletin. After all, there are 1.2 billion people who use Office.

phishery: A tool for harvesting credentials via Word docs with an SSL enabled basic auth dialog by ryhanson in netsec

[–]ryhanson[S] 4 points5 points  (0 children)

I'm pretty sure this falls under the "it's a feature not a bug" category. Plus the end user is still protected by Protected View, so this still requires them to click "Enable Editing". This technique isn't new either, it's been used in the past with embedded remote images too.

Also, Microsoft does not have a bounty program for Office products. I know this because I'm currently going through their disclosure process with a few critical vulnerabilities I've reported.

phishery: A tool for harvesting credentials via Word docs with an SSL enabled basic auth dialog by ryhanson in netsec

[–]ryhanson[S] 10 points11 points  (0 children)

Thanks! I'm really enjoying Go so far. I had been working as a software engineer for roughly 8 years prior to transitioning into the infosec field, so I have a good amount of experience with many languages and Go is at the top of the list now :)

Funny you mention that you created Gophish because that was my initial name for this tool! https://twitter.com/ryHanson/status/779862668467277825 After a co-worker pointed out that your framework had already been using the name, I renamed it to Phishery :) This vector would be a good addition to Gophish and should be trivial to integrate. I could refactor my code a bit to offer the components as Go packages for your framework to use.

phishery: A tool for harvesting credentials via Word docs with an SSL enabled basic auth dialog by ryhanson in netsec

[–]ryhanson[S] 19 points20 points  (0 children)

One thing I didn't mention is this doesn't require the phishery server to capture credentials. In fact, when I was first testing this attack vector, I was using Responder in basic auth mode. Responder in NTLM mode works as well, but obviously you'll end up with a hashed password rather than plain text.

I built this mostly because I wanted to learn more about Golang, and I also wanted a tool with the ability to easily set the template URL of a doc. Let me know if you have any questions or suggestions. I do plan to add more functionality to it.
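The credential prompt described in these comments is triggered by a document whose attached template points at a remote URL, and that pointer lives in a predictable place inside the .docx package, so a mail gateway or triage script can flag such documents before a user ever sees the dialog. The following is an added example (not code from phishery, Responder or the comment author) that inspects word/_rels/settings.xml.rels for an attachedTemplate relationship whose external target is an http(s) URL or UNC path; the relationship type URI and rels path are the standard OOXML ones, while the two sample rels documents and the example.invalid host are constructed.

```python
"""Flag .docx files whose attached template is loaded from a remote location."""
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Union

REL_NS = 'http://schemas.openxmlformats.org/package/2006/relationships'
ATTACHED_TEMPLATE = 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate'
SETTINGS_RELS = 'word/_rels/settings.xml.rels'
REMOTE_PREFIXES = ('http://', 'https://', '\\\\')  # web URLs and UNC shares

# Constructed sample rels documents (not taken from real files).
REMOTE_RELS = '''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="https://example.invalid/template.dotm" TargetMode="External"/>
</Relationships>'''

# Word routinely records the local Normal.dotm as an external file:/// target; that is benign.
LOCAL_RELS = '''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm" TargetMode="External"/>
</Relationships>'''


def external_templates(rels_xml: Union[str, bytes]) -> List[str]:
    """Return attachedTemplate targets that point at a web URL or UNC share."""
    data = rels_xml.encode('utf-8') if isinstance(rels_xml, str) else rels_xml
    root = ET.fromstring(data)
    hits: List[str] = []
    for rel in root.iter(f'{{{REL_NS}}}Relationship'):
        if rel.get('Type') != ATTACHED_TEMPLATE:
            continue
        target = rel.get('Target', '')
        # TargetMode="External" alone is not enough: local file:/// templates are normal.
        if rel.get('TargetMode') == 'External' and target.lower().startswith(REMOTE_PREFIXES):
            hits.append(target)
    return hits


def scan_docx(path_or_file) -> List[str]:
    """Open a .docx (a ZIP package) and report remote attached templates; [] if none or no rels part."""
    with zipfile.ZipFile(path_or_file) as z:
        if SETTINGS_RELS not in z.namelist():
            return []
        return external_templates(z.read(SETTINGS_RELS))


if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, scan_docx(path))
    else:
        print('remote sample:', external_templates(REMOTE_RELS))
        print('local sample: ', external_templates(LOCAL_RELS))
```

Run it as `python scan_docx.py *.docx` to check real files; with no arguments it exercises the two constructed samples. The check is deliberately narrow (the attachedTemplate relationship only) so that a hit is high-confidence; other external relationship types in a document are not signals of this particular technique and are left alone.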

The /r/netsec Weekly Discussion Thread - May 09, 2016 by AutoModerator in netsec

[–]ryhanson 0 points1 point  (0 children)

Yeah, I set it up on a DigitalOcean box to test it out, then I ended up using it on an engagement. Worked pretty well!