23 Jun, 2023

Local privilege escalation (LPE) vulnerability in Windows [CVE-2023-21746]

In the ever-evolving landscape of cybersecurity, a newly discovered vulnerability has captured the attention of security professionals and researchers alike. Known as “Local Potato” and identified as CVE-2023-21746, this local privilege escalation (LPE) vulnerability in Windows has raised concerns due to its potential impact. Reported to Microsoft on September 9, 2022, by Andrea Pierini and Antonio Cocomazzi, the flaw enables an attacker with limited privileges to gain unauthorized access to sensitive files with SYSTEM-level control. Although Microsoft swiftly released a patch in the January 2023 update, the implications of this vulnerability extend beyond its initial scope. In this blog post, we delve into the intricacies of Local Potato, exploring its origins, the potential risks it poses, and the supplementary vectors that allow for elevated privileges and command execution as SYSTEM. Brace yourself for an in-depth exploration of this significant security concern, which has seen notable PoC demonstrations in recent months, including one involving the exploitation of the StorSvc service. 

NTLM Authentication: Unraveling the Process 

When it comes to NTLM authentication, the standard procedure involves a user seeking to authenticate themselves with a remote server. This authentication process revolves around three crucial packets: 

Packet 1: Type 1 Message
In this initial step, the client initiates the authentication process by sending a packet to the server, negotiating the terms of the authentication. Optionally, this packet may include the client machine’s name and its domain. Upon receiving the packet, the server can verify that the authentication request originates from a different machine.

Packet 2: Type 2 Message
Following the Type 1 Message, the server responds to the client with a challenge. This “challenge” is essentially a random number generated to authenticate the client, eliminating the need to transmit their credentials through the network. By providing a unique challenge, the server establishes a secure means of validating the client’s identity.

Packet 3: Type 3 Message
To complete the authentication process, the client utilizes the challenge received in the Type 2 Message and combines it with the user’s password hash. This combination generates a response to the challenge, which is then sent to the server as part of the Type 3 message. By receiving this response, the server can verify whether the client possesses the correct user’s password hash without the need to transfer it through the network. This approach ensures the confidentiality and integrity of the user’s credentials during the authentication process.

NTLM Local Authentication: Simplifying the Process 

In scenarios where a user aims to log into a service hosted on the same machine, NTLM local authentication comes into play. With both the client and server applications residing on the identical machine, the challenge-response mechanism becomes unnecessary. Instead, authentication takes a different approach by establishing a Security Context. While the intricacies of a Security Context won’t be delved into here, envision it as a collection of security parameters tied to a connection, encompassing the session key and the user whose privileges will be utilized for the connection. 

Although the three messages remain unchanged, the authentication information undergoes modifications as follows: 

Message 1: Type 1 Message
To initiate the connection, the client sends this message, which serves to negotiate authentication parameters, akin to the previous process. Additionally, it includes the client machine’s name and domain. The server can verify the client’s name and domain, initiating the local authentication process only if they match its own.

Message 2: Type 2 Message
In response, the server generates a Security Context and conveys its identification (ID) to the client through this message. By utilizing the Security Context ID, the client establishes an association with the connection, solidifying their authentication.

Message 3: Type 3 Message
Upon successfully associating with an existing Security Context ID, the client transmits an empty Type 3 message back to the server, indicating the successful completion of the local authentication process.

With all steps taking place on the same machine, the need for the challenge-response mechanism is eliminated. Instead, the machine verifies the Security Context ID for both the server and client applications, streamlining the authentication process. 
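As an added illustration (example code written for this page, not part of the original post and not wire-compatible NTLM), the following Python models both flows described above: the remote three-message challenge-response, and the local path in which a matching workstation name and domain yields a Security Context ID and an empty Type 3. Host names, account names and passwords are constructed; SHA-256 and HMAC-SHA256 stand in for NTLM's MD4 and HMAC-MD5, and a plain table stands in for the binding LSASS performs between a Security Context and the caller's logon session.

```python
import hashlib
import hmac
import os
import secrets


def nt_hash(password: str) -> bytes:
    """Stand-in for the NT hash. Real NTLM uses MD4 over the UTF-16LE password;
    SHA-256 is used so the example runs on builds whose OpenSSL lacks MD4."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_response(key: bytes, challenge: bytes) -> bytes:
    """Keyed response over the challenge (stand-in for NTLMv2's HMAC-MD5, which
    also folds in the user name, domain and a client-side blob)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Server:
    """Stores NT hashes only and serves both the remote and the local flow."""

    def __init__(self, hostname: str, domain: str, accounts: dict):
        self.hostname, self.domain = hostname, domain
        self.accounts = accounts   # user -> NT hash; the password itself is never stored
        self.pending = {}          # outstanding challenge -> user (remote flow)
        self.contexts = {}         # Security Context ID -> user (local flow)

    def handle_type1(self, msg: dict) -> dict:
        # Type 1 carries the client's workstation name and domain; a match with our
        # own selects the local flow and skips the challenge entirely.
        if msg["workstation"] == self.hostname and msg["domain"] == self.domain:
            ctx_id = secrets.token_hex(8)
            # Windows binds the context to the caller's logon session inside LSASS;
            # a plain table stands in for that binding here (assumption, simplified).
            self.contexts[ctx_id] = msg["user"]
            return {"type": 2, "mode": "local", "context_id": ctx_id}
        challenge = os.urandom(8)  # fresh random challenge for every attempt
        self.pending[challenge] = msg["user"]
        return {"type": 2, "mode": "remote", "challenge": challenge}

    def handle_type3(self, msg: dict) -> bool:
        if msg["mode"] == "local":
            # An empty Type 3 that references a live context completes local auth.
            return msg.get("context_id") in self.contexts
        user = self.pending.pop(msg["challenge"], None)  # each challenge is single-use
        if user is None or user not in self.accounts:
            return False
        expected = challenge_response(self.accounts[user], msg["challenge"])
        return hmac.compare_digest(expected, msg["response"])


class Client:
    def __init__(self, user: str, password: str, workstation: str, domain: str):
        self.user, self.password = user, password
        self.workstation, self.domain = workstation, domain

    def type1(self) -> dict:
        return {"type": 1, "user": self.user,
                "workstation": self.workstation, "domain": self.domain}

    def type3(self, t2: dict) -> dict:
        if t2["mode"] == "local":
            # Nothing to prove: the message only references the context ID.
            return {"type": 3, "mode": "local", "context_id": t2["context_id"]}
        return {"type": 3, "mode": "remote", "challenge": t2["challenge"],
                "response": challenge_response(nt_hash(self.password), t2["challenge"])}

    def authenticate(self, server: Server) -> bool:
        return server.handle_type3(self.type3(server.handle_type1(self.type1())))


def run_scenarios() -> dict:
    """Constructed accounts, hosts and passwords; returns the outcome of each flow."""
    server = Server("FILESRV", "CORP", {"alice": nt_hash("S3cret!")})
    remote = Client("alice", "S3cret!", "WS01", "CORP")
    wrong = Client("alice", "guess", "WS01", "CORP")
    local = Client("alice", "S3cret!", "FILESRV", "CORP")

    results = {
        "remote_ok": remote.authenticate(server),
        "remote_wrong_password": wrong.authenticate(server),
        "local_ok": local.authenticate(server),
        # A context ID the server never issued is refused.
        "local_unknown_context": server.handle_type3(
            {"type": 3, "mode": "local", "context_id": "not-issued"}),
    }
    # Replaying a captured Type 3 fails: its challenge was consumed on first use.
    t3 = remote.type3(server.handle_type1(remote.type1()))
    results["remote_first_use"] = server.handle_type3(t3)
    results["remote_replay"] = server.handle_type3(t3)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:24s} {'accepted' if ok else 'rejected'}")
```

Three properties of the text are visible in the model: the server holds only the hash and never receives it; because every attempt gets a fresh challenge that is consumed on first use, a captured Type 3 cannot be replayed; and on the local path the server checks nothing beyond the existence of a context, so the correctness of the binding between that context and the calling user, rather than any password check, is what protects local authentication.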

How to Exploit this Vulnerability 

To exploit this vulnerability, you need a controlled testing environment with preconfigured settings. To gain hands-on experience and better understand the intricacies of this vulnerability, we will be working through the exercises on the TryHackMe platform. You can access the specific exploit exercise at the following link: https://tryhackme.com/room/localpotato. By working through this exercise, you will be able to actively engage with the exploit and enhance your understanding of its inner workings.

Step 1: To commence the exploration and testing of the CVE-2023-21746 vulnerability on a local Windows machine, you can follow a series of steps outlined below. To initiate the process, begin by visiting the provided link: https://tryhackme.com/room/localpotato. On the webpage, locate the ‘Start Machine’ option and proceed to click on it. This action will trigger the launch of a pre-configured virtual machine (VM) that encompasses all the necessary vulnerable components required to test the mentioned vulnerability. Before accessing the VM, it is essential to log in to TryHackMe. Once you have successfully logged in, navigate to the ‘Join Room’ option, which will grant you access to the designated room, enabling you to start the machine within. By diligently following these instructions, you can actively engage with the vulnerability, exploring its implications within a controlled environment while conducting experiments.  

Step 2: Once the virtual machine (VM) has started, it may be necessary to make specific code modifications depending on the Windows Server version being used. To do so, navigate to the tools folder and find the file named “storsvc_c.c” located at “C:\tools\LPE via StorSvc\RpcClient\RpcClient\storsvc_c.c”. Open the file using Notepad++.

Step 3: Uncomment line number 5, which reads “#define WIN2019,” and comment out line number 3. Since our current machine is operating on Windows Server 2019, we will modify the file to appear as the following: 

Step 4: Once the necessary adjustments have been made, the exploit will be configured to use the appropriate RPC interface identifier for Windows 2019. With the code now corrected, let’s proceed by launching a developer command prompt through the shortcut available on your desktop. To build the project, execute the following command: ‘msbuild RpcClient.sln’.

Step 5: Now, move the RpcClient.exe file that was created by the build process to the desktop.

Step 6: To compile SprintCSP.dll, our focus lies solely on modifying the DoStuff() function found at C:\tools\LPE via StorSvc\SprintCSP\SprintCSP\main.c. This modification entails incorporating a command within the function, enabling us to attain privileged access to the machine. To simplify matters, we will ensure that the DLL adds our current user to the Administrators group. Below, you can find the updated code, reflecting the replacement of the command for achieving our desired outcome.

Step 7: Let’s proceed by launching a developer command prompt through the shortcut available on your desktop. To build the project, execute the following command: ‘msbuild SprintCSP.sln’.

Step 8: Now, move the SprintCSP.dll file that was created by the build process to the desktop.

Step 9: Before proceeding with the exploit, ensure that you have the necessary files, namely the LocalPotato.exe exploit, RpcClient.exe, and SprintCSP.dll, saved on your desktop. If you don’t have these files, refer back to the previous task to construct them. 

To begin, let’s first confirm that our current user is not included in the Administrators group: 

Step 10: Now, let’s attempt to copy the SprintCSP.dll file to the privileged path. However, as shown below, we encounter an “access denied” error due to insufficient privileges. Nevertheless, by leveraging LocalPotato, we can bypass this limitation and successfully copy the SprintCSP.dll file into the system32 directory, even when operating with an unprivileged user account.

Step 11: Having successfully installed our DLL, we can proceed to execute RpcClient.exe, which will initiate the invocation of SvcRebootToFlashingMode. This action effectively triggers the execution of the payload contained within our DLL.

Step 12: To confirm the successful execution of our exploit, we can verify whether our user has been added to the Administrators group. 

Protective Measures to Mitigate Local Potato Exploits 

To thwart potential attacks leveraging the Local Potato exploit, it is crucial to consider the following preventive measures:

Patch Updates: 

To fortify your defenses, it is imperative to keep your systems up to date with the latest security patches. As the localpotato exploit targets a vulnerability specific to the Windows operating system, ensuring that all systems are promptly updated with the latest security patches is vital. By doing so, you can effectively thwart attackers from exploiting this vulnerability. It is worth noting that the vulnerability is rendered ineffective on patched operating systems. 

Least Privilege Principle: 

Implementing the principle of least privilege is a proactive approach to impede attackers from leveraging the localpotato exploit. By adhering to this principle, you limit user access to only the resources essential for their job responsibilities. Restricting privileges in such a manner makes it significantly more challenging for attackers to acquire the elevated privileges necessary to execute the exploit successfully. 

Monitoring for Suspicious Activity: 

Deploying robust monitoring tools like Splunk is instrumental in detecting and mitigating suspicious activity on your network. By vigilantly monitoring your network, you can proactively identify any signs of a potential localpotato attack. Look out for anomalous process activity or any attempts to execute malicious code. Swiftly identifying such indicators allows for timely response and mitigation measures to neutralize the threat. 
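The walkthrough above produces two observable effects on the host: a DLL written into System32 by a non-privileged account, and a member added to the Administrators group. As an added example (written for this page; not code from the original post, from the LocalPotato authors or from TryHackMe), the Python below runs that detection logic over constructed, simplified Windows Security-log records, raising a medium-severity alert for each behaviour on its own and a high-severity alert when both occur on the same host inside a time window. Event IDs 4663 (object access) and 4732 (member added to a security-enabled local group) and their field names are standard Windows Security events; the records, host names, accounts, SIDs and the fifteen-minute window are constructed for the example. The same two conditions can be expressed as a correlation search in Splunk or any other SIEM.

```python
from datetime import datetime, timedelta

SYSTEM32 = "c:\\windows\\system32\\"
PRIVILEGED_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "TrustedInstaller"}
PRIVILEGED_GROUPS = {"Administrators"}
WRITE_DATA = 0x2  # AccessMask bit for WriteData/AddFile in a 4663 record

# Constructed, simplified Security-log records (not real telemetry). Field names
# follow the 4663 (object access) and 4732 (member added to local group) events.
EVENTS = [
    {"TimeCreated": "2023-06-23T09:55:00", "EventID": 4663, "Computer": "HOST1",
     "SubjectUserName": "SYSTEM", "AccessMask": "0x2",
     "ObjectName": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
    {"TimeCreated": "2023-06-23T10:00:00", "EventID": 4663, "Computer": "HOST1",
     "SubjectUserName": "user", "AccessMask": "0x2",
     "ObjectName": "C:\\Windows\\System32\\SprintCSP.dll"},
    {"TimeCreated": "2023-06-23T10:01:00", "EventID": 4663, "Computer": "HOST1",
     "SubjectUserName": "user", "AccessMask": "0x1",      # read only: benign
     "ObjectName": "C:\\Windows\\System32\\kernel32.dll"},
    {"TimeCreated": "2023-06-23T10:03:00", "EventID": 4732, "Computer": "HOST1",
     "SubjectUserName": "SYSTEM", "TargetUserName": "Administrators",
     "MemberSid": "S-1-5-21-100-200-300-1001"},             # constructed SID
    {"TimeCreated": "2023-06-23T11:00:00", "EventID": 4732, "Computer": "HOST2",
     "SubjectUserName": "helpdesk", "TargetUserName": "Administrators",
     "MemberSid": "S-1-5-21-100-200-300-1050"},             # constructed SID
]


def unprivileged_system32_dll_write(ev: dict) -> bool:
    """4663 write access to a .dll under System32 by a non-privileged account."""
    if ev["EventID"] != 4663:
        return False
    path = ev["ObjectName"].lower()
    return (path.startswith(SYSTEM32) and path.endswith(".dll")
            and ev["SubjectUserName"] not in PRIVILEGED_ACCOUNTS
            and int(ev["AccessMask"], 16) & WRITE_DATA != 0)


def privileged_group_add(ev: dict) -> bool:
    """4732 where the target group is one of the privileged local groups."""
    return ev["EventID"] == 4732 and ev["TargetUserName"] in PRIVILEGED_GROUPS


def detect(events: list, window: timedelta = timedelta(minutes=15)) -> list:
    """Return alerts; a DLL drop followed by a group change on the same host
    within `window` is escalated to high severity."""
    alerts, recent_drops = [], []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        base = {"computer": ev["Computer"], "time": ev["TimeCreated"]}
        if unprivileged_system32_dll_write(ev):
            recent_drops.append((ts, ev))
            alerts.append({**base, "severity": "medium", "detail": ev["ObjectName"],
                           "rule": "unprivileged DLL write to System32"})
        elif privileged_group_add(ev):
            alerts.append({**base, "severity": "medium", "detail": ev["MemberSid"],
                           "rule": "member added to privileged local group"})
            for drop_ts, drop in recent_drops:
                if drop["Computer"] == ev["Computer"] and ts - drop_ts <= window:
                    alerts.append({**base, "severity": "high", "detail": drop["ObjectName"],
                                   "rule": "System32 DLL drop followed by Administrators change"})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[{a['severity']:6s}] {a['time']} {a['computer']}: {a['rule']} ({a['detail']})")
```

Running it on the constructed records yields one medium alert for the DLL written by "user", one medium alert for each Administrators change, and a single high alert on HOST1 where the two happened three minutes apart; the write by SYSTEM and the read of kernel32.dll produce nothing.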

By following these preventive measures, you can enhance your overall security posture and significantly reduce the risk of falling victim to a localpotato exploit. Stay vigilant, keep systems updated, enforce least privilege, and maintain a watchful eye on network activity to safeguard your infrastructure from potential attacks. 
