Windows MultiPoint Server 2011 SP1 RpcEptMapper and Dnscache Local Privilege Escalation

2021.11.29
Credit: it
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-264

# Exploit Title: Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnscache Local Privilege Escalation
# Date: 11/11/2021
# Exploit Author: it
# Vendor Homepage: https://www.microsoft.com
# Software Link: https://www.microsoft.com/pt-br/download/details.aspx?id=8518
# Version: Version 6.1 Compilation 7601 Service Pack 1
# Tested on: Microsoft Windows MultiPoint Server 2011 - English Version

Description

Service Local Privilege Escalation - Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnscache

Vulnerable: Service Local Privilege Escalation - Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnscache
Vulnerability Type: Privilege Escalation
Tested on: Microsoft Windows MultiPoint Server 2011 - Version 6.1 Compilation 7601 Service Pack 1
Language OS: English

The Vulnerability

Clément wrote a very useful permissions-checking tool for Windows that finds various misconfigurations that could allow a local attacker to elevate their privileges. On a typical Windows 7 and Server 2008 R2 machine, the tool found that all local users have write permissions on two registry keys:

HKLM\SYSTEM\CurrentControlSet\Services\Dnscache
HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper

These didn't immediately seem exploitable, but Clément did the legwork and found that the Windows Performance Monitoring mechanism can be made to read from these keys and eventually load a DLL supplied by the local attacker. To most everyone's surprise, the DLL is loaded not as the local user but as Local System. In short, a local non-admin user on the computer just creates a Performance subkey under one of the above keys, populates it with some values, and triggers performance monitoring, which leads to a Local System WmiPrvSE.exe process loading the attacker's DLL and executing code from it.

About the article: https://itm4n.github.io/windows-registry-rpceptmapper-eop/

I detected that another version of Windows, Windows MultiPoint Server 2011, is also vulnerable, which can affect customers who use an extended license. I can't say whether there are any other vulnerable unpublished versions besides the ones I've posted here.

How to Reproduce the Exploitation

Compile the Perfusion exploit in Visual Studio 2019: open the project, select Release x64 and compile. It is necessary to install the Microsoft Visual C++ Redistributable on Windows MultiPoint Server 2011 to execute the exploit.

The exploit adds a Performance subkey under HKLM\SYSTEM\CurrentControlSet\Services\Dnscache or HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper with the following values:

Library = Name of your performance DLL
Open = Name of your Open function in your DLL
Collect = Name of your Collect function in your DLL
Close = Name of your Close function in your DLL

It then writes the payload DLL (DLL hijacking) and has the DLL called with SYSTEM permission using WMI.

Tools and Exploit: https://github.com/itm4n/PrivescCheck
Exploit: https://github.com/itm4n/Perfusion
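As an added defensive check (not part of this advisory or of the PrivescCheck/Perfusion projects), the following PowerShell audits the two service keys named above for write rights granted to broad local groups, and reports any Performance subkey already present under them, since the advisory describes the attacker creating that subkey. It assumes an elevated PowerShell session on the host under review; the group list is an assumption and can be extended.

```powershell
# Added audit script: checks the two service keys from the advisory for
# (1) Allow ACEs giving broad principals rights that permit creating a
#     Performance subkey and setting its values, and
# (2) an existing Performance subkey, whose Library value names the DLL
#     that performance monitoring would load.
# Assumption: run from an elevated PowerShell prompt on the host under review.

$ServiceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache',
    'HKLM:\SYSTEM\CurrentControlSet\Services\RpcEptMapper'
)

# Principals that should never hold write rights on a service key (assumed list).
$BroadPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Registry rights that allow adding the Performance subkey and its values.
$WriteRights = [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

foreach ($Key in $ServiceKeys) {
    if (-not (Test-Path -Path $Key)) { Write-Output "$Key : not present"; continue }

    $Acl = Get-Acl -Path $Key
    foreach ($Ace in $Acl.Access) {
        $IsAllow  = $Ace.AccessControlType -eq 'Allow'
        $IsBroad  = $BroadPrincipals -contains $Ace.IdentityReference.Value
        $CanWrite = ($Ace.RegistryRights -band $WriteRights) -ne 0
        if ($IsAllow -and $IsBroad -and $CanWrite) {
            Write-Output "FINDING  $Key grants $($Ace.RegistryRights) to $($Ace.IdentityReference)"
        }
    }

    # A Performance subkey here is what the advisory's technique relies on; report it.
    $Perf = Join-Path -Path $Key -ChildPath 'Performance'
    if (Test-Path -Path $Perf) {
        $Lib = (Get-ItemProperty -Path $Perf -ErrorAction SilentlyContinue).Library
        Write-Output "FINDING  $Perf exists (Library = '$Lib'); verify it is expected"
    }
}
```

Any FINDING line for a write ACE should be remediated by restricting the key's ACL to administrators and SYSTEM; a Performance subkey under either service warrants investigation of the named DLL before removal.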


Copyright 2022, cxsecurity.com
