{
"rss": {
"@attributes": {
"version": "2.0"
},
"channel": {
"title": "0patch Blog",
"link": "https://blog.0patch.com/",
"description": "Security Patching Simplified To The Extreme",
"item": [
{
"title": "Micropatches For \"KrbRelay\" Local Privilege Escalation Vulnerability (Wontfix/0day)",
"link": "https://blog.0patch.com/2022/08/micropatching-krbrelay-local-privilege.html",
"guid": "https://blog.0patch.com/2022/08/micropatching-krbrelay-local-privilege.html",
"description": "by Mitja Kolsek, the 0patch Team \"KrbRelay\" is a tool for forced authentication issue in Windows that can be used by a low-privileged domain user to take over a Windows computer, potentially becoming a local or domain admin within minutes. The tool, based on James Forshaw's research, was developed by security researcher cube0x0, and was…",
"content_encoded": "<div class=\"separator\"><a href=\"https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPxMuKW6tWPQoPIa-J_PiXhr6r3jfpwsOQAA2-YDSqAKz-4uTmGWubHMJijILclMsRVLVvTacnfPnQmY_4D-tAV5M_1z4kZDL6GQOufw-prESU_d0xNuxAZ0dfENKY1FBFS6x8Q_8xIZS7MwixT-Ll0824D5BeXJ3R0AufVz_RayVWois5yOpTAKxYxw/s1024/Vuln_7416_NO-CVE_rbRelay_PatchCard_1024x512.png\"><img border=\"0\" data-original-height=\"512\" data-original-width=\"1024\" height=\"320\" src=\"https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPxMuKW6tWPQoPIa-J_PiXhr6r3jfpwsOQAA2-YDSqAKz-4uTmGWubHMJijILclMsRVLVvTacnfPnQmY_4D-tAV5M_1z4kZDL6GQOufw-prESU_d0xNuxAZ0dfENKY1FBFS6x8Q_8xIZS7MwixT-Ll0824D5BeXJ3R0AufVz_RayVWois5yOpTAKxYxw/w640-h320/Vuln_7416_NO-CVE_rbRelay_PatchCard_1024x512.png\" width=\"640\" alt=\"image\" /></a></div><br />&nbsp;<p>by Mitja Kolsek, the 0patch Team </p><p><br /></p><p>\"<a href=\"https://github.com/cube0x0/KrbRelay\" target=\"_blank\">KrbRelay</a>\" is \na tool for forced authentication issue in Windows that can be used by a \nlow-privileged domain user to take over a Windows computer, potentially \nbecoming a local or domain admin within minutes. 
The tool, based on <a href=\"https://twitter.com/tiraniddo\" target=\"_blank\">James Forshaw</a>'s <a href=\"https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html\" target=\"_blank\">research</a>, was developed by \nsecurity researcher <a href=\"https://twitter.com/cube0x0\" target=\"_blank\">cube0x0</a>, and was later wrapped by <a href=\"https://twitter.com/dec0ne\" target=\"_blank\">Mor Davidovich</a> into another tool called \"<a href=\"https://github.com/Dec0ne/KrbRelayUp\" target=\"_blank\">KrbRelayUp</a>\" that further automated attack steps for escalating privileges.<br /></p><p><i>KrbRelay</i> provides various options to launch different versions of attack; some of these options were already known under the name <i>RemotePotato0</i>, <a href=\"https://blog.0patch.com/2022/01/free-micropatches-for-remotepotato0.html\" target=\"_blank\">for which we already had patches before</a>. What was new for us with <i>KrbRelay</i> was its capability to launch a local service (running in session 0) via RPC and exploit it for leaking Local System credentials through forced authentication. In order to be exploitable, a service must allow authentication over the network, and just two such services were identified on affected Windows versions:</p><ol><li> <a href=\"https://docs.microsoft.com/en-us/windows/win32/win7appqual/remediating-activex-installation-for-standard-users#activex-installer-service-axis\" target=\"_blank\">ActiveX Installer Service</a>, identified by CLSID 90f18417-f0f1-484e-9d3c-59dceee5dbd8; and</li><li>RemoteAppLifetimeManager.exe, identified by CLSID 0bae55fc-479f-45c2-972e-e951be72c0c1.</li></ol><p><br /></p><p><span class=\"c-message_attachment__text\" data-qa=\"message_attachment_text\"><span dir=\"auto\">Microsoft </span></span>does\n not fix forced authentication issues unless an attack can be mounted \nanonymously. 
Our customers unfortunately can't all disable relevant \nservices or implement mitigations without breaking production, so it is \non us to provide them with such patches.</p><p><span class=\"c-message_attachment__text\" data-qa=\"message_attachment_text\"><span dir=\"auto\">For the purpose of identifying vulnerabilities we decided to name the vulnerability exposing the above services \"KrbRelay\", as other attack vectors </span></span>provided by the tool were already blocked by our existing patches for <i>RemotePotato0</i>. We decided to inject our patch logic at the point where a local unprivileged attacker launches the exploitable service, because such patch would be fairly simple - and we like it simple: it's harder to make mistakes.</p><p>Our patch, source code shown below, resides in <span>rpcss.dll</span> and checks whether someone is trying to launch one of the above services via RPC; in such case, if the requestor's token is elevated, we allow it, otherwise not. This is the same approach as we used with patching <i>RemotePotato0</i>.<br /></p><div><br />\n<div>\n<br /><span><span>MODULE_PATH \"..\\Affected_Modules\\rpcss.dll_10.0.17763.3113_Srv2019_64-bit_u202207\\rpcss.dll\"<br />PATCH_ID 992<br />PATCH_FORMAT_VER 2<br />VULN_ID 7416<br />PLATFORM win64<p>patchlet_start<br />&nbsp;&nbsp; &nbsp;PATCHLET_ID 1<br />&nbsp;&nbsp; &nbsp;PATCHLET_TYPE 2<br />&nbsp;&nbsp; &nbsp;PATCHLET_OFFSET 0x6674<br />&nbsp;&nbsp; &nbsp;N_ORIGINALBYTES 5<br />&nbsp;&nbsp; &nbsp;JUMPOVERBYTES 0<br />&nbsp;&nbsp; &nbsp;PIT Advapi32.dll!GetTokenInformation,ntdll!_strnicmp,rpcss.dll!0x68ccd<br />&nbsp;&nbsp; &nbsp;; memory representation:&nbsp;&nbsp;&nbsp; 17 84 f1 90 f1 f0 4e 48 9d 3c 59 dc ee e5 db d8<br />&nbsp;&nbsp; &nbsp;; clsid: &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp; 90f18417-f0f1-484e-9d3c-59dceee5dbd8</p><p>&nbsp;&nbsp;&nbsp; code_start <br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; call VAR&nbsp;&nbsp;&nbsp; 
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; dd 0x90f18417&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ; CIeAxiInstallerService Class<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; dw 0xf0f1, 0x484e<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; db 0x9d, 0x3c, 0x59, 0xdc, 0xee, 0xe5, 0xdb, 0xd8<br />&nbsp;&nbsp; &nbsp;VAR:<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; pop rcx&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp; ; rcx =&gt; clsid in memory representation<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; mov rdx, [rbx]&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; ; ClientToken handle<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; mov r8, 16&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; ; length to compare<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; call PIT__strnicmp&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; ; Compares the specified number of characters <br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ; of two strings without regard to case<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; cmp rax, 0&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; ; rax == 0 strings are equal<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; jne CONTINUE&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp; ; if rax != 0 continue normal code flow</p><p>&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; mov rdx, [rbx+8]<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; mov rdx, [rdx]<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; mov rcx, [rdx+40h]&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; 
; current session token, TokenHandle<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; mov rdx, 14h&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp; ; TokenInformationClass, TokenElevation<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; sub rsp, 30h&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp; ; home space + vars<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; lea r8, [rsp+30h]&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; ; TokenInformation<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; mov qword[rsp+30h], 0&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; ; memset<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; mov r9, 4&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; ; TokenInformationLength<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; lea rax, [rsp+28h]&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; ; ReturnLength address<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; mov [rsp+20h], rax&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; ; pointer to address<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; call PIT_GetTokenInformation&nbsp; ; The GetTokenInformation function retrieves a <br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ; specified type of information about an access token<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; add rsp, 30h&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp; ; restore stack pointer<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; cmp byte[rsp], 0&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp; ; token elevated?<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; je PIT_0x68ccd&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; ; if elevated(1) continue normal code flow</p><p>&nbsp;&nbsp; 
&nbsp;CONTINUE:<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; <br />&nbsp;&nbsp; &nbsp;code_end<br />patchlet_end<br /></p></span></span><span><span></span></span><span> </span></div>\n</div>&nbsp; <h3>Micropatch Availability<br /></h3><p>While\n this vulnerability has no official vendor patch and could be considered a \n\"0day\", Microsoft seems determined not to fix relaying issues such as \nthis one; therefore, this micropatch is not provided in the FREE plan \nbut requires a PRO or Enterprise license.<br /></p><p>The micropatch was written for the following Versions of Windows with all available Windows Updates installed:<b>&nbsp;</b></p><ol><li><b>Windows 10 v21H2 </b><br /></li><li><b>Windows 10 v21H1</b><br /></li><li><b>Windows 10 v20H2</b><b> <br /></b></li><li><b>Windows 10 v2004</b></li><li><b>Windows 10 v1909</b></li><li><b>Windows 10 v1903</b></li><li><b>Windows 10 v1809</b></li><li><b>Windows 10 v1803</b></li><li><b>Windows 7 (no ESU, ESU year 1, ESU year 2)</b><br /></li><li><b>Windows Server 2008 R2 </b><b>(no ESU, ESU year 1, ESU year 2)</b></li><li><b><b>Windows Server 2012 </b></b></li><li><b>Windows Server 2012 R2</b></li><li><b><b>Windows Server 2016</b></b></li><li><b><b><b>Windows Server 2019</b>&nbsp;</b></b></li><li><b><b>Windows Server 2022&nbsp;</b> </b></li></ol><b><b></b></b><div class=\"css-901oao r-hkyrab r-1qd0xha r-a023e6 r-16dba41 r-ad9z0x r-bcqeeo r-bnwqim r-qvutc0\" dir=\"auto\" id=\"tweet-text\" lang=\"en\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">&nbsp;</span></div><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">This\n micropatch </span><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">has already been distributed to, </span></span></span><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x 
r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">and applied on, </span></span>all \nonline 0patch Agents in PRO or Enterprise accounts</span> (unless </span></span><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">Enterprise </span></span>group settings prevent that).&nbsp;</span></span><p><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">If you're new to 0patch</span>, create a free account \nin <a class=\"url-ext\" data-full-url=\"https://central.0patch.com\" href=\"https://central.0patch.com\" rel=\"url noopener noreferrer\" target=\"_blank\">0patch Central</a>, then install and register 0patch Agent from <a class=\"url-ext\" data-full-url=\"https://0patch.com\" href=\"https://t.co/UMXoQqpLQh\" rel=\"url noopener noreferrer\" target=\"_blank\">0patch.com</a>, and email <a href=\"mailto:sales@0patch.com\">sales@0patch.com</a> for a trial. Everything else will happen automatically. 
No computer reboot will be needed.</span></p><p><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"></span></p><div class=\"css-901oao r-hkyrab r-1qd0xha r-a023e6 r-16dba41 r-ad9z0x r-bcqeeo r-bnwqim r-qvutc0\" dir=\"auto\" lang=\"en\">\n</div>\n\n<span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">To learn more about 0patch, please visit our <a href=\"https://0patch.zendesk.com/hc/en-us\" target=\"_blank\">Help Center</a>.&nbsp; </span></span><p>We'd like to thank <a href=\"https://twitter.com/tiraniddo\" target=\"_blank\">James Forshaw</a> and <a href=\"https://twitter.com/cube0x0\" target=\"_blank\">cube0x0</a> for sharing details about this vulnerability and sharing a tool, which allowed us to create a micropatch and protect our users. We also \nencourage security researchers to privately share their analyses with us\n for micropatching.</p>\n<div></div>\n",
"pubDate": "Wed, 10 Aug 2022 15:42:00 +0000",
"dc_creator": "Mitja Kolsek",
"og_url": "https://blog.0patch.com/2022/08/micropatching-krbrelay-local-privilege.html",
"og_title": "Micropatches For \"KrbRelay\" Local Privilege Escalation Vulnerability (Wontfix/0day)",
"og_description": "  by Mitja Kolsek, the 0patch Team \" KrbRelay \" is a tool for forced authentication issue in Windows that can be used by a low-privileged ...",
"og_image": "https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPxMuKW6tWPQoPIa-J_PiXhr6r3jfpwsOQAA2-YDSqAKz-4uTmGWubHMJijILclMsRVLVvTacnfPnQmY_4D-tAV5M_1z4kZDL6GQOufw-prESU_d0xNuxAZ0dfENKY1FBFS6x8Q_8xIZS7MwixT-Ll0824D5BeXJ3R0AufVz_RayVWois5yOpTAKxYxw/w1200-h630-p-k-no-nu/Vuln_7416_NO-CVE_rbRelay_PatchCard_1024x512.png",
"dc_language": "en",
"dc_format": "text/html",
"dc_identifier": "https://blog.0patch.com/2022/08/micropatching-krbrelay-local-privilege.html",
"media_thumbnail": {
"@attributes": {
"url": "https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPxMuKW6tWPQoPIa-J_PiXhr6r3jfpwsOQAA2-YDSqAKz-4uTmGWubHMJijILclMsRVLVvTacnfPnQmY_4D-tAV5M_1z4kZDL6GQOufw-prESU_d0xNuxAZ0dfENKY1FBFS6x8Q_8xIZS7MwixT-Ll0824D5BeXJ3R0AufVz_RayVWois5yOpTAKxYxw/s72-w640-h320-c/Vuln_7416_NO-CVE_rbRelay_PatchCard_1024x512.png"
}
}
},
{
"title": "Changes in 0patch Pricing For New Subscriptions Coming in August",
"link": "https://blog.0patch.com/2022/07/changes-in-0patch-pricing-for-new.html",
"guid": "https://blog.0patch.com/2022/07/changes-in-0patch-pricing-for-new.html",
"description": "Over the years, 0patch has evolved from a simple proof-of-concept into a production-grade security service protecting computers around the World. We've been adding features and improving reliability, we have developed tools and processes to speed up vulnerability analysis and patch development, and we still have many ideas and plans to implement.",
"content_encoded": "<p>Over the years, 0patch has evolved from a simple proof-of-concept into a production-grade security service protecting computers around the World. We've been adding features and improving reliability, we have developed tools and processes to speed up vulnerability analysis and patch development, and we still have many ideas and plans to implement.<br /></p><p>What was initially met with various skeptical remarks has now become a standard for protecting Windows computers in our customers' organizations who use 0patch both for keeping their legacy systems secure from old and new exploits, and for blocking 0day attacks while others are still waiting for original vendor fixes. We're happy to see our customers expanding their 0patch deployments and spreading the word to their peers.</p><p>To reflect the increased value and support further innovation and growth of our team, we're announcing our first price increase since our launch in 2019. This change, having been advertised on our <a href=\"https://0patch.com/pricing.html\" target=\"_blank\">pricing page</a> for months, will go into effect on August 1, 2022, and will only apply to new subscriptions that get created on or after August 1, 2022; any existing subscriptions (including trials) will remain on the old pricing as long as they're renewed in time.</p><p><b>0patch PRO</b>: Price of a PRO license will be increased for 2 EUR/year to 24,95 EUR/year (increase of 0,20 EUR/month).</p><p><b>0patch Enterprise</b>: Price of an Enterprise license will be increased for 12 EUR/year to 34,95 EUR/year (increase of 1,20 EUR/month). We have until now offered Enterprise features for no extra charge but it's time to detach Enterprise pricing from PRO pricing to reflect the added value of Enterprise features.</p><p><br /></p><p>Our mission has always been to help our users neutralize critical vulnerabilities in a low-effort, low-risk and affordable way before attackers start exploiting them. 
We remain committed to this mission and attentive to users' feedback when prioritizing new features that will make their work easier and their environments more secure.<br /></p><p><br /></p><h3>Frequently Asked Questions<br /></h3><p><br /></p><p><b>Is our current subscription going to be affected by this change?</b><br /><i>No, existing subscriptions will remain on the old rates as long as they're renewed. Only newly created subscriptions will fall under the new price list.</i></p><p><b>Can we still change the number of licenses in our subscription while staying on the old rates?<br /></b><i>Yes, you can do that - just make sure to keep the \"Legacy\" plan selected when modifying the subscription instead of selecting \"PRO\" or \"Enterprise\" plan, which use the new rates.&nbsp;</i></p><p><b>As your existing partner - reseller or MSP - do we keep the old rates for existing customers' subscriptions?<br /></b><i>Absolutely, as long as their subscriptions get renewed in time. <br /></i></p><p><b>Can we just create a single-license subscription before August 1, and then increase license quantity later as needed to stay on the old prices?<br /></b><i>Yes you can, you clever rascal, but hurry up!</i><br /></p>\n<div></div>\n",
"pubDate": "Wed, 27 Jul 2022 09:21:00 +0000",
"dc_creator": "Mitja Kolsek",
"og_url": "https://blog.0patch.com/2022/07/changes-in-0patch-pricing-for-new.html",
"og_title": "Changes in 0patch Pricing For New Subscriptions Coming in August",
"og_description": "Over the years, 0patch has evolved from a simple proof-of-concept into a production-grade security service protecting computers around the W...",
"dc_language": "en",
"dc_format": "text/html",
"dc_identifier": "https://blog.0patch.com/2022/07/changes-in-0patch-pricing-for-new.html"
},
{
"title": "Micropatching the \"DFSCoerce\" Forced Authentication Issue (No CVE)",
"link": "https://blog.0patch.com/2022/07/micropatching-dfscoerce-forced.html",
"guid": "https://blog.0patch.com/2022/07/micropatching-dfscoerce-forced.html",
"description": "by Mitja Kolsek, the 0patch Team \"DFSCoerce\" is another forced authentication issue in Windows that can be used by a low-privileged domain user to take over a Windows server, potentially becoming a domain admin within minutes. The issue was discovered by security researcher Filip Dragovic, who also published a POC.",
"content_encoded": "<div class=\"separator\"><a href=\"https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuv5vT7VihWior3HvXHSyCzdn2NjilP-IW8i5ISQ9SktvKQl7aIPsXhjpMAOra9R4H6wC9DIh0mt8Mi-1xTeWMCfchn8qquwpm5Ov_OMv3yT0B5Mv6KwovMgaGnWvrElzIFmsM3f7nBZN-XSknMjpcz-yiwI8NOQ50Yk9hyYZwea5ZmWNXiBI2eEAu4w/s1024/Vuln_7419_NO-CVE_DFSCoerce_PatchCard_1024x512.png\"><img border=\"0\" data-original-height=\"512\" data-original-width=\"1024\" height=\"320\" src=\"https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuv5vT7VihWior3HvXHSyCzdn2NjilP-IW8i5ISQ9SktvKQl7aIPsXhjpMAOra9R4H6wC9DIh0mt8Mi-1xTeWMCfchn8qquwpm5Ov_OMv3yT0B5Mv6KwovMgaGnWvrElzIFmsM3f7nBZN-XSknMjpcz-yiwI8NOQ50Yk9hyYZwea5ZmWNXiBI2eEAu4w/w640-h320/Vuln_7419_NO-CVE_DFSCoerce_PatchCard_1024x512.png\" width=\"640\" alt=\"image\" /></a></div><br /><p>by Mitja Kolsek, the 0patch Team </p><p><br /></p><p>\"DFSCoerce\" is another forced authentication issue in Windows that can be used by a low-privileged domain user to take over a Windows server, potentially becoming a domain admin within minutes. 
The issue was discovered by security researcher <a href=\"https://twitter.com/filip_dragovic\" target=\"_blank\">Filip Dragovic</a>, who also published a <a href=\"https://github.com/Wh04m1001/DFSCoerce\" target=\"_blank\">POC</a>.</p><p><a href=\"https://twitter.com/filip_dragovic/status/1538154721655103488\" target=\"_blank\">Filip's tweet</a> indicated this issue can be used even if you have disabled or filtered services that other currently known forced authentication issues such as <a href=\"https://blog.0patch.com/2022/06/micropatching-printerbugspoolsample.html\" target=\"_blank\">PrinterBug/SpoolSample</a>, <a href=\"https://blog.0patch.com/2021/08/free-micropatches-for-petitpotam.html\" target=\"_blank\">PetitPotam</a>, <a href=\"https://twitter.com/mkolsek/status/1542134706224914432\" target=\"_blank\">ShadowCoerce</a> and <a href=\"https://blog.0patch.com/2022/01/free-micropatches-for-remotepotato0.html\" target=\"_blank\">RemotePotato0</a> are exploiting: \"<span class=\"c-message_attachment__text\" data-qa=\"message_attachment_text\"><span dir=\"auto\"><i>Spooler\n service disabled, RPC filters installed to prevent PetitPotam and File \nServer VSS Agent Service not installed but you still want to relay DC \nauthentication to ADCS? Don't worry MS-DFSNM have your back ;)</i>\"</span></span></p><p><span class=\"c-message_attachment__text\" data-qa=\"message_attachment_text\"><span dir=\"auto\">A quick reminder: Microsoft </span></span>does not fix forced authentication issues unless an attack can be mounted anonymously. Our customers unfortunately can't all disable relevant services or implement mitigations without breaking production, so it is on us to provide them with such patches.</p><p><br /></p><h3>The Vulnerability</h3><p>The vulnerability lies in the <a href=\"https://en.wikipedia.org/wiki/Distributed_File_System_(Microsoft)\" target=\"_blank\">Distributed File System</a> (DFS) service. 
Any authenticated user can make a remote procedure call to this service and execute functions <a href=\"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dfsnm/b18ef17a-7a9c-4e22-b1bf-6a4d07e87b2d\" target=\"_blank\"><span>NetrDfsAddStdRoot</span></a> or <a href=\"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dfsnm/e9da023d-554a-49bc-837a-69f22d59fd18\" target=\"_blank\"><span>NetrDfsremoveStdRoot</span></a>, providing them with host name or IP address of attacker's computer. These functions both properly perform a permissions check using a call to <span>AccessImpersonateCheckRpcClient</span>, which returns error code 5 (\"access denied\") for users who aren't allowed to do any changes to DFS. If access is denied, they block the adding or removing of a stand-alone <a href=\"https://docs.microsoft.com/en-us/windows-server/storage/dfs-namespaces/dfs-overview\" target=\"_blank\">namespace</a> - but they both still perform a credentials-leaking request to the \nspecified host name or IP address.</p><p>Such leaked credentials - belonging to server's computer account - can be relayed to some other service in the network such as LDAP or Certificate Service to perform privileged operations leading to further unauthorized access. Unsurprisingly, attackers and red teams like such things.<br /></p><p><br /></p><h3>Our Micropatch</h3><p>Since a proper access check was already in place, just not reacted to entirely properly, we decided to use its result and correct the logic in both vulnerable functions.<br /></p><p>The image below shows our patch (green code blocks) injected in function <span>NetrDfsremoveStdRoot</span>. As you can see, a call to <span>AccessImpersonateCheckRpcClient</span> is made in the original code, which returns 5 (\"access denied\") when the caller has insufficient permissions. 
This information is then stored as one bit into register <span>r8b</span>, and copied to local variable <span>arg_18</span> (sounds like an argument, but compilers use so-called \"home space\" for local variables when it suits them). Our patch code takes the return value of <span>AccessImpersonateCheckRpcClient</span> and compares it to 5; if equal, we sabotage attacker's attempts by placing a zero at the beginning of their <span>ServerName</span> string pointed to by <span>rcx</span>, effectively turning it into an empty string. This approach allows us to minimize the amount of code and complexity of the patch, which is always our goal. Function <span>DfsDeleteStandaloneRoot</span>, which causes the forced authentication to attacker's host, is then called from the original code (moved to a blue trampoline code block) but it gets an empty string for the host name - and returns an error. A blocked attack therefore behaves as if a request was made by an unprivileged user with an illegal <span>ServerName</span>. We decided not to log this as an attempted exploit to avoid possible false positives in case a regular user without malicious intent might somehow trigger this code via Windows user interface. 
<br /></p><p><br /></p><div class=\"separator\"><a href=\"https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTArPuRw6O86TJG-jDYrDPjIowEVwNBQKFAuW9yj1hTTFMdoLh5b9TkGGqr-jlBTtoBjjIcNyeH3qxHmnci2fJJBx5BDf74loCncT69u8JqXple8gTmlNdNHecQtv90dXBWzZvTRX0VwFmrHSnXRa66fo7ux4qOr2b7PUOAUl8HN7ynoQ3Q4cSaoizTw/s931/DFSCoerce_patch.png\"><img border=\"0\" data-original-height=\"931\" data-original-width=\"888\" height=\"640\" src=\"https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTArPuRw6O86TJG-jDYrDPjIowEVwNBQKFAuW9yj1hTTFMdoLh5b9TkGGqr-jlBTtoBjjIcNyeH3qxHmnci2fJJBx5BDf74loCncT69u8JqXple8gTmlNdNHecQtv90dXBWzZvTRX0VwFmrHSnXRa66fo7ux4qOr2b7PUOAUl8HN7ynoQ3Q4cSaoizTw/w610-h640/DFSCoerce_patch.png\" width=\"610\" alt=\"image\" /></a></div><br /><p>Source code of the micropatch shows two identical patchlets, one for function <span>NetrDfsAddStdRoot</span> and one for <span>NetrDfsremoveStdRoot</span>: </p><div><br />\n<div>\n<br /><span><span>MODULE_PATH \"..\\Affected_Modules\\dfssvc.exe_10.0.17763.2028_Srv2019_64-bit_u202206\\dfssvc.exe\"<br />PATCH_ID 952<br />PATCH_FORMAT_VER 2<br />VULN_ID 7442<br />PLATFORM win64<p>patchlet_start<br />&nbsp;&nbsp; &nbsp;PATCHLET_ID 1&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; ; NetrDfsAddStdRoot<br />&nbsp;&nbsp; &nbsp;PATCHLET_TYPE 2<br />&nbsp;&nbsp; &nbsp;PATCHLET_OFFSET 0x183e<br />&nbsp;&nbsp; &nbsp;N_ORIGINALBYTES 5<br />&nbsp;&nbsp; &nbsp;JUMPOVERBYTES 0<br />&nbsp;&nbsp; &nbsp;code_start <br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; neg eax&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp; ; get original return value from AccessImpersonateCheckRpcClient<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; cmp eax, 5&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp; ; check if access denied(5) was returned<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; jne CONTINUE_1&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; ; return value is not 5, continue 
with<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ; normal code execution<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; mov word[rcx], 0&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; ; else set ServerHost to NULL. Result: DFSNM<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ; SessionError: code: 0x57 - ERROR_INVALID_PARAMETER<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; ; continue with original code<br />&nbsp;&nbsp; &nbsp;CONTINUE_1:<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; <br />&nbsp;&nbsp; &nbsp;code_end<br />patchlet_end</p><p>patchlet_start<br />&nbsp;&nbsp; &nbsp;PATCHLET_ID 2&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; ; NetrDfsremoveStdRoot<br />&nbsp;&nbsp; &nbsp;PATCHLET_TYPE 2<br />&nbsp;&nbsp; &nbsp;PATCHLET_OFFSET 0x1c96<br />&nbsp;&nbsp; &nbsp;N_ORIGINALBYTES 5<br />&nbsp;&nbsp; &nbsp;JUMPOVERBYTES 0<br />&nbsp;&nbsp; &nbsp;code_start <br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; neg eax&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </p></span></span><span><span><span><span><span><span>; get original return value from AccessImpersonateCheckRpcClient<br /></span></span></span></span>&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; cmp eax, 5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span><span><span><span><span>; check if access denied(5) was returned<br /></span></span>&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; jne CONTINUE_2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
</span></span><span><span><span><span>; return value is not 5, continue with<br /></span></span></span></span><span><span><span><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ; normal code execution<br /></span></span>&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; mov word[rcx], 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span><span><span><span><span>; else set ServerHost to NULL. Result: DFSNM<br /></span></span></span></span><span><span><span><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ; SessionError: code: 0x57 - <br /></span></span></span></span><span><span><span><span>ERROR_INVALID_PARAMETER<br /></span></span></span></span><span><span><span><span>&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; ; continue with original code<br /></span></span>&nbsp;&nbsp;&nbsp; CONTINUE_2:<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; <br />&nbsp;&nbsp; &nbsp;code_end<br />patchlet_end</span></span><span> </span></div>\n</div>&nbsp; <p><br /></p><h3>Micropatch Availability<br /></h3><p>While\n this vulnerability has no official patch and could be considered a \n\"0day\", Microsoft seems determined not to fix relaying issues such as \nthis one; therefore, this micropatch is not provided in the FREE plan \nbut requires a PRO or Enterprise license.<br /></p><p>The micropatch was written for the following Versions of Windows with all available Windows Updates installed:<b>&nbsp;</b></p><ol><li><b>Windows Server 2008 R2</b></li><li><b><b>Windows Server 2012 </b></b></li><li><b>Windows Server 2012 R2</b></li><li><b><b>Windows Server 2016</b></b></li><li><b><b><b>Windows 
Server 2019</b>&nbsp;</b></b></li><li><b><b>Windows Server 2022&nbsp;</b> </b></li></ol><div class=\"css-901oao r-hkyrab r-1qd0xha r-a023e6 r-16dba41 r-ad9z0x r-bcqeeo r-bnwqim r-qvutc0\" dir=\"auto\" lang=\"en\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">&nbsp;</span></div><div class=\"css-901oao r-hkyrab r-1qd0xha r-a023e6 r-16dba41 r-ad9z0x r-bcqeeo r-bnwqim r-qvutc0\" dir=\"auto\" lang=\"en\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">Note that only servers are affected as the DSS Service does not exist on workstations. <br /></span></div><p><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">This\n micropatch </span><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">has already been distributed to, </span></span></span><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">and applied on, </span></span>all \nonline 0patch Agents in PRO or Enterprise accounts</span> (unless </span></span><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">Enterprise </span></span>group settings prevent that).&nbsp;</span></span></p><p><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 
r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">If you're new to 0patch</span>, create a free account \nin <a class=\"url-ext\" data-full-url=\"https://central.0patch.com\" href=\"https://central.0patch.com\" rel=\"url noopener noreferrer\" target=\"_blank\">0patch Central</a>, then install and register 0patch Agent from <a class=\"url-ext\" data-full-url=\"https://0patch.com\" href=\"https://t.co/UMXoQqpLQh\" rel=\"url noopener noreferrer\" target=\"_blank\">0patch.com</a>, and email <a href=\"mailto:sales@0patch.com\">sales@0patch.com</a> for a trial. Everything else will happen automatically. No computer reboot will be needed.</span></p><p><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"></span></p><div class=\"css-901oao r-hkyrab r-1qd0xha r-a023e6 r-16dba41 r-ad9z0x r-bcqeeo r-bnwqim r-qvutc0\" dir=\"auto\" lang=\"en\">\n</div>\n\n<span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">To learn more about 0patch, please visit our <a href=\"https://0patch.zendesk.com/hc/en-us\" target=\"_blank\">Help Center</a>.&nbsp; </span></span><p>We'd like to thank&nbsp; <a href=\"https://twitter.com/filip_dragovic\" target=\"_blank\">Filip Dragovic</a> for sharing details about this vulnerability, which allowed us to create a micropatch and protect our users. We also \nencourage security researchers to privately share their analyses with us\n for micropatching.</p>\n<div></div>\n",
"pubDate": "Fri, 01 Jul 2022 09:49:00 +0000",
"dc_creator": "Mitja Kolsek",
"og_url": "https://blog.0patch.com/2022/07/micropatching-dfscoerce-forced.html",
"og_title": "Micropatching the \"DFSCoerce\" Forced Authentication Issue (No CVE)",
"og_description": "  by Mitja Kolsek, the 0patch Team \"DFSCoerce\" is another forced authentication issue in Windows that can be used by a low-privileged domain...",
"og_image": "https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuv5vT7VihWior3HvXHSyCzdn2NjilP-IW8i5ISQ9SktvKQl7aIPsXhjpMAOra9R4H6wC9DIh0mt8Mi-1xTeWMCfchn8qquwpm5Ov_OMv3yT0B5Mv6KwovMgaGnWvrElzIFmsM3f7nBZN-XSknMjpcz-yiwI8NOQ50Yk9hyYZwea5ZmWNXiBI2eEAu4w/w1200-h630-p-k-no-nu/Vuln_7419_NO-CVE_DFSCoerce_PatchCard_1024x512.png",
"dc_language": "en",
"dc_format": "text/html",
"dc_identifier": "https://blog.0patch.com/2022/07/micropatching-dfscoerce-forced.html",
"media_thumbnail": {
"@attributes": {
"url": "https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuv5vT7VihWior3HvXHSyCzdn2NjilP-IW8i5ISQ9SktvKQl7aIPsXhjpMAOra9R4H6wC9DIh0mt8Mi-1xTeWMCfchn8qquwpm5Ov_OMv3yT0B5Mv6KwovMgaGnWvrElzIFmsM3f7nBZN-XSknMjpcz-yiwI8NOQ50Yk9hyYZwea5ZmWNXiBI2eEAu4w/s72-w640-h320-c/Vuln_7419_NO-CVE_DFSCoerce_PatchCard_1024x512.png"
}
}
},
{
"title": "Micropatching the \"PrinterBug/SpoolSample\" - Another Forced Authentication Issue in Windows",
"link": "https://blog.0patch.com/2022/06/micropatching-printerbugspoolsample.html",
"guid": "https://blog.0patch.com/2022/06/micropatching-printerbugspoolsample.html",
"description": "by Mitja Kolsek, the 0patch Team Forced authentication issues (including NTLM relaying and Kerberos relaying) are a silent elephant in the room in Windows networks, where an attacker inside the network can force a chosen computer in the same network to perform authentication over the network such that the attacker can intercept its request.…",
"content_encoded": "<div class=\"separator\"><a href=\"https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicaG4Tsz0iBDAv5rMBHhp-QFqwcFxKeXDrIAs_qia_YQU1yBM4vqgj853U7p7g9LezupvNvDF7Gl4g-B2z8Ars9OsdvYyruXNbzCcuQNDc4E-U2KrfuZEpYirw4AOfSNIVv8_KLFBnhRm9jcfP32pY2gRmPLKIinNM3u5KaCfP93ABRQN2v43cQjc2qA/s1024/Vuln_7419_NO-CVE_PrinterBug_SpoolSample_PatchCard_1024x512.png\"><img border=\"0\" data-original-height=\"512\" data-original-width=\"1024\" height=\"320\" src=\"https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicaG4Tsz0iBDAv5rMBHhp-QFqwcFxKeXDrIAs_qia_YQU1yBM4vqgj853U7p7g9LezupvNvDF7Gl4g-B2z8Ars9OsdvYyruXNbzCcuQNDc4E-U2KrfuZEpYirw4AOfSNIVv8_KLFBnhRm9jcfP32pY2gRmPLKIinNM3u5KaCfP93ABRQN2v43cQjc2qA/w640-h320/Vuln_7419_NO-CVE_PrinterBug_SpoolSample_PatchCard_1024x512.png\" width=\"640\" alt=\"image\" /></a></div><p>by Mitja Kolsek, the 0patch Team </p><p><br /></p><p>Forced authentication issues (including NTLM relaying and Kerberos relaying) are a silent elephant in the room in Windows networks, where an attacker inside the network can force a chosen computer in the same network to perform authentication over the network such that the attacker can intercept its request. In the process, the attacker obtains some user's or computer account's credentials and can then use these to perform actions with the \"borrowed\" identity.</p><p>In case of <a href=\"https://blog.0patch.com/2021/08/free-micropatches-for-petitpotam.html\" target=\"_blank\">PetitPotam</a>, for instance, the attacker forces a Windows server to authenticate to a computer of their choice using the computer account - which can lead to arbitrary code execution on the server. 
With <a href=\"https://blog.0patch.com/2022/01/free-micropatches-for-remotepotato0.html\" target=\"_blank\">RemotePotato0</a>, an attacker already logged in to a Windows computer (e.g., a Terminal Server) can force the computer to reveal credentials of any other user also logged in to the same computer.</p><p>For a great primer on relaying attacks in Windows, check out the article <a href=\"https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/\" target=\"_blank\">\"I’m bringing relaying back: A comprehensive guide on relaying anno 2022\"</a> by Jean-François Maes of <a href=\"https://www.trustedsec.com\" target=\"_blank\">TrustedSec</a>. <a href=\"https://twitter.com/_dirkjan\" target=\"_blank\">Dirk-jan Mollema</a> of <a href=\"https://outsidersecurity.nl/\" target=\"_blank\">Outsider Security</a> also wrote several excellent pieces: \"<a href=\"https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/\" target=\"_blank\">The worst of both worlds: Combining NTLM Relaying and Kerberos delegation</a>\", \"<a href=\"https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/\" target=\"_blank\">Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin</a>\" and \"<a href=\"https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/\" target=\"_blank\">NTLM relaying to AD CS - On certificates, printers and a little hippo</a>.\"<br /></p><p>Alas, Microsoft's position seems to be not to fix forced authentication issues unless an attack can be mounted anonymously; <a href=\"https://twitter.com/wdormann/status/1526324681887862784?s=20&amp;t=zPYpDmXqNJAPaDsdh0SSKQ\" target=\"_blank\">their fix for PetitPotam confirms that</a> - they only addressed the anonymous attack vector. 
In other words:</p><p><i><b>If any domain user in a typical enterprise network should decide to become domain administrator, no official patch will be made available to prevent them from doing so</b>.</i></p><p>Microsoft does suggest (<a href=\"https://support.microsoft.com/en-gb/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429\" target=\"_blank\">here</a>, <a href=\"https://www.microsoft.com/security/blog/2022/05/25/detecting-and-preventing-privilege-escalation-attacks-leveraging-kerberos-relaying-krbrelayup/\" target=\"_blank\">here</a>) various countermeasures to mitigate such attacks, including disabling NTLM, enabling EPA for Certificate Authority, or requesting LDAP signing and channel binding. These mitigations, however, are often a no-go for large organizations as they would break existing processes. It therefore isn't surprising that many of our large customers ask us for micropatches to address these issues in their networks.</p><p>Consequently, at 0patch we've decided to address all&nbsp; known forced authentication issues in Windows exploitable by either anonymous or low-privileged attackers.<br /></p><p><br /></p><h3>The Vulnerability</h3><p>The vulnerability we micropatched this time has two names - <i>PrinterBug</i> and <i>SpoolSample</i> - but no CVE ID as it is considered a \"won't fix\" by the vendor. 
Its first public reference is this 2018 Derbycon presentation \"<a href=\"https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory\" target=\"_blank\">The Unintended Risks of Trusting Active Directory</a>\" by <br /><a href=\"https://twitter.com/harmj0y\" target=\"_blank\">Will Schroeder</a>, <a href=\"https://twitter.com/tifkin_\" target=\"_blank\">Lee Christensen</a>, and <a href=\"https://twitter.com/enigma0x3\" target=\"_blank\">Matt Nelson</a> of <a href=\"https://specterops.io/\" target=\"_blank\">SpecterOps</a>, where the authors describe how the <a href=\"https://msdn.microsoft.com/en-us/library/cc244528.aspx\" target=\"_blank\">MS-RPRN</a> RPC interface can be used to force a remote computer to initiate authentication to the attacker's computer.</p><p>Will Schroeder's subsequent paper \"<a href=\"https://posts.specterops.io/not-a-security-boundary-breaking-forest-trusts-cd125829518d\" target=\"_blank\">Not A Security Boundary: Breaking Forest Trusts</a>\" explains how this bug can be used for breaking the forest trust relationships; with March 2019 Windows Updates, Microsoft provided a related fix for <a href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0683\" target=\"_blank\">CVE-2019-0683</a>, addressing only the forest trust issue.</p><p>Today, four-plus years later, the PrinterBug/SpoolSample still works on all Windows systems for forcing a Windows computer running Print Spooler service to authenticate to the attacker's computer, provided the attacker knows any domain user's credentials. 
As such, it is comparable to <a href=\"https://blog.0patch.com/2021/08/free-micropatches-for-petitpotam.html\" target=\"_blank\">PetitPotam</a>, which also still works for a low-privileged attacker (Microsoft only fixed the anonymous attack), and the recently disclosed <a href=\"https://github.com/Wh04m1001/DFSCoerce\" target=\"_blank\">DFSCoerce</a> issue - which we're also <a href=\"https://twitter.com/0patch/status/1540329468002291713\" target=\"_blank\">preparing a micropatch</a> for.</p><p>The vulnerability can be triggered by making a remote procedure call to a Windows computer (e.g., domain controller) running Print Spooler Service, specifically calling function <span><a href=\"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/eb66b221-1c1f-4249-b8bc-c5befec2314d\" target=\"_blank\">RpcRemoteFindFirstPrinterChangeNotification(Ex)</a></span> and providing the address of attacker's computer in the <span>pszLocalMachine</span> argument. Upon receiving such request, Print Spooler Service establishes an RPC channel back to attacker's computer - authenticating as the local computer account! This is enough for the attacker to relay received credentials to a certificate service in the network and obtain a privileged certificate.</p><p>When <span>RpcRemoteFindFirstPrinterChangeNotification(Ex)</span> is called, it impersonates the client via the <span>YImpersonateClient</span> function - which is good. The execution then continues towards the vulnerability by calling <span>RemoteFindFirstPrinterChangeNotification</span>. This function then calls <span>SetupReplyNotification</span>, which in turn calls <span>OpenReplyRemote</span>: this function <i>reverts the impersonation</i> (!) 
before calling <span>RpcReplyOpenPrinter</span>, where an RPC request to the attacker-specified host is made using the computer account.</p><p>We're not sure why the developers decided to revert impersonation of the caller before making that RPC call, but suspect it was to ensure the call would have sufficient permissions to succeed regardless of the caller's identity. In any case, this allows the attacker to effectively exchange low-privileged credentials for high-privileged ones.</p><p><br /></p><h3>Our Micropatch</h3><p>When patching an NTLM relaying issue, we have a number of options, for instance:</p><ul><li>using client impersonation, so the attacker only receives their own credentials instead of the server's,</li><li>adding an access check to see if the calling user has sufficient permissions for the call at all, or<br /></li><li>outright cutting off the vulnerable functionality, when it seems hard to fix or unlikely to be used.</li></ul><p>This particular bug fell into the last category, as we could not find a single product actually using the affected functionality, and Windows itself does not use it in its printer-related products. If it turns out our assessment was incorrect, we can easily revoke this patch and replace it with one that performs impersonation.</p><p>Our micropatch is very simple: it simulates an \"access denied\" (error code 5) response from the <span>RpcReplyOpenPrinter</span> function without letting it make the \"leaking\" RPC call. 
This also blocks the same attack that might be launched via other functions that call <span>RpcReplyOpenPrinter</span>.</p><p>Source code of the micropatch has just two CPU instructions: <br /></p><div><br />\n<div>\n<br /><span><span>MODULE_PATH \"..\\Affected_Modules\\spoolsv.exe_10.0.17763.2803_Srv2019_64-bit_u202205\\spoolsv.exe\"<br />PATCH_ID 908<br />PATCH_FORMAT_VER 2<br />VULN_ID 7419<br />PLATFORM win64<p>patchlet_start<br />&nbsp;&nbsp; &nbsp;PATCHLET_ID 1<br />&nbsp;&nbsp; &nbsp;PATCHLET_TYPE 2<br />&nbsp;&nbsp; &nbsp;PATCHLET_OFFSET 0x576cc<br />&nbsp;&nbsp; &nbsp;N_ORIGINALBYTES 5<br />&nbsp;&nbsp; &nbsp;JUMPOVERBYTES 0<br />&nbsp;&nbsp; &nbsp;PIT spoolsv.exe!0x577df<br />&nbsp;&nbsp; &nbsp;; 0x577df -&gt; return block</p><p>&nbsp;&nbsp;&nbsp; code_start </p><p>&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; mov ebx, 5<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; jmp PIT_0x577df</p><p>&nbsp;&nbsp;&nbsp; code_end</p><p>patchlet_end</p></span></span><span> </span></div>\n</div>&nbsp; <p><br /></p><h3>Micropatch Availability<br /></h3><p>While this vulnerability has no official patch and could be considered a \"0day\", Microsoft seems determined not to fix relaying issues such as this one; therefore, this micropatch is not provided in the FREE plan but requires a PRO or Enterprise license.<br /></p><p>The micropatch was written for the following Versions of Windows with all available Windows Updates installed:<b>&nbsp;</b></p><ol><li><b>Windows 11 v21H2<br /></b></li><li><b>Windows 10 v21H2 </b><br /></li><li><b>Windows 10 v21H1</b><br /></li><li><b>Windows 10 v20H2</b><b> <br /></b></li><li><b>Windows 10 v2004</b></li><li><b>Windows 10 v1909</b></li><li><b>Windows 10 v1903</b></li><li><b>Windows 10 v1809</b></li><li><b>Windows 10 v1803</b></li><li><b>Windows 7 (no ESU, ESU year 1, ESU year 2)</b><br /></li><li><b>Windows Server 2008 R2 </b><b>(no ESU, ESU year 1, ESU year 2)</b></li><li><b><b>Windows Server 2012 </b></b></li><li><b>Windows Server 2012 
R2</b></li><li><b><b>Windows Server 2016</b></b></li><li><b><b><b>Windows Server 2019</b>&nbsp;</b></b></li><li><b><b>Windows Server 2022&nbsp;</b> </b></li></ol><div class=\"css-901oao r-hkyrab r-1qd0xha r-a023e6 r-16dba41 r-ad9z0x r-bcqeeo r-bnwqim r-qvutc0\" dir=\"auto\" lang=\"en\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">&nbsp;</span></div><p><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">This\n micropatch </span><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">has already been distributed to, </span></span></span><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">and is being applied to, </span></span>all \nonline 0patch Agents in PRO or Enterprise accounts</span> (unless </span></span><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">Enterprise </span></span>group settings prevent that).&nbsp;</span></span></p><p><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">If you're new to 0patch</span>, create a free account \nin <a class=\"url-ext\" data-full-url=\"https://central.0patch.com\" href=\"https://central.0patch.com\" rel=\"url noopener 
noreferrer\" target=\"_blank\">0patch Central</a>, then install and register 0patch Agent from <a class=\"url-ext\" data-full-url=\"https://0patch.com\" href=\"https://t.co/UMXoQqpLQh\" rel=\"url noopener noreferrer\" target=\"_blank\">0patch.com</a>, and email <a href=\"mailto:sales@0patch.com\">sales@0patch.com</a> for a trial. Everything else will happen automatically. No computer reboot will be needed.</span></p><p><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"></span></p><div class=\"css-901oao r-hkyrab r-1qd0xha r-a023e6 r-16dba41 r-ad9z0x r-bcqeeo r-bnwqim r-qvutc0\" dir=\"auto\" lang=\"en\">\n</div>\n\n<span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">To learn more about 0patch, please visit our <a href=\"https://0patch.zendesk.com/hc/en-us\" target=\"_blank\">Help Center</a>.&nbsp; </span></span><p>We'd like to thank <a href=\"https://twitter.com/harmj0y\" target=\"_blank\">Will Schroeder</a>, <a href=\"https://twitter.com/tifkin_\" target=\"_blank\">Lee Christensen</a>, and <a href=\"https://twitter.com/enigma0x3\" target=\"_blank\">Matt Nelson</a> of <a href=\"https://specterops.io/\" target=\"_blank\">SpecterOps</a> for sharing details about this vulnerability, and <a href=\"https://twitter.com/_dirkjan\" target=\"_blank\">Dirk-jan Mollema</a> of <a href=\"https://outsidersecurity.nl/\" target=\"_blank\">Outsider Security</a> for excellent articles on relaying attacks and exploiting PrinterBug/SpoolSample in particular. We also \nencourage security researchers to privately share their analyses with us\n for micropatching.</p><p><br /></p><p><br /></p>\n<div></div>\n",
"pubDate": "Mon, 27 Jun 2022 15:11:00 +0000",
"dc_creator": "Mitja Kolsek",
"og_url": "https://blog.0patch.com/2022/06/micropatching-printerbugspoolsample.html",
"og_title": "Micropatching the \"PrinterBug/SpoolSample\" - Another Forced Authentication Issue in Windows",
"og_description": "  by Mitja Kolsek, the 0patch Team Forced authentication issues (including NTLM relaying and Kerberos relaying) are a silent elephant in the...",
"og_image": "https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicaG4Tsz0iBDAv5rMBHhp-QFqwcFxKeXDrIAs_qia_YQU1yBM4vqgj853U7p7g9LezupvNvDF7Gl4g-B2z8Ars9OsdvYyruXNbzCcuQNDc4E-U2KrfuZEpYirw4AOfSNIVv8_KLFBnhRm9jcfP32pY2gRmPLKIinNM3u5KaCfP93ABRQN2v43cQjc2qA/w1200-h630-p-k-no-nu/Vuln_7419_NO-CVE_PrinterBug_SpoolSample_PatchCard_1024x512.png",
"dc_language": "en",
"dc_format": "text/html",
"dc_identifier": "https://blog.0patch.com/2022/06/micropatching-printerbugspoolsample.html",
"media_thumbnail": {
"@attributes": {
"url": "https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicaG4Tsz0iBDAv5rMBHhp-QFqwcFxKeXDrIAs_qia_YQU1yBM4vqgj853U7p7g9LezupvNvDF7Gl4g-B2z8Ars9OsdvYyruXNbzCcuQNDc4E-U2KrfuZEpYirw4AOfSNIVv8_KLFBnhRm9jcfP32pY2gRmPLKIinNM3u5KaCfP93ABRQN2v43cQjc2qA/s72-w640-h320-c/Vuln_7419_NO-CVE_PrinterBug_SpoolSample_PatchCard_1024x512.png"
}
}
},
{
"title": "Microsoft Diagnostic Tool \"DogWalk\" Package Path Traversal Gets Free Micropatches (CVE-2022-34713)",
"link": "https://blog.0patch.com/2022/06/microsoft-diagnostic-tools-dogwalk.html",
"guid": "https://blog.0patch.com/2022/06/microsoft-diagnostic-tools-dogwalk.html",
"description": "by Mitja Kolsek, the 0patch Team   Update 8/10/2022: August 2022 Windows Updates brought an official fix for this vulnerability with assigned CVE-2022-34713. Our users were therefore protected from this issue whole 63 days before an official fix got available, and remain protected until they install August Windows Updates. These micropatches from now on require…",
"content_encoded": "<div class=\"separator\"><a href=\"https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu4H1l7SsjQCyh8s3YbMko9Dau8ZLY2V1fE-Hm1-UCRZIMLpnIz63LgsHplHFllUckoS9s4wP_30cTkHH5d-J2-7UmbVL-_V8mAgfZ7sGFxZYVIkjiVLgOQxQd7_x_7swxhiSXObs8u6H0mKpPL38Ajuv-1fL7xjSnpfCp7f9fiTnHsTbjkyrHOfYqlQ/s1024/Vuln_7418_NO-CVE_DogWalk_PatchCard_1024x512.png\"><img border=\"0\" data-original-height=\"512\" data-original-width=\"1024\" height=\"320\" src=\"https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu4H1l7SsjQCyh8s3YbMko9Dau8ZLY2V1fE-Hm1-UCRZIMLpnIz63LgsHplHFllUckoS9s4wP_30cTkHH5d-J2-7UmbVL-_V8mAgfZ7sGFxZYVIkjiVLgOQxQd7_x_7swxhiSXObs8u6H0mKpPL38Ajuv-1fL7xjSnpfCp7f9fiTnHsTbjkyrHOfYqlQ/w640-h320/Vuln_7418_NO-CVE_DogWalk_PatchCard_1024x512.png\" width=\"640\" alt=\"image\" /></a></div><br /><p>by Mitja Kolsek, the 0patch Team</p><p><i>Update 8/10/2022: August 2022 Windows Updates brought an official fix for this vulnerability with assigned <a href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34713\" target=\"_blank\">CVE-2022-34713</a>. <b>Our users were therefore protected from this issue whole 63 days before an official fix got available</b>, and remain protected until they install August Windows Updates. 
These micropatches from now on require a PRO or Enterprise license.<br /></i></p><p><i>&nbsp;</i> <br /></p><p>With the <a href=\"https://blog.0patch.com/2022/06/free-micropatches-for-follina-microsoft.html\" target=\"_blank\">\"Follina\" / CVE-2022-30190 0day</a> still hot, i.e., still waiting for an official fix while apparently <a href=\"https://twitter.com/threatinsight/status/1532830739208732673\" target=\"_blank\">already getting exploited by nation-backed attackers</a>, another related unfixed vulnerability in Microsoft's Diagnostic Tool (MSDT) bubbled to the surface.</p><p>In January 2020, security researcher <a href=\"https://twitter.com/ImreRad\" target=\"_blank\">Imre Rad</a> published an article titled \"<a href=\"https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd\" target=\"_blank\">The trouble with Microsoft’s Troubleshooters</a>,\" describing a method for having a malicious executable file being saved to user's <span>Startup</span> folder, where it would subsequently get executed upon user's next login. What the user has to do for this to happen is open a \"<span>diagcab</span>\" file, an archive in the <a href=\"https://en.wikipedia.org/wiki/Cabinet_(file_format)\" target=\"_blank\">Cabinet (CAB) file format</a> that contains a diagnostics configuration file.</p><p>According to Imre's article, this issue was reported to Microsoft but their position was that it was not a security issue worth fixing. This was their response:<br /></p><p><i>\"There\n are a number of file types that can execute code in such a way but \naren’t technically “executables”. And a number of these are considered \nunsafe for users to download/receive in email, even .diagcab is blocked \nby default in Outlook on the web and other places. 
This is noted a \nnumber of places online by Microsoft.</i></p><p class=\"kd ke lb kf b kg ln ki kj kk lo km kn nc lp kq kr nd lq ku kv ne lr ky kz la ib gj\" data-selectable-paragraph=\"\" id=\"66f3\"><i>The\n issue is that to make use of this attack an attacker needs to create \nwhat amounts to a virus, convince a user to download the virus, and then\n run it. Yes, it doesn’t end in .exe, but these days most viruses don’t.\n Some protections are already put into place, such as standard files \nextensions to be blocked, of which this is one. We are also always \nseeking to improve these protections. But as written this wouldn’t be \nconsidered a vulnerability. No security boundaries are being bypassed, \nthe PoC doesn’t escalate permissions in any way, or do anything the user\n couldn’t do already.\"</i></p><p class=\"kd ke lb kf b kg ln ki kj kk lo km kn nc lp kq kr nd lq ku kv ne lr ky kz la ib gj\" data-selectable-paragraph=\"\">The above does not sound unreasonable. The victim is supposed to open a file provided by the attacker, and then something bad happens. It's true (as it was back in 2020 when this was written) that most viruses aren't delivered to victims as <span>.exe</span> files or other typical executables, and that files with <span>.diagcab</span> extension would be marked as dangerous by Outlook. However, Outlook is not the only delivery vehicle: such file is cheerfully downloaded by all major browsers including Microsoft Edge by simply visiting(!) a web site, and it only takes a single click (or mis-click) in the browser's downloads list to have it opened. No warning is shown in the process, in contrast to downloading and opening any other known file capable of executing attacker's code. 
From attacker's perspective, therefore, this is a nicely exploitable \nvulnerability with all Windows versions affected back to Windows 7 and \nServer 2008.</p><p class=\"kd ke lb kf b kg ln ki kj kk lo km kn nc lp kq kr nd lq ku kv ne lr ky kz la ib gj\" data-selectable-paragraph=\"\">In any case, the issue was found, reported, deemed unworthy, and largely forgotten. Until security researcher <a href=\"https://twitter.com/j00sean\" target=\"_blank\">j00sean</a> found it again and <a href=\"https://twitter.com/mkolsek/status/1532704505577541637\" target=\"_blank\">brought attention to it last week</a>, as Microsoft Diagnostic Tool was under the spotlight because of Follina.</p><p class=\"kd ke lb kf b kg ln ki kj kk lo km kn nc lp kq kr nd lq ku kv ne lr ky kz la ib gj\" data-selectable-paragraph=\"\">We decided this issue is exploitable enough to warrant a micropatch, and with the cat out of the bag (having presumably stayed in the bag since 2020) the likelihood of its exploitation is now higher.</p><p class=\"kd ke lb kf b kg ln ki kj kk lo km kn nc lp kq kr nd lq ku kv ne lr ky kz la ib gj\" data-selectable-paragraph=\"\">Oh, and where did the <i>DogWalk</i> name come from? <a href=\"https://twitter.com/mkolsek/status/1534102193854418944\" target=\"_blank\">I asked Kevin Beaumont</a> to name this vulnerability before publishing the blog post, and Kevin agreed with <a href=\"https://twitter.com/kilijanek\" target=\"_blank\">Kili</a>'s suggestion. 
The whole story is in the Twitter thread.</p><p class=\"kd ke lb kf b kg ln ki kj kk lo km kn nc lp kq kr nd lq ku kv ne lr ky kz la ib gj\" data-selectable-paragraph=\"\">&nbsp;<br /></p><h3 class=\"kd ke lb kf b kg ln ki kj kk lo km kn nc lp kq kr nd lq ku kv ne lr ky kz la ib gj\" data-selectable-paragraph=\"\">The Vulnerability</h3><p class=\"kd ke lb kf b kg ln ki kj kk lo km kn nc lp kq kr nd lq ku kv ne lr ky kz la ib gj\" data-selectable-paragraph=\"\">The vulnerability lies in the Microsoft Diagnostic Tool's <span>sdiageng.dll</span> library, which takes the attacker-supplied folder path from the package configuration XML file inside the <span>diagcab</span> archive, and copies all files from that folder to a local temporary folder. During this process, it enumerates files in attacker's folder, gets the file name for each of them, then glues together the local temporary path and that file name to generate the local path on the computer where the file is to be created. For instance, if attacker's folder were <span>C:\\temp\\</span> and it contained a single file <span>test.txt</span>, the affected code would find that file, determine its name to be \"<span>test.txt</span>\", concatenate the previously created temporary folder name with this file name to get something like \"<span>C:\\Users\\John\\AppData\\Local\\Temp\\SDIAG_0636db01-fabd-49ed-bd1d-b3fbbe5fd0ca\\test.txt</span>\" and finally create such file with the content of the original <span>C:\\temp\\test.txt</span> file.</p><p class=\"kd ke lb kf b kg ln ki kj kk lo km kn nc lp kq kr nd lq ku kv ne lr ky kz la ib gj\" data-selectable-paragraph=\"\">Now, the source folder can be on a remote share, not only a local folder such as <span>C:\\temp</span>. 
Furthermore, it can reside on a <a href=\"https://en.wikipedia.org/wiki/WebDAV\" target=\"_blank\">WebDAV</a> share on the Internet because by default, Windows workstations happily use WebDAV to access network shares, and WebDAV goes through most firewalls as it is basically just outbound HTTP. But none of these is the vulnerability yet.</p><p class=\"kd ke lb kf b kg ln ki kj kk lo km kn nc lp kq kr nd lq ku kv ne lr ky kz la ib gj\" data-selectable-paragraph=\"\">The vulnerability is in the fact that the code assumes the filename to be a valid Windows filename. You know, not containing those characters you see Windows complaining about when you try to rename a file to something with \":\" or \"|\".</p><div class=\"separator\"><a href=\"https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjejx8cmYt3EDVZ5kv-8mJF4c22DTu8Z_ZzoXFJI3zCAySnKCsAmsNTov0slJnBTbcoHB17hbVl4IstCqTqqDFlLneZOMYzOnodltUhE4oOaOk4Wxn5zTCQQle7wTOPKwrKEBm9TLGnNHJjtMcWFGwSg_QlMFofIvm10uUf0Q1jRj21lQ12anKsbxBCJg/s389/Invalid_filename.png\"><img border=\"0\" data-original-height=\"113\" data-original-width=\"389\" height=\"93\" src=\"https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjejx8cmYt3EDVZ5kv-8mJF4c22DTu8Z_ZzoXFJI3zCAySnKCsAmsNTov0slJnBTbcoHB17hbVl4IstCqTqqDFlLneZOMYzOnodltUhE4oOaOk4Wxn5zTCQQle7wTOPKwrKEBm9TLGnNHJjtMcWFGwSg_QlMFofIvm10uUf0Q1jRj21lQ12anKsbxBCJg/s320/Invalid_filename.png\" width=\"320\" alt=\"image\" /></a></div><p>&nbsp;Or, more specifically, that a file name can't be something like \"<span>\\..\\..\\..\\..\\..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\malicious.exe</span>\".<br /></p><p>Wait, <i>can</i> a file name actually look like that? Not if you try to create it with Windows Explorer or \"regular tools\", but there is nothing to prevent a WebDAV server from saying, \"Here's the file, its name is whatever I want it to be, deal with it.\" Should Windows accept such malformed file names? 
Probably not - but they do, and they pass them on to applications using their APIs. Which is the case with the vulnerability at hand; let's see what happens:</p><p><br /></p><ol><li>The <span>diagcab</span> archive contains package configuration XML file pointing to a folder on a remote WebDAV server.</li><li>This folder hosts a file named \"<span>\\..\\..\\..\\..\\..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\malicious.exe</span>\".</li><li>Vulnerable MSDT creates a local temporary folder such as \"<span>C:\\Users\\John\\AppData\\Local\\Temp\\SDIAG_0636db01-fabd-49ed-bd1d-b3fbbe5fd0ca</span>\".</li><li>It then appends the remote file name to this folder name and gets: \"<span>C:\\Users\\John\\AppData\\Local\\Temp\\SDIAG_0636db01-fabd-49ed-bd1d-b3fbbe5fd0ca</span><span>\\..\\..\\..\\..\\..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\malicious.exe</span>\".</li><li>Which in fact means \"<span>C:\\</span><span>AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\malicious.exe</span>\".</li><li>It finally copies the content of the remote weirdly-named file to <span>malicious.exe</span> in computer's <span>Startup</span> folder, where it will be executed the next time anyone logs in.&nbsp; <br /></li></ol><p>Okay, but who would download and open a silly <span>diagcab</span> file? Well, the download can happen automatically in a drive-by-download fashion, as demonstrated by Imre's POC (click <a href=\"https://webdav-test.herokuapp.com/config/i-repair-everything-on-your-computer.diagcab\" target=\"_blank\">this link</a> and see the file downloaded to your browser). Then you see it listed in browser's Downloads list and if you click on it - intentionally or not - it's game over.</p><p>How about <a href=\"https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/\" target=\"_blank\">Mark of the Web</a>? 
Aren't all downloaded files and files received via email marked with this flag that tells Windows to warn the user if they want to open it?</p><p>They are indeed, and the downloaded <span>diagcab</span> file is marked as well. But it is up to the application processing the file to check this mark and warn the user. Many applications do that; MSDT, unfortunately, does not.<br /></p><h3>Our Micropatch <br /></h3><p>Clearly, this is a <a href=\"https://owasp.org/www-community/attacks/Path_Traversal\" target=\"_blank\">path traversal vulnerability</a>, and these vulnerabilities are all addressed in the same way: by searching for occurrences of \"<span>..\\</span>\" in attacker-supplied file name or path and blocking the operation in case any are found. This is exactly what we did here. Our patch adds code that searches the source file name for \"<span>..\\</span>\"; if found, it reports an \"Exploit blocked\" event and emulates an error on the file copy operation as shown on the video below.</p><p><br /></p><p><br /></p><p>Source code of the micropatch: <br /></p><div><br />\n<div>\n<br /><span><span>MODULE_PATH \"..\\Affected_Modules\\sdiageng.dll_10.0.18362.1_Win10-1909_64-bit_u202205\\sdiageng.dll\"<br />PATCH_ID 893<br />PATCH_FORMAT_VER 2<br />VULN_ID 7418<br />PLATFORM win64<p>patchlet_start</p><p>&nbsp;&nbsp;&nbsp; PATCHLET_ID 1<br />&nbsp;&nbsp; &nbsp;PATCHLET_TYPE 2<br />&nbsp;&nbsp; &nbsp;PATCHLET_OFFSET 0x20e86<br />&nbsp;&nbsp; &nbsp;N_ORIGINALBYTES 5<br />&nbsp;&nbsp; &nbsp;JUMPOVERBYTES 0<br />&nbsp;&nbsp; &nbsp;PIT msvcrt!wcsstr,sdiageng!0x20f30<br />&nbsp;&nbsp; &nbsp;code_start </p><p>&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; call VAR&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; ; push \"..\\\" to stack and use it as a variable<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; dw __utf16__('..\\'),0</p><p>&nbsp;&nbsp; &nbsp;VAR:<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; pop rdx&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; 
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; ; get VAR from stack - substring<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; lea rcx, [rsp+5Ch]&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ; mov data pointer to rcx - path<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; sub rsp, 20h&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; ; shadow space<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; call PIT_wcsstr&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; ; search substring(\"..\\\") in a string(path)<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; add rsp, 20h<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; cmp rax, 0&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ; check wcsstr return. 0 if the string does<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ; not contain the substring<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; ; else returns a pointer to the first<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ; occurrence of substring in string<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; <br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; je CONTINUE<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; call PIT_ExploitBlocked&nbsp;&nbsp;&nbsp;&nbsp; ; exploit blocked popup<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; jmp PIT_0x20f30&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; ; jmp to existing error block</p><p>&nbsp;&nbsp; &nbsp;CONTINUE:&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; 
&nbsp;&nbsp; ; normal code flow<br />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; <br />&nbsp;&nbsp; &nbsp;code_end</p><p>patchlet_end</p></span></span><span> </span></div>\n</div><p>&nbsp; <br /></p><p>This is how our patch (green code blocks) is integrated in the original vulnerable code (white and blue code blocks) to add the missing security check:</p><p><br /></p><div class=\"separator\"><a href=\"https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjePqAWBlA-jkpl9n22glzMbGMGDNnyly-8WpocA0hOpqWl2WsWxBQxh1zkBkVpxAyZ4NgDiwyTfIZGP1ROcl6i1VjFQEdTGEgfw3nRwFrKUfZlNZJI5BgXty7BApTlgleInF31GCTIRVQOo2MRNEJ9dtEJBN5oCNgzzTBKcxzlMujiAspaYDH9d9ygAw/s946/DogWalk_patch.png\"><img border=\"0\" data-original-height=\"946\" data-original-width=\"613\" height=\"640\" src=\"https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjePqAWBlA-jkpl9n22glzMbGMGDNnyly-8WpocA0hOpqWl2WsWxBQxh1zkBkVpxAyZ4NgDiwyTfIZGP1ROcl6i1VjFQEdTGEgfw3nRwFrKUfZlNZJI5BgXty7BApTlgleInF31GCTIRVQOo2MRNEJ9dtEJBN5oCNgzzTBKcxzlMujiAspaYDH9d9ygAw/w414-h640/DogWalk_patch.png\" width=\"414\" alt=\"image\" /></a></div><p><br /></p><h3>Micropatch Availability<br /></h3><p>Since\n this is a \"0day\" vulnerability with no official vendor fix available, \nwe are providing our micropatches for free until such fix becomes \navailable.<br /></p><p>Micropatches were written for:<b>&nbsp;</b></p><ol><li><b>Windows 11 v21H2<br /></b></li><li><b>Windows 10 v21H2 </b><br /></li><li><b>Windows 10 v21H1</b><br /></li><li><b>Windows 10 v20H2</b><b> <br /></b></li><li><b>Windows 10 v2004</b></li><li><b>Windows 10 v1909</b></li><li><b>Windows 10 v1903</b></li><li><b>Windows 10 v1809</b></li><li><b>Windows 10 v1803</b></li><li><b>Windows 7</b><br /></li><li><b>Windows Server 2008 R2</b></li><li><b><b>Windows Server 2012 </b></b></li><li><b>Windows Server 2012 R2</b></li><li><b><b>Windows Server 2016</b></b></li><li><b><b><b>Windows Server 2019</b>&nbsp;</b></b></li><li><b><b>Windows Server 2022&nbsp;</b> </b></li></ol><div 
class=\"css-901oao r-hkyrab r-1qd0xha r-a023e6 r-16dba41 r-ad9z0x r-bcqeeo r-bnwqim r-qvutc0\" dir=\"auto\" lang=\"en\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">&nbsp;</span></div><p><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">These\n micropatches </span><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">have already been distributed to all \nonline 0patch Agents</span>. If you're new to 0patch</span>, create a free account \nin <a class=\"url-ext\" data-full-url=\"https://central.0patch.com\" href=\"https://central.0patch.com\" rel=\"url noopener noreferrer\" target=\"_blank\">0patch Central</a>, then install and register 0patch Agent from <a class=\"url-ext\" data-full-url=\"https://0patch.com\" href=\"https://t.co/UMXoQqpLQh\" rel=\"url noopener noreferrer\" target=\"_blank\">0patch.com</a>. Everything else will happen automatically. No computer reboot will be needed.</span></p><p><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">We don't know whether this vulnerability has ever been exploited in the wild, or whether it will ever be. 
But as former attackers, we know it's the kind of issue one could realistically use, and our micropatches make sure that 0patch users don't have to care either way.<br /></span></p><div class=\"css-901oao r-hkyrab r-1qd0xha r-a023e6 r-16dba41 r-ad9z0x r-bcqeeo r-bnwqim r-qvutc0\" dir=\"auto\" lang=\"en\">\n</div>\n\n<span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\"><span class=\"css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0\">To learn more about 0patch, please visit our <a href=\"https://0patch.zendesk.com/hc/en-us\" target=\"_blank\">Help Center</a>.&nbsp; </span></span><p>We'd like to thank <a href=\"https://twitter.com/ImreRad\" target=\"_blank\">Imre Rad</a> for\n publishing vulnerability details and a POC, which allowed us to reproduce the \nvulnerability and \ncreate a micropatch, <a href=\"https://twitter.com/j00sean\" target=\"_blank\">j00sean</a> for digging this thing up and shedding light on it, and all other security researchers who have shared \ntheir findings with public or privately with us. 
We also \nencourage security researchers to privately share their analyses with us\n for micropatching.</p><p class=\"kd ke lb kf b kg ln ki kj kk lo km kn nc lp kq kr nd lq ku kv ne lr ky kz la ib gj\" data-selectable-paragraph=\"\"><br /></p><p class=\"kd ke lb kf b kg ln ki kj kk lo km kn nc lp kq kr nd lq ku kv ne lr ky kz la ib gj\" data-selectable-paragraph=\"\"><br /></p><p class=\"kd ke lb kf b kg ln ki kj kk lo km kn nc lp kq kr nd lq ku kv ne lr ky kz la ib gj\" data-selectable-paragraph=\"\"><br /></p><p class=\"kd ke lb kf b kg ln ki kj kk lo km kn nc lp kq kr nd lq ku kv ne lr ky kz la ib gj\" data-selectable-paragraph=\"\"><br /></p><p class=\"kd ke lb kf b kg ln ki kj kk lo km kn nc lp kq kr nd lq ku kv ne lr ky kz la ib gj\" data-selectable-paragraph=\"\"><br /></p><p class=\"kd ke lb kf b kg ln ki kj kk lo km kn nc lp kq kr nd lq ku kv ne lr ky kz la ib gj\" data-selectable-paragraph=\"\"><br /></p>\n<div></div>\n",
"pubDate": "Tue, 07 Jun 2022 13:39:00 +0000",
"dc_creator": "Mitja Kolsek",
"og_url": "https://blog.0patch.com/2022/06/microsoft-diagnostic-tools-dogwalk.html",
"og_title": "Microsoft Diagnostic Tool \"DogWalk\" Package Path Traversal Gets Free Micropatches (CVE-2022-34713)",
"og_description": "by Mitja Kolsek, the 0patch Team   Update 8/10/2022: August 2022 Windows Updates brought an official fix for this vulnerability with assigne...",
"og_image": "https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu4H1l7SsjQCyh8s3YbMko9Dau8ZLY2V1fE-Hm1-UCRZIMLpnIz63LgsHplHFllUckoS9s4wP_30cTkHH5d-J2-7UmbVL-_V8mAgfZ7sGFxZYVIkjiVLgOQxQd7_x_7swxhiSXObs8u6H0mKpPL38Ajuv-1fL7xjSnpfCp7f9fiTnHsTbjkyrHOfYqlQ/w1200-h630-p-k-no-nu/Vuln_7418_NO-CVE_DogWalk_PatchCard_1024x512.png",
"dc_language": "en",
"dc_format": "text/html",
"dc_identifier": "https://blog.0patch.com/2022/06/microsoft-diagnostic-tools-dogwalk.html",
"media_thumbnail": {
"@attributes": {
"url": "https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu4H1l7SsjQCyh8s3YbMko9Dau8ZLY2V1fE-Hm1-UCRZIMLpnIz63LgsHplHFllUckoS9s4wP_30cTkHH5d-J2-7UmbVL-_V8mAgfZ7sGFxZYVIkjiVLgOQxQd7_x_7swxhiSXObs8u6H0mKpPL38Ajuv-1fL7xjSnpfCp7f9fiTnHsTbjkyrHOfYqlQ/s72-w640-h320-c/Vuln_7418_NO-CVE_DogWalk_PatchCard_1024x512.png"
}
}
}
]
}
}
}