Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnscache Local Privilege Escalation

EDB-ID: 50517

CVE: N/A

Platform: Windows

Date: 2021-11-12


# Exploit Title: Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnscache Local Privilege Escalation
# Date: 11/11/2021
# Exploit Author: it
# Vendor Homepage: https://www.microsoft.com
# Software Link: https://www.microsoft.com/pt-br/download/details.aspx?id=8518
# Version: Version 6.1 (Build 7601) Service Pack 1
# Tested on: Microsoft Windows MultiPoint Server 2011 - English Version

Description
Service Local Privilege Escalation - Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnscache

Vulnerable: Windows MultiPoint Server 2011 SP1 (service registry keys RpcEptMapper and Dnscache)

Vulnerability Type: Local Privilege Escalation

Tested on: Microsoft Windows MultiPoint Server 2011 - Version 6.1 (Build 7601) Service Pack 1

OS Language: English

The Vulnerability

Clément Labro (itm4n) wrote a useful permissions-checking tool for Windows,
PrivescCheck, that finds misconfigurations a local attacker could use to
elevate privileges. On a typical Windows 7 or Windows Server 2008 R2
machine, the tool reported that every local user can create subkeys under
two service registry keys:

HKLM\SYSTEM\CurrentControlSet\Services\Dnscache

HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper

That did not look exploitable at first, but he did the legwork and found
that the Windows performance-counter mechanism can be made to read from
these keys and eventually load a DLL supplied by the local attacker, and,
to most everyone's surprise, not as that user but as Local System.

In short, a local non-admin user creates a Performance subkey under one of
the keys above, populates it with the values that register a
performance-counter DLL (Library, Open, Collect and Close), and triggers
performance-counter collection through WMI. The WmiPrvSE.exe process that
services the request runs as Local System, loads the attacker's DLL and
executes code from it.

Windows MultiPoint Server 2011 is built on the Windows Server 2008 R2 SP1
code base (version 6.1, build 7601), so the same default key permissions
are present there.
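As an added example (not from the advisory, from PrivescCheck or from Perfusion), the PowerShell below audits the two keys named above for the precondition the technique needs: a registry right, granted to a low-privileged principal, that is enough to create the Performance subkey or to write values under the key. The list of low-privileged SIDs and the rights mask are this example's own assumptions; the script only reads ACLs, so it runs as a standard user.

```powershell
# Added example: audit the two service keys from the advisory for registry
# rights that let a non-admin user create the Performance subkey.
# Read-only; runs as a standard user on any Windows host.
$Keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache',
    'HKLM:\SYSTEM\CurrentControlSet\Services\RpcEptMapper'
)

# Low-privileged principals, matched by SID so the check is language-independent
# (assumed list; extend it for custom groups in your environment).
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Any one of these rights is enough to plant a Performance subkey or to tamper with one.
$Rights    = [System.Security.AccessControl.RegistryRights]
$WriteMask = $Rights::CreateSubKey -bor $Rights::SetValue -bor $Rights::WriteKey -bor $Rights::FullControl

function Get-WeakServiceKeyAce {
    foreach ($Key in $Keys) {
        $Acl = Get-Acl -Path $Key -ErrorAction Stop
        foreach ($Ace in $Acl.Access) {
            if ($Ace.AccessControlType -ne 'Allow') { continue }
            try {
                $Sid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # unresolvable identity: not one of the principals we care about
            if (-not $LowPrivSids.ContainsKey($Sid)) { continue }
            if (([int]$Ace.RegistryRights -band [int]$WriteMask) -eq 0) { continue }
            [PSCustomObject]@{
                Key       = $Key
                Principal = $LowPrivSids[$Sid]
                Rights    = $Ace.RegistryRights
                Inherited = $Ace.IsInherited
            }
        }
    }
}

$Findings = @(Get-WeakServiceKeyAce)
if ($Findings.Count -eq 0) {
    'No low-privileged principal can write under Dnscache or RpcEptMapper.'
} else {
    $Findings | Format-Table -AutoSize
}
```

A finding whose Inherited column is False is an explicit ACE on the key itself and can be removed with RemoveAccessRule and Set-Acl from an elevated prompt; an inherited one has to be addressed on the parent key (or by breaking inheritance on the service key) or it will come back.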

Original article: https://itm4n.github.io/windows-registry-rpceptmapper-eop/

I found that another Windows version is also vulnerable, Windows MultiPoint
Server 2011, which can affect customers who use an extended license.

I can't say whether there are other vulnerable, unpublished versions
besides the ones I've posted here.

How to Reproduce

Compile the Perfusion exploit in Visual Studio 2019: open the project,
select the Release x64 configuration and build. The x64 build matters
because the payload DLL is loaded by the 64-bit WmiPrvSE.exe, which cannot
load a 32-bit DLL.

The Microsoft Visual C++ Redistributable must be installed on Windows
MultiPoint Server 2011 for the exploit binary to run.

The exploit creates a Performance subkey under one of the two service keys:

HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Performance

HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper\Performance

and fills it with the values a performance-counter DLL is registered with:

Library = name (or full path) of your performance DLL

Open = name of the Open function exported by your DLL

Collect = name of the Collect function exported by your DLL

Close = name of the Close function exported by your DLL

It then writes the payload DLL to disk and triggers performance-counter
collection through WMI, so that WmiPrvSE.exe, running as SYSTEM, loads the
DLL and calls those exports.
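As a second added example, not part of the advisory or of Perfusion, the PowerShell below looks for the artefact the procedure above leaves behind: a Performance subkey under either service key whose Library value points outside %SystemRoot%\System32 or at a file without a valid Authenticode signature. The "expected location is System32" and "must be signed" rules are this example's own heuristics (third-party software that legitimately registers counters under these keys would trip them), so review the output before passing -Remediate, which deletes the subkey and needs an elevated prompt.

```powershell
# Added example: find (and, with -Remediate, delete) a Performance subkey that
# registers a counter DLL from outside System32 under the two service keys.
param([switch]$Remediate)

$System32    = Join-Path $env:SystemRoot 'System32'
$ServiceKeys = 'Dnscache', 'RpcEptMapper' |
    ForEach-Object { "HKLM:\SYSTEM\CurrentControlSet\Services\$_\Performance" }

function Get-SuspiciousPerfRegistration {
    foreach ($Perf in $ServiceKeys) {
        # A Performance subkey is not expected under either service; absence is the clean state.
        if (-not (Test-Path -Path $Perf)) { continue }

        $Props   = Get-ItemProperty -Path $Perf
        $Library = [string]$Props.Library
        $Reasons = New-Object System.Collections.Generic.List[string]
        $Resolved = $null

        if ($Library -eq '') {
            $Reasons.Add('Performance key present but no Library value')
        } else {
            # A bare file name is loaded from System32; the exploit writes a full path to a
            # DLL in a user-writable location (assumption based on the procedure above).
            $Resolved = [Environment]::ExpandEnvironmentVariables($Library)
            if (-not [IO.Path]::IsPathRooted($Resolved)) { $Resolved = Join-Path $System32 $Resolved }
            if (-not $Resolved.StartsWith($System32, [StringComparison]::OrdinalIgnoreCase)) {
                $Reasons.Add("Library outside System32: $Resolved")
            }
            if (Test-Path -Path $Resolved) {
                $Status = (Get-AuthenticodeSignature -FilePath $Resolved).Status
                if ($Status -ne 'Valid') { $Reasons.Add("Library signature status: $Status") }
            } else {
                $Reasons.Add('Library file missing (already cleaned up, or path is per-user)')
            }
        }

        [PSCustomObject]@{
            Key        = $Perf
            Library    = $Library
            Resolved   = $Resolved
            Exports    = '{0}/{1}/{2}' -f $Props.Open, $Props.Collect, $Props.Close
            Reasons    = ($Reasons -join '; ')
            Suspicious = ($Reasons.Count -gt 0)
        }
    }
}

$Hits = @(Get-SuspiciousPerfRegistration)
$Hits | Format-List

if ($Remediate) {
    foreach ($Hit in ($Hits | Where-Object Suspicious)) {
        # Requires an elevated prompt; the DLL itself is left in place for forensic collection.
        Remove-Item -Path $Hit.Key -Recurse -Force
        "Removed $($Hit.Key)"
    }
}
```

Deleting the subkey only removes the current registration; as long as a low-privileged principal keeps the right to create subkeys under Dnscache or RpcEptMapper, it can be recreated, so the key ACL has to be fixed as well.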

Tools and Exploit:
https://github.com/itm4n/PrivescCheck

Exploit:
https://github.com/itm4n/Perfusion