Document Title:
===============
Microsoft Windows 2012 R2 x64 - (MMC) DoS Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2235

MSRC ID: 58288

Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2020/04/29/microsoft-windows-2012-r2-x64-mmc-local-dos-vulnerability

Release Date:
=============
2020-04-28

Vulnerability Laboratory ID (VL-ID):
====================================
2235

Common Vulnerability Scoring System:
====================================
5.2

Vulnerability Class:
====================
Denial of Service

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
Microsoft Windows Server 2012, working title Microsoft Windows Server 8, is an operating system of the Windows series from the
software manufacturer Microsoft and the successor product of Windows Server 2008 R2. It is the server version of Windows 8 and
was released on September 4, 2012; its further development, Windows Server 2012 R2, followed in October 2013. Support for
Windows Server 2012 R2, and thus the delivery of security updates, ends on October 10, 2023.

(Copy of the Homepage: https://de.wikipedia.org/wiki/Microsoft_Windows_Server_2012)

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a local denial of service vulnerability in the official
Microsoft Windows 2012 R2 operating system.
Vulnerability Disclosure Timeline:
==================================
2020-04-26: Researcher Notification & Coordination (Security Researcher)
2020-04-27: Vendor Notification (Security Department)
2020-04-29: Vendor Response/Feedback (Security Department)
2020-04-29: Vendor Fix/Patch (Won't Fix - OS Support)
2020-04-29: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Local

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Guest Privileges)

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
A local denial of service security vulnerability has been discovered in the official Microsoft Windows 2012 R2 (x64) operating system.
The denial of service vulnerability allows remote attackers to crash or freeze the application, a process or its inbound components.

Windows 2012 R2 ships with a basic firewall in which specific rule sets can be defined. Defining a block rule that contains a large
number of IP addresses (above 200) can corrupt the Windows mmc.exe (Microsoft Management Console). The current snapshot of the
session becomes corrupted, which results in a simple but stable application crash. The issue occurs in the KERNELBASE dynamic link
library: the counted IP items in the list return with a null pointer. The problem is triggered through the Incoming rules -
New Rule (Add) function. The issue can be exploited by local low-privileged system user accounts without user interaction. It affects
only the x64 builds of Windows 2012 R2. Local attackers are able to crash mmc.exe, which leaves several local security measures
malfunctioning.
Triggering the issue results twice in an application hang; the third attempt ends in a final uncaught exception that crashes the
whole process. After the crash, the Windows firewall with advanced security settings pops up and offers to recover the snapshot,
but clicking OK still corrupts the process.

Successful exploitation of the local vulnerability results in mmc.exe process crashes, snapshot corruption or missing security functions.

Request Method(s):
[+] Local

Vulnerable Module(s):
[+] Firewall - Incoming rules

Vulnerable Function(s):
[+] New Rule (Add) - (Local IP / Remote IP)

DLL(s):
[+] Kernelbase

Proof of Concept (PoC):
=======================
The local denial of service via pointer corruption can be exploited by local attackers with a local low-privileged user account
and without user interaction. For security demonstration or to reproduce the local denial of service software vulnerability, follow
the provided information and steps below.

Manual steps to reproduce the vulnerability ...
1. Open the local firewall
2. Set up a new rule
3. Set it to deny all
4. Include some IPs above the mentioned limit (200)
5. Save and apply; a local snapshot is then created internally (automated)
6. The process hangs twice and on the third time crashes with an uncaught null pointer exception
   Note: At that point several Windows messages pop up to recover the snapshot, which results in another error
7. Press OK and the mmc.exe process crashes permanently
8. Successful reproduction of the local vulnerability!
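From the defender's side, the hang/hang/crash sequence described above leaves a trail of Windows Error Reporting (WER) records
like the Application Error Logs quoted in this advisory. The following Python is an added example (not part of the advisory) that
parses such Key=Value report text and flags an mmc.exe APPCRASH in KERNELBASE.dll preceded by repeated mmc.exe hangs; the sample
reports are constructed from the advisory's own values, and the Sig[n].Name labels are read by index because the names are localized.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample: two AppHang reports, then one APPCRASH. Field values come from the
# advisory's logs; the report texts themselves are assembled for this example.
SAMPLE_REPORTS = [
    "EventType=AppHangTransient\nEventTime=132277138943110905\nNsAppName=mmc.exe\nSig[0].Value=mmc.exe\n",
    "EventType=AppHangTransient\nEventTime=132277146000000000\nNsAppName=mmc.exe\nSig[0].Value=mmc.exe\n",
    "EventType=APPCRASH\nEventTime=132277153626144152\nSig[0].Name=Anwendungsname\nSig[0].Value=mmc.exe\n"
    "Sig[3].Name=Fehlermodulname\nSig[3].Value=KERNELBASE.dll\nSig[6].Name=Ausnahmecode\nSig[6].Value=00000000\n",
]
@dataclass
class WerReport:
    event_type: str
    event_time: datetime
    app: str
    fault_module: Optional[str]    # APPCRASH only: Sig[3]
    exception_code: Optional[str]  # APPCRASH only: Sig[6]
def filetime_to_datetime(ft: int) -> datetime:
    """WER EventTime is a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_wer(text: str) -> WerReport:
    """Parse Key=Value report lines. Sig[n].Name strings are localized (German in the
    advisory), so fields are read by Sig index, which is stable across locales."""
    kv = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    crash = kv.get("EventType") == "APPCRASH"
    return WerReport(
        event_type=kv.get("EventType", "?"),
        event_time=filetime_to_datetime(int(kv.get("EventTime", "0"))),
        app=kv.get("NsAppName") or kv.get("Sig[0].Value", "?"),
        fault_module=kv.get("Sig[3].Value") if crash else None,
        exception_code=kv.get("Sig[6].Value") if crash else None,
    )

def find_mmc_kernelbase_crashes(reports: List[WerReport], min_hangs: int = 2) -> List[dict]:
    """Flag an mmc.exe APPCRASH in KERNELBASE.dll preceded by >= min_hangs mmc.exe hangs (the advisory's sequence)."""
    findings, hangs = [], 0
    for r in sorted(reports, key=lambda r: r.event_time):
        if r.app.lower() != "mmc.exe":
            continue
        if r.event_type.startswith("AppHang"):
            hangs += 1
        elif r.event_type == "APPCRASH" and (r.fault_module or "").lower() == "kernelbase.dll":
            if hangs >= min_hangs:
                findings.append({"when": r.event_time.isoformat(), "hangs_before": hangs,
                                 "exception_code": r.exception_code})
            hangs = 0  # a crash ends the current hang run either way
    return findings
```

On a live host the same parser can be pointed at the Report.wer files under the per-user and system WER report queues, and the
finding can be correlated with a firewall rule that carries an unusually long address list.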
--- Application Error Logs ---
EventType=AppHangTransient
EventTime=132277138943110905
ReportType=3
Consent=1
ReportIdentifier=a43305c3-5d4e-11ea-813c-0025904667c6
IntegratorReportIdentifier=a43305c4-5d4e-11ea-813c-0025904667c6
NsAppName=mmc.exe
Response.type=4
Sig[0].Name=Problemsignatur 01
Sig[0].Value=mmc.exe
Sig[1].Name=Problemsignatur 02
Sig[1].Value=6.3.9600.18910
Sig[2].Name=Problemsignatur 03
Sig[2].Value=5a57a503
Sig[3].Name=Problemsignatur 04
Sig[3].Value=unknown
Sig[4].Name=Problemsignatur 05
Sig[4].Value=unknown
Sig[5].Name=Problemsignatur 06
Sig[5].Value=unknown
Sig[6].Name=Problemsignatur 07
Sig[6].Value=unknown
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.3.9600.2.0.0.272.7
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusätzliche Absturzsignatur 1
DynamicSig[22].Value=a170a78f269a790e02a336f2ab0610cd
DynamicSig[23].Name=Zusätzliche Absturzsignatur 2
DynamicSig[23].Value=0e01
DynamicSig[24].Name=Zusätzliche Absturzsignatur 3
DynamicSig[24].Value=0e01d9273132497b58cc3792f8af657a
DynamicSig[25].Name=Zusätzliche Absturzsignatur 4
DynamicSig[25].Value=4eb3
DynamicSig[26].Name=Zusätzliche Absturzsignatur 5
DynamicSig[26].Value=4eb3372730c134255f47918244aa9d46
DynamicSig[27].Name=Zusätzliche Absturzsignatur 6
DynamicSig[27].Value=a3b5
DynamicSig[28].Name=Zusätzliche Absturzsignatur 7
DynamicSig[28].Value=a3b5abeb685bc26ab46653aa60185a6e
...
3rd time:
EventType=APPCRASH
EventTime=132277153626144152
ReportType=2
Consent=1
ReportIdentifier=0f6ea181-5d52-11ea-813c-0025904667c6
IntegratorReportIdentifier=0f6ea180-5d52-11ea-813c-0025904667c6
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=mmc.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=6.3.9600.18910
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=5a57a503
Sig[3].Name=Fehlermodulname
Sig[3].Value=KERNELBASE.dll
Sig[4].Name=Fehlermodulversion
Sig[4].Value=6.3.9600.19425
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=5d26b6e9
Sig[6].Name=Ausnahmecode
Sig[6].Value=00000000
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=000000000000908c

Screenshots:
https://ibb.co/CbThqJs
https://ibb.co/qNcPLhm

Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains:    www.vulnerability-lab.com           www.vuln-lab.com                             www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com      paste.vulnerability-db.com                   infosec.vulnerability-db.com
Social:     twitter.com/vuln_lab                facebook.com/VulnerabilityLab                youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   vulnerability-lab.com/rss/rss_upcoming.php   vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    vulnerability-lab.com/register.php           vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify,
use or edit our material, contact (admin@ or research@) to ask for permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution Security GmbH]™