CVE-2024-9950

Info

  • Vulnerability: Creation of Temporary Script in Directory with Insecure Permissions
  • Severity: Medium to High
  • Vector: Local Windows OS machine
  • Attack Complexity: Low
  • Privileges Required: Low
  • Categories: Local Privilege Escalation

Application

Affected Component: Windows agent - SecureConnector from Forescout eyeSight and eyeControl

Affected Version: Forescout SecureConnector <= 11.3.07

Description:

  1. A local privilege escalation (LPE) vulnerability exists in SecureConnector, the Windows agent of Forescout eyeSight and eyeControl. It allows an authenticated local Windows user to rename the programs or scripts that the SecureConnector service executes with SYSTEM privileges.
  2. Using the fstmpsc_$($env:USERNAME) folder inside the normal user's AppData\Local\Temp folder, the user can rename the .bat, .vbs or .exe file the service drops there and replace it with a script under their control, escalating from a normal user account to nt authority\system.
  3. Sometimes the compliance check triggers on its own and creates those programs and scripts; it can also often be triggered by right-clicking the agent icon in the taskbar deskband.
  4. The normal user has Full Control of the "$($env:UserProfile)\AppData\Local\Temp\fstmpsc_$($env:USERNAME)" folder.
  5. The normal user has only Read & Execute on the files that the SecureConnector service creates inside the fstmpsc folder.
  6. Because of Full Control on the folder, the user can nevertheless rename those files and replace them by copying in a new file, such as a user-controlled script.

In Windows, a low-privilege user can exploit this vulnerability to elevate to nt authority\system, perform any action and take control of the whole victim machine.

PoC

Step 0: Copy CVE-2024-9950-PoC.ps1 to any folder.

Step 1: Copy chain_1.bat to the $($env:UserProfile)\AppData\Local\Temp\fstmpsc_$($env:USERNAME) folder.

Step 2: Copy chain_1.ps1 to C:\Users\Public\.

Step 3: Run CVE-2024-9950-PoC.ps1 to monitor the fstmpsc folder under the normal user's AppData folder.

Step 4: The script watches for every file creation inside this folder.

Step 5: If the SecureConnector service (running as nt authority\system) creates a .bat, .vbs or .exe file, rename that file to another name as a backup (the demo uses .bat).

Step 6: At the same time, copy our file in under the file name the SecureConnector service created.

Step 7: If successful, the file is executed by nt authority\system, and whoami.exe outputs nt authority\system.

Root Cause

Temporary scripts are created in the directory fstmpsc_$($env:USERNAME), which has insecure permissions: the low-privilege user has Full Control of the directory, so files placed there by the SYSTEM service can be renamed and replaced even though the files themselves are only Read & Execute for that user.
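A defender-side check for the condition described above, as an added example that is not part of the advisory, its PoC or Forescout's software: it reads the ACL of the fstmpsc_<username> folder and of the files inside it and reports any principal outside an assumed trusted set (SYSTEM and Administrators) that holds rename, delete or write rights. The folder path follows the advisory; the trusted-principal list and the rights mask are my assumptions.

```powershell
# Added audit script (not part of the advisory's PoC or of Forescout's software).
# Reports write-capable ACEs on the SecureConnector temp folder named in the
# advisory and on the files inside it. $trusted is an assumption.
$folder = Join-Path $env:LOCALAPPDATA "Temp\fstmpsc_$($env:USERNAME)"
if (-not (Test-Path -LiteralPath $folder)) {
    Write-Output "Folder not present: $folder (agent has not created it yet)"
    return
}

$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# Any of these rights on a directory lets a principal rename or replace its entries.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = $fsr::Write -bor $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles -bor
             $fsr::ChangePermissions -bor $fsr::TakeOwnership

function Get-WeakAce {
    param([string]$Path, [string[]]$Trusted, [int]$Mask)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        # Caveat: generic (unmapped) rights are not decoded by this mask.
        if (([int]$ace.FileSystemRights -band $Mask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Check the directory itself (where the rename happens) and every file in it.
$paths = @($folder) + @(Get-ChildItem -LiteralPath $folder -File -Force | ForEach-Object FullName)
$findings = foreach ($p in $paths) { Get-WeakAce -Path $p -Trusted $trusted -Mask $writeMask }

if ($findings) {
    Write-Output "VULNERABLE CONDITION: write-capable ACEs held by non-admin principals"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "OK: only $($trusted -join ', ') can modify $folder and its files"
}
```

On an affected version the expected finding is the current user's own Full Control on the directory, inherited from the profile's Temp folder, which is exactly the condition the advisory relies on.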

Remediation

  1. Upgrade to Forescout SecureConnector > 11.3.07

PoC Scripts

https://github.com/0Nightsedge0/CVE-2024-9950-PoC

More Abuse

From my friend @Hagrid29: ForeScout-SecureConnector-EoP

Epilogue

I was LATE to REPORT it by only 1 Month!!!!!!
Missed it by just a little… =(