This month Microsoft announced two vulnerabilities in portmap, the ONC RPC port mapper, on Windows systems. This blog discusses the Zeek detection packages that Corelight Labs developed for CVE-2022-24491 and CVE-2022-24497.
Background: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24491
Microsoft provided Corelight Labs with a partial proof-of-concept exploit for CVE-2022-24491. It was incomplete and did not fully work, but we were able to modify it so that it sent most of the exploit’s payload across the network to our victim machine, and we captured a PCAP of that failed attempt.
Examining the PCAP in Wireshark shows portmap traffic executing a series of “set” and “dump” calls.
We verified this logic through the proof of concept exploit’s source code as well.
A “set” normally occurs when a program registers itself with portmap. In this exploit, however, the “set” call carried specially crafted byte sequences to the victim machine. The exploit then calls “dump”, which returns everything portmap has registered; with a complete proof of concept, that output would include the crafted strings that were just set, and it is this dump, operating on those strings, that triggers CVE-2022-24491.
To detect exploit attempts, we need to watch the network for portmap “set” calls followed by a “dump”. There are two ways to go about this. The first is to use a protocol analyzer for ONC RPC and portmap. Corelight Labs has developed an ONC RPC protocol analyzer that is still being tested; with it, the sets and dumps from this PCAP appear in portmap.log.
Since that RPC analyzer is not yet finalized, we used a second technique built on logic available in Zeek today: signatures that detect portmap sets and dumps and call either the “match_set” or “match_dump” function in our Zeek script. If Zeek observes a dump after a set, it generates a Notice of type “POTENTIAL_CVE_2022_24491”. This does NOT mean an exploit was successful; it only tells you that the activity matches the precondition required to exploit CVE-2022-24491. Here is an example notice created by the PCAP we generated:
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2022-04-13-20-55-55
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1649715078.678609 C4J4Th3PJpwUYZZ6gc 192.168.88.146 63839 192.168.88.157 111 - - - udp CVE202224491::POTENTIAL_CVE_2022_24491 Possible CVE-2022-24491 exploit attempt. An RPC portmap set with a RPC portmap dump was observed. - 192.168.88.146 192.168.88.157 111 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close 2022-04-13-20-55-55
This detector can be installed from: https://github.com/corelight/CVE-2022-24491
Background: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24497
Microsoft also provided Corelight Labs with a proof-of-concept exploit for CVE-2022-24497, and we were able to capture a PCAP of it exploiting a Windows Server 2019 machine. Examining the PCAP in Wireshark shows portmap traffic executing a series of “getport” and “dump” calls within a single TCP connection.
A “getport” occurs when a client asks portmap for the port of an RPC program. The exploit then calls “dump” to retrieve everything portmap has registered, and this is the call that triggers the vulnerability. During the attempt the exploit’s RPC messages carried malformed GSS verifiers, and exercising the victim machine in this way immediately crashes it with a Blue Screen of Death (BSoD).
To detect exploit attempts, we need to watch the network for portmap “getport” calls followed by a “dump”. We created signatures that detect portmap getport and dump calls and execute the function “match_portmap” in our Zeek script. If Zeek observes this sequence, it generates a Notice of type “POTENTIAL_CVE_2022_24497”. This does NOT mean the exploit was successful; it only tells you that the activity matches the conditions required to exploit CVE-2022-24497. Here is an example notice created by the PCAP we generated:
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2022-04-13-21-45-25
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1649885952.829925 CHhAvVGS1DHFjwGM9 192.168.88.146 685 192.168.88.157 111 - - - tcp CVE202224497::POTENTIAL_CVE_2022_24497 Possible CVE-2022-24497 exploit attempt. An RPC portmap getport and portmap dump were observed. - 192.168.88.146 192.168.88.157 111 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close 2022-04-13-21-45-25
This detector can be installed from: https://github.com/corelight/CVE-2022-24497
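Both detectors described above reduce to the same pattern: pull a portmap CALL out of the ONC RPC message, remember which procedures a client has already issued, and raise a notice when a dump arrives after a set (CVE-2022-24491) or after a getport (CVE-2022-24497). The Python below is an added example written for this page to show that pattern end to end; it is not code from either Corelight package and does not reproduce the Zeek signatures or the “match_set”, “match_dump” and “match_portmap” functions. It goes slightly beyond the two packages by handling both UDP and TCP record-marked framing in one parser and both sequences in one detector. It assumes state is keyed on the connection 5-tuple, that credentials are AUTH_NONE, and that TCP payloads arrive with their record mark intact. The messages it replays, the junk RPCSEC_GSS verifier standing in for the PoC’s malformed one, and the 10.0.0.x addresses are constructed for the demo; the 192.168.88.x endpoints mirror the notices above.

```python
import struct

# ONC RPC (RFC 5531) and portmap/rpcbind (RFC 1833) constants; procedure numbers are the same in v2/v3/v4.
RPC_CALL, RPC_VERSION, PMAP_PROG = 0, 2, 100000
PMAPPROC_SET, PMAPPROC_UNSET, PMAPPROC_GETPORT, PMAPPROC_DUMP = 1, 2, 3, 4
AUTH_NONE, RPCSEC_GSS = 0, 6


def _opaque_auth(buf, off):
    """Parse one XDR opaque_auth {flavor, body<400>}; return (flavor, body_len, next_off)."""
    flavor, length = struct.unpack_from(">II", buf, off)
    if length > 400:
        raise ValueError("opaque_auth body exceeds the 400-byte XDR limit")
    off += 8 + length + (-length % 4)            # body is padded to a 4-byte boundary
    if off > len(buf):
        raise ValueError("truncated opaque_auth")
    return flavor, length, off


def parse_portmap_call(payload, transport):
    """Return a dict describing a portmap CALL message, or None if the payload is not one."""
    try:
        off = 0
        if transport == "tcp":               # TCP record mark: top bit = last fragment, low 31 bits = length
            (mark,) = struct.unpack_from(">I", payload, 0)
            if len(payload) < 4 + (mark & 0x7FFFFFFF):
                return None                  # incomplete fragment: wait for more stream data
            off = 4
        xid, msg_type, rpcvers, prog, vers, proc = struct.unpack_from(">6I", payload, off)
        if msg_type != RPC_CALL or rpcvers != RPC_VERSION or prog != PMAP_PROG:
            return None
        cred_flavor, _, off = _opaque_auth(payload, off + 24)
        verf_flavor, verf_len, off = _opaque_auth(payload, off)
    except (struct.error, ValueError):
        return None
    return {"xid": xid, "vers": vers, "proc": proc, "cred_flavor": cred_flavor,
            "verf_flavor": verf_flavor, "verf_len": verf_len, "args": payload[off:]}


class PortmapSequenceDetector:
    """Per-connection state machine: a dump preceded by set or getport raises a notice."""

    RULES = (  # (procedure that must precede the dump, notice type, message)
        (PMAPPROC_SET, "POTENTIAL_CVE_2022_24491",
         "Possible CVE-2022-24491 exploit attempt. An RPC portmap set with a RPC portmap dump was observed."),
        (PMAPPROC_GETPORT, "POTENTIAL_CVE_2022_24497",
         "Possible CVE-2022-24497 exploit attempt. An RPC portmap getport and portmap dump were observed."),
    )

    def __init__(self):
        self.seen = {}        # conn 5-tuple -> set of portmap procedures observed so far
        self.raised = set()   # (conn, note) already reported, like the notice's suppress_for

    def observe(self, conn, payload):
        """Feed one client->server payload; conn = (orig_h, orig_p, resp_h, resp_p, proto)."""
        call = parse_portmap_call(payload, conn[4])
        if call is None:
            return []
        procs = self.seen.setdefault(conn, set())
        notices = []
        if call["proc"] == PMAPPROC_DUMP:
            for earlier, note, msg in self.RULES:
                if earlier in procs and (conn, note) not in self.raised:
                    self.raised.add((conn, note))
                    notices.append({"note": note, "msg": msg, "src": conn[0], "dst": conn[2],
                                    "p": conn[3], "verf_flavor": call["verf_flavor"]})
        procs.add(call["proc"])
        return notices


def build_call(xid, vers, proc, transport, args=b"", verf=(AUTH_NONE, b"")):
    """Constructed helper (not from the PoCs): encode a portmap CALL with AUTH_NONE credentials."""
    verf_flavor, verf_body = verf
    msg = struct.pack(">6I", xid, RPC_CALL, RPC_VERSION, PMAP_PROG, vers, proc)
    msg += struct.pack(">II", AUTH_NONE, 0)                                 # credentials
    msg += struct.pack(">II", verf_flavor, len(verf_body)) + verf_body + b"\0" * (-len(verf_body) % 4)
    msg += args
    if transport == "tcp":
        msg = struct.pack(">I", 0x80000000 | len(msg)) + msg               # last-fragment record mark
    return msg


def demo():
    """Replay constructed traffic: the two CVE sequences plus a benign dump-only flow."""
    det = PortmapSequenceDetector()
    udp = ("192.168.88.146", 63839, "192.168.88.157", 111, "udp")   # same endpoints as the notices
    tcp = ("192.168.88.146", 685, "192.168.88.157", 111, "tcp")
    benign = ("192.168.88.200", 40000, "192.168.88.157", 111, "udp")
    mapping = struct.pack(">4I", 100003, 3, 6, 2049)                  # v2 args: prog, vers, prot, port
    out = []
    out += det.observe(udp, build_call(1, 2, PMAPPROC_SET, "udp", mapping))
    out += det.observe(udp, build_call(2, 2, PMAPPROC_DUMP, "udp"))
    out += det.observe(tcp, build_call(3, 2, PMAPPROC_GETPORT, "tcp", mapping))
    # dump carrying a junk RPCSEC_GSS verifier, standing in for the PoC's malformed GSS verifier
    out += det.observe(tcp, build_call(4, 2, PMAPPROC_DUMP, "tcp", verf=(RPCSEC_GSS, b"\xff" * 5)))
    out += det.observe(benign, build_call(5, 2, PMAPPROC_DUMP, "udp"))   # rpcinfo -p style: no notice
    return out
```

demo() returns exactly two notices, one per sequence, and nothing for the dump-only flow; order matters, so a dump that precedes the set on a connection is not reported, and a second dump on an already-reported connection is suppressed the way the Zeek notices’ suppress_for does. As with the Zeek packages, a hit is only a precondition match: getport is how every NFS client locates a service and dump is what rpcinfo -p issues, so a benign client that does both on one connection will trigger it. The verifier flavor is carried in the notice so the analyst can pivot straight to the RPC authentication data of the triggering dump before calling it an exploit.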