Vulnerability Disclosure - Kiosk Bypass @ SureLock MDM

Kartik Lalan
Published in NestedIf
Jun 2, 2024

Status: Possibly Fixed (as of Dec 2023)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 7.8 (High Severity)

CVE-2023-2331, CVE-2023-2335

42Gears' Security Advisory: Link1 & Link2

Impacted Component: SureLock MDM v2.40.0 (Windows Desktop App)

Assumption: The enterprise wants to block execution of unwanted applications/scripts on the system and has implemented the SureLock kiosk solution to allow only its desired application and nothing else.

Configuration: Windows agent-based kiosk mode, configured to allow launching of a predefined app only.

Vulnerability Description: SureLock is configured to allow only the whitelisted applications/executables/binaries. However, it is possible to launch unwanted applications simply by renaming them to the whitelisted application names, or by exploiting an unquoted service path vulnerability.

Impact: Complete, unrestricted access to the system, allowing execution of any application/script that was initially blocked by design.

Exploitability Rationale: An attacker who is able to access the kiosk application would be able to exploit this without any additional privilege (due to the lack of the least privilege principle, the attacker can plant malicious binaries or rename privileged files easily). If the Remote Registry service is running, it might also allow the saved plaintext credentials in the registry to be viewed remotely.

(Verified on Windows 10 Enterprise; applicable to all Windows versions)

Steps to Reproduce:

Issue 1: Bypassing hardening via the unquoted service path vulnerability.

  1. Invoke the Windows file explorer/file picker dialog via features like file upload/open etc. from any whitelisted application, e.g. via Ctrl+O from the browser.
  2. Plant your malicious file (or powershell_ise/cmd.exe) as c:\program.exe
  3. Restart the machine. On the attempt to start NixService.exe, our malicious exe executes instead, because of the unquoted service path vulnerability.

Screenshot: Impacted service

Issue 2: Plaintext password in registry

  1. Click Start, and then click Run. (Assuming the above technique is used in conjunction.)
  2. In the Open box, type Regedit.exe, and then press Enter.
  3. Locate the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon subkey in the registry.
  4. Check the DefaultUserName & DefaultPassword entries.

Screenshot: Plaintext Windows autologon credentials in registry

Issue 3: Improper whitelisting implementation

  1. Identify the applications which are configured to be allowed by the kiosk solution and note their respective binary executable file names.
  2. Rename a malicious executable to the same filename, keep it anywhere in any drive/folder, and try launching it normally. Because only the name is compared, our renamed malicious payload file would be executed.

Take Away:

We should always be ready for various tricks against client-side security controls (there is no silver bullet to solve such issues).

As Microsoft suggests, it is not recommended to have automatic-logon credentials stored in plaintext: https://learn.microsoft.com/en-us/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon.

Adopt a signature + hash + file path based whitelisting approach instead of just the filename.
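To illustrate the difference between the filename-only comparison exploited in Issue 3 and the path + hash approach recommended above, here is an added example (not SureLock's code, nor from 42Gears): an allowlist entry records the approved binary's full path and SHA-256, and a renamed impostor elsewhere or a tampered file dropped over the approved path is rejected. The `demo()` scenario, the `kiosk.exe` name and the file contents are constructed for the example; Authenticode signature checking, the third recommended factor, is Windows-specific and not shown.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

@dataclass(frozen=True)
class AllowedBinary:
    path: str     # canonical absolute path the approved binary must live at
    sha256: str   # SHA-256 of the approved build, recorded at enrolment time

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def filename_only_allowed(candidate: str, allowlist: list) -> bool:
    # The weak check described in Issue 3: only the file name is compared.
    names = {os.path.basename(e.path).lower() for e in allowlist}
    return os.path.basename(candidate).lower() in names

def path_and_hash_allowed(candidate: str, allowlist: list) -> tuple:
    # Stronger check: resolve links, compare the full path, then the content hash.
    real = os.path.normcase(os.path.realpath(candidate))
    for e in allowlist:
        if real == os.path.normcase(os.path.realpath(e.path)):
            if sha256_of(real) == e.sha256:
                return True, "path and hash match"
            return False, "binary at allowed path was replaced"
    return False, "path not in allowlist"

def demo() -> dict:
    # Constructed scenario in a temp dir: an approved app, a renamed impostor
    # in another folder, and finally a tampered file written over the approved path.
    root = tempfile.mkdtemp()
    approved = os.path.join(root, "app", "kiosk.exe")
    impostor = os.path.join(root, "downloads", "kiosk.exe")
    for p, data in ((approved, b"approved build"), (impostor, b"malicious payload")):
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    allowlist = [AllowedBinary(approved, sha256_of(approved))]
    results = {
        "approved_name_only": filename_only_allowed(approved, allowlist),
        "impostor_name_only": filename_only_allowed(impostor, allowlist),
        "approved_strict": path_and_hash_allowed(approved, allowlist)[0],
        "impostor_strict": path_and_hash_allowed(impostor, allowlist)[0],
    }
    with open(approved, "wb") as f:  # the approved binary gets overwritten
        f.write(b"malicious payload")
    results["tampered_strict"] = path_and_hash_allowed(approved, allowlist)[0]
    return results
```

The filename-only check accepts both files, while the path + hash check accepts only the untouched approved binary at its recorded location.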

These vulnerabilities underwent coordinated vulnerability disclosure (CVD) in coordination with Powerboy, our peer team, and the 42Gears team.
