CVE-2022-32230: SMBv3 has a null pointer dereference in Windows versions prior to the April 2022 patch set.


For most systems, this attack requires authentication. This presents a problem for researchers: you can’t get authenticated access to a system with a BSOD. However, if you have a named pipe open on a system with a BSOD, the system will reboot. As an attacker, the best you can hope for is to be proxying a vulnerable server when that server has a BSOD. Unfortunately, it’s not a simple matter of opening a named pipe on every vulnerable server. The server must be on a trusted network range, and it must be accessible from the untrusted network where the researcher is located. If this sounds like your situation, you’re probably thinking about how to conduct research on Windows Domain Controllers. As a researcher, you don’t need to worry about the Domain Controller being down or having a BSOD. Instead, you’re interested in how to leverage this vulnerability to conduct research on Windows Domain Controllers. The easiest way to access Windows Domain Controllers is to open a named pipe on an internal network. You can also do this from an untrusted network if you have a virtual private network (VPN) or a trusted public network (e.g., the Internet).

Step 1: Set Up a Trusted Network

If you have a private network, you can set up a trusted network range. For this exercise, we’ll use 192.168.0.0/24 as the IP range for our trusted network and 192.168.1.0/24 as the IP range for our untrusted network, which is where the researcher will be located.

How to Perform Research on Windows Domain Controllers

You can open a named pipe on an internal network, or you can open one from a VPN or trusted public network. In order to access the Windows Domain Controllers on that network, you will need to create a global name object (GNO) and specify the target system as the source of the GNO. When creating the GNO, you should specify the IP address of your local computer as the target system.
Now that you have a GNO, you will be able to use it like any other named pipe in your program:
    #include <windows.h>
    #include <stdio.h>

    int main(void)
    {
        // CreateNamedPipe takes eight arguments; a one-argument call does not compile.
        // The "." in the pipe name means this computer: CreateNamedPipe only creates
        // local pipe instances. A remote server name (\\server\pipe\name) is used by
        // the client side with CreateFile, not here.
        HANDLE hNamedPipe = CreateNamedPipeA(
            "\\\\.\\pipe\\mynamedpipe",
            PIPE_ACCESS_DUPLEX,
            PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT,
            1,          // maximum number of instances
            4096, 4096, // output and input buffer sizes
            0,          // default client timeout
            NULL);      // default security attributes
        if (hNamedPipe == INVALID_HANDLE_VALUE) {
            printf("CreateNamedPipe failed: %lu\n", GetLastError());
            return 1;
        }
        // There is no Win32 function named GetNamedPipeHandle; the HANDLE returned
        // above is used directly with ConnectNamedPipe, ReadFile and WriteFile.
        CloseHandle(hNamedPipe);
        return 0;
    }
Finally, when performing research on Windows Domain Controllers, remember that your goal is to share what you find with IT security professionals so they can take action before malicious actors exploit these vulnerabilities. Keep in mind that while this vulnerability may not be exploitable by itself, it could be combined with other attack vectors to give more advanced attackers easier access.

How to Perform Reconnaissance on a Windows Domain Controller

The easiest way to access Windows Domain Controllers is to open a named pipe on an internal network. You can also do this from an untrusted network if you have a virtual private network (VPN) or a trusted public network (e.g., the Internet). A named pipe is used to communicate between processes running on the same computer. To start, type net use \\
