More On ConnectWise ScreenConnect Vulnerability
Table of Contents
ConnectWise ScreenConnect Vulnerability Update
The vulnerability in ConnectWise ScreenConnect is now being actively exploited in the wild, with various proof-of-concept (PoC) exploits shared on GitHub. These exploits demonstrate how attackers can leverage the identified security flaws to gain unauthorized access to vulnerable systems, particularly through authentication bypass and path traversal vulnerabilities.
ConnectWise released a security update that addressed two critical security vulnerabilities in its ScreenConnect remote desktop and access software. These vulnerabilities pose significant risks, including the ability to execute remote code execution and unauthorized data access.
Authentication Bypass (CVE-2024-1709)
This vulnerability enables attackers to bypass authentication mechanisms, potentially allowing them to gain unauthorized access to confidential data or execute arbitrary code on vulnerable servers. Its critical severity stems from the potential for exploitation and its impact on affected systems.
Path Traversal (CVE-2024-1708)
The Path Traversal vulnerability involves improper limitation of a pathname to a restricted directory, known as "path traversal." Attackers with elevated privileges can exploit this flaw to access files and directories beyond the intended directory structure, risking unauthorized disclosure of sensitive information or further system compromise.
Check out our previous blog post on the ConnectWise ScreenConnect Vulnerability Report for more information on this type of attack.
Attack-In-Depth
Accessing the Setup Wizard
Upon successful exploitation, the attacker gains access to the Setup Wizard functionality within ConnectWise ScreenConnect. This allows them to input new credentials, potentially granting them unauthorized access to the system.
Exploiting Extension ZipSlip Vulnerability
Due to a ZipSlip vulnerability in how ScreenConnect opens zip files containing extensions, an attacker can hide C# executable code within the zip that will be run by the server itself. Since the ScreenConnect server is normally run with 'NT Authority\SYSTEM', this would give any attacker the highest level of privileges on any system that this exploit can work on.
Accessibility
Proofs of concept for the exploit are already available in the wild. There is even a Metasploit module being developed that only requires the URL to the ScreenConnect server to run. With Metasploit being one of the easiest ways for new hackers to break into systems, this means that a large scope of people can potentially exploit this system.
Impact and Risks
This exploit comes with critical impact and risk. At best, the low-complexity attack can provide an attacker with an admin user on ScreenConnect. At worst, it can give them complete control over the server.
POC
The ThreatLocker Ops team has replicated this attack.
Disclaimer: This module is not yet officially posted to Metasploit it is still pending deployment on github.
Demonstration Timestamps:
0:00:05 – Lunching Metasploit (msfconsole)
0:00:20 – Selecting Module
0:00:22 – Enumerating Options to set up exploit
0:00:35 – Finished Configurating payload options
0:00:37 – Running a Vulnerability Check
0:00:56 - Executing Payload
0:01:08 – Running “whoami” command to show proof-of-concept
00:01:23 - ThreatLocker Ops Alert Triggered
How ThreatLocker Keeps You Safe
ThreatLocker Ops
We have leveraged the power of Threatlocker Ops to automatically alert our customers if there are any signs of compromise in their environments. If you are using ThreatLocker Ops, you can add the Policy titled “TL.AAL.005 - ScreenConnect Authentication Bypass“ from the Community Page.
Allowlisting
Allowlisting ensures that only approved binaries can run on the system, enforcing a zero trust approach. This measure automatically prevents unauthorized execution of malicious code, enhancing environment security.
