CVE-2019-1322
Published: 2019-10-10
Priority: P1 · 85 high · CVSS 3.1 7.8
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability (remediation due 2022-04-05)
Exploited in the wild
EPSS: 19.20% (97.0th percentile)
An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka 'Microsoft Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1320, CVE-2019-1340.
Affected
36 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10_version_1903_for_32-bit_systems | — | — |
| microsoft | windows_10_version_1903_for_arm64-based_systems | — | — |
| microsoft | windows_10_version_1903_for_x64-based_systems | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server_2016 | — | — |
| msrc | windows_10_version_1803_for_32-bit_systems | — | — |
Detection & IOCs (extracted from sources)
- Detect the exploit execution chain: a process running as NT AUTHORITY\LOCAL SERVICE spawning a child process that subsequently runs as NT AUTHORITY\SYSTEM via the Update Orchestrator Service (CVE-2019-1322 stage).
- Detect the exploit execution chain: the UPnP Device Host Service (svchost hosting upnphost) spawning unexpected child processes or loading attacker-controlled COM objects (CVE-2019-1405 stage leading into CVE-2019-1322).
- Alert on execution of binaries named COMahawk.exe or CVE-2019-1322-EXE.exe dropped into the %TEMP% directory, as the Metasploit module and the standalone PoC both stage payloads there.
- Flag Windows 10 builds 17134–18362 (1803–1903) as the confirmed vulnerable range; prioritize detection and patching on these builds.
- Monitor for cmd.exe launched with a command line matching the pattern cmd.exe /c <exploit_binary>.exe <payload_binary>.exe, particularly when the parent process runs under a low-privilege service account.
- The exploit is 64-bit only; restrict detection scope to x64 Windows 10 systems in the affected build range.
- The Metasploit module requires an existing Meterpreter session (SessionTypes: meterpreter) and targets only Windows x64; it fails against x86 systems.
- The exploit requires the target directory (default %TEMP%) to be writable; if it does not exist or is not writable, the module aborts.
- Commands executed via the exploit run without a window because execution originates from a service context; interactive/GUI payloads will not render.
- The standalone PoC (COMahawk.exe) leaves the payload binary on disk and requires manual cleanup; the Metasploit module also warns that the payload is not removed automatically.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.0 | HIGH | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
CISA
cisa · 2022-03-15 · CVSS 7.8
CVE-2019-1322 [HIGH] Microsoft Windows Privilege Escalation Vulnerability
A privilege escalation vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-1322
Remediation Due Date: 2022-04-05
Microsoft
vendor_msrc · 2019-10-08 · CVSS 7.0
CVE-2019-1322 [HIGH] Microsoft Windows Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context.
An attacker could exploit this vulnerability by running a specially crafted application on the victim system.
The update addresses the vulnerability by correcting the way Windows handles authentication requests.
Product: Microsoft Windows
Vendor: Microsoft
Customer Action Required: Yes
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely; Older Software Release: Exploitation Less Likely; DOS: N/A
Reference: https://catalog.updat
Red Hat
vendor_redhat · 2019-05-21 · CVSS 4.3
CVE-2019-10320 [MEDIUM] CWE-522 jenkins-credentials-plugin: Certificate file read vulnerability in Credentials Plugin (SECURITY-1322)
Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate.
Package: jenkins-plugin-credentials (Red Hat OpenShift Container Platform 3.10) - Will not fix
Package: jenkins-plugin-credentials (Red Hat OpenShift Container Platform 3.6) - Will not fix
Package: jenkins-plugin-credentials (Red Hat OpenShift Container Platform 3.7) - Will not fix
Package: jenkins-plugin-credentials (Red Hat OpenShift Container Platform 3.9) - Will not fix
GHSA
ghsa_unreviewed · 2022-05-24 · CVSS 7.8
CVE-2019-1340 [HIGH] GHSA-r6r9-m794-3hcj: An elevation of privilege vulnerability exists in Windows AppX Deployment Server that allows file creation in arbitrary locations
An elevation of privilege vulnerability exists in Windows AppX Deployment Server that allows file creation in arbitrary locations. To exploit the vulnerability, an attacker would first have to log on to the system, aka 'Microsoft Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1320, CVE-2019-1322.
GHSA
ghsa_unreviewed · 2022-05-24 · CVSS 7.8
CVE-2019-1322 [HIGH] GHSA-44h5-7p9r-q2m9: An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka 'Microsoft Windows Elevation of Privilege Vulnerability'
An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka 'Microsoft Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1320, CVE-2019-1340.
GHSA
ghsa_unreviewed · 2022-05-24 · CVSS 7.8
CVE-2019-1320 [HIGH] GHSA-8m7x-67r8-gpmw: An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka 'Microsoft Windows Elevation of Privilege Vulnerability'
An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka 'Microsoft Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1322, CVE-2019-1340.
VulnCheck
vulncheck · 2019 · CVSS 7.8
CVE-2019-1322 [HIGH] Microsoft Windows Privilege Escalation Vulnerability
A privilege escalation vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.group-ib.com/media/silence_ta505_attacks_in_europe/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.tenable.com/blog/contileaks-chats-reveal-over-30-vulnerabilities-used-by-conti-ransomware-affiliates
- https://www.securin.io/articles/all-about-conti-ransomware/
- https://asec.ahnlab.com/en/38156/
- https://go.group-ib.com/hubfs/rep
No detection rules found.
Exploit-DB
exploitdb · 2019-12-30 · CVSS 7.8
CVE-2019-1405 [HIGH] Microsoft UPnP - Local Privilege Elevation (Metasploit)
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/windows/priv'
require 'msf/core/post/windows/registry'
require 'msf/core/exploit/exe'

# Local exploit module; the class header and initialize wrapper follow the
# standard Metasploit module layout (the excerpt is cut off in the source).
class MetasploitModule < Msf::Exploit::Local
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Microsoft UPnP Local Privilege Elevation Vulnerability',
      'Description' => %q(
        This exploit uses two vulnerabilities to execute a command as an elevated user.
        The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to
        NT AUTHORITY\LOCAL SERVICE
        The second (CVE-2019-1322) leverages the Update Orchestrator Service to
        elevate from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM.
      ),
      'Licens
```
Exploit-DB
exploitdb · 2019-11-14 · CVSS 7.8
CVE-2019-1405 [HIGH] Microsoft Windows 10 Build 1803 < 1903 - 'COMahawk' Local Privilege Escalation
---
## EDB Note
Download:
- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47684-1.exe
- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47684-2.zip
# COMahawk
**Privilege Escalation: Weaponizing CVE-2019-1405 and CVE-2019-1322**
## Video Demo
https://vimeo.com/373051209
## Usage
### Compile or Download from Release (https://github.com/apt69/COMahawk/releases)
1. Run COMahawk.exe
2. ???
3. Hopefully profit
or
1. COMahawk.exe "custom command to run" (i.e. COMahawk.exe "net user /add test123 lol123 &")
2. ???
3. Hopefully profit
## Concerns
**MSDN mentioned that only 1803 to 1903 is vulnerable to CVE-2019-1322. If it doesn't work, maybe i
Metasploit
metasploit · CVSS 7.8
CVE-2019-1405 [HIGH] Microsoft UPnP Local Privilege Elevation Vulnerability
This exploit uses two vulnerabilities to execute a command as an elevated user. The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to NT AUTHORITY\LOCAL SERVICE. The second (CVE-2019-1322) leverages the Update Orchestrator Service to elevate from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM.
Tenable
ContiLeaks: Chats Reveal Over 30 Vulnerabilities Used by Conti Ransomware – How Tenable Can Help
blogs_tenable · 2022-03-24
Talos
Microsoft Patch Tuesday — Oct. 2019: Vulnerability disclosures and Snort coverage
blogs_talos · 2019-10-08 · CVSS 6.4
[MEDIUM] Microsoft Patch Tuesday — Oct. 2019: Vulnerability disclosures and Snort coverage
By Jon Munshaw.
Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday discloses 60 vulnerabilities, nine of which are considered "critical," with the rest being deemed "important."
This month’s security update covers security issues in a variety of Microsoft services and software, the Chakra Scripting Engine, the Windows operating system and the SharePoint software.
Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post here.
### Critical vulnerabilities
Microsoft disclosed nine critical vulnerabilities this month, eight of which we will highlight below.
CVE-2019-1333 is a client-side remote execution vulne
Bugzilla
bugzilla · 2019-05-27 · CVSS 4.3
CVE-2019-10320 [MEDIUM] jenkins-credentials-plugin: Certificate file read vulnerability in Credentials Plugin (SECURITY-1322)
The Jenkins Credentials Plugin allowed the creation of Certificate credentials from a PKCS#12 file on the Jenkins master. Users with permission to create or update credentials could use the associated form validation to confirm the existence of files with an attacker-specified path.
Additionally, they could create credentials from any valid PKCS#12 file on the Jenkins master. With the ability to configure jobs to access these credentials, they could obtain the certificate content.
External References:
https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322
Discussion:
"Any security advisory related updates to Jenkins core or the plugins we include in the OpenSh
References
- http://packetstormsecurity.com/files/155723/Microsoft-UPnP-Local-Privilege-Elevation.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1322
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-1322
Timeline
- 2019-10-10: Published
- 2022-03-15: Added to CISA KEV
- Exploited in the wild