CVE-2019-1405
Published 2019-11-12
Priority: P1 (85) · high · CVSS 3.1: 7.8
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-04-05
Exploited in the wild
EPSS: 29.95% (98.0th percentile)
An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly allows COM object creation, aka 'Windows UPnP Service Elevation of Privilege Vulnerability'.
Affected
56 ranges listed, 25 shown on the page; none of the shown rows carries version bounds. Distinct entries:
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows | — | — |
| microsoft | windows_10_version_1903_for_32-bit_systems | — | — |
| microsoft | windows_10_version_1903_for_arm64-based_systems | — | — |
| microsoft | windows_10_version_1903_for_x64-based_systems | — | — |
| microsoft | windows_server | — | — |
Detection & IOCs (extracted from sources)
- Exploit targets Windows 10 builds 17134–18362 (1803–1903) only; validate the OS build number in detections (build must be > 17133 and < 18363).
- Exploit chains CVE-2019-1405 (UPnP Device Host Service → NT AUTHORITY\LOCAL SERVICE) with CVE-2019-1322 (Update Orchestrator Service → NT AUTHORITY\SYSTEM); monitor for unexpected privilege transitions from LOCAL SERVICE to SYSTEM originating from these services.
- Exploit drops two binaries to %TEMP%: the exploit EXE and a payload EXE; monitor for executable creation in %TEMP% followed by execution via cmd.exe with the pattern `cmd.exe /c <exploit>.exe <payload>.exe`.
- Exploit is 64-bit only; detections and hunting should focus on x64 process execution.
- Execution is launched from a service context (GUI-less); spawned processes will have no interactive window. Look for child processes of services executing from %TEMP%.
- Metasploit module requires a Meterpreter session type; it will not work with shell sessions.
- The CVE-2019-1322 component is confirmed only for Windows 10 builds 1803–1903; exploitation outside this range may fail.
- Writable directory for exploit/payload staging defaults to %TEMP% but can be overridden via the WRITABLE_DIR option.
- Exploit binary and payload filenames are randomized by default (6–14 alpha chars + .exe) unless overridden by the EXPLOIT_NAME / PAYLOAD_NAME options, limiting static filename-based detection.
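As an added example (not code from this page, from the Metasploit module or from COMahawk), the following Python turns the IOC notes above into hunting logic run over a handful of constructed process-creation records in the shape of Sysmon Event ID 1 / Security 4688 data. The record field names, the set of service-host images, and the `%TEMP%` path regex are assumptions made for the example; the build range, the `cmd.exe /c <exploit>.exe <payload>.exe` launcher shape, the 6–14 alpha-character filenames and the LOCAL SERVICE → SYSTEM transition come from the notes.

```python
"""
Hunting logic for the public CVE-2019-1405 / CVE-2019-1322 chain (COMahawk, Metasploit module).
Constructed process-creation records stand in for Sysmon Event ID 1 / Security 4688 data;
the field names (host, ts, os_build, arch, user, image, command_line, parent_image) are assumptions.
"""
import re
from collections import defaultdict

# Windows 10 1803 (build 17134) through 1903 (build 18362): the only builds the public exploit targets.
VULNERABLE_BUILDS = range(17134, 18363)

# Default staging directory (%TEMP%) and default randomized names: 6-14 alphabetic chars + .exe.
TEMP_PATH = r"(?:[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp|[A-Za-z]:\\Windows\\Temp)"
RANDOM_EXE = r"[A-Za-z]{6,14}\.exe"

# Launcher pattern from the IOC notes: cmd.exe /c <exploit>.exe <payload>.exe, both staged in %TEMP%.
LAUNCHER_RE = re.compile(
    rf'(?i)cmd(?:\.exe)?"?\s+/c\s+"?(?P<exploit>{TEMP_PATH}\\{RANDOM_EXE})"?'
    rf'\s+"?(?P<payload>{TEMP_PATH}\\{RANDOM_EXE})"?'
)
TEMP_EXE_RE = re.compile(rf"(?i)^{TEMP_PATH}\\[^\\]+\.exe$")

# Images that host Windows services (assumption: sufficient for "child process of a service" here).
SERVICE_HOST_IMAGES = {"svchost.exe", "services.exe"}
LOCAL_SERVICE = r"NT AUTHORITY\LOCAL SERVICE"
SYSTEM = r"NT AUTHORITY\SYSTEM"


def is_exploitable_host(ev):
    """True when the host's build and architecture are what the public exploit needs (1803-1903, x64)."""
    return ev.get("os_build") in VULNERABLE_BUILDS and ev.get("arch") == "x64"


def service_spawned_temp_exe(ev):
    """A service host process started an executable out of %TEMP%: the shape of both chain stages."""
    parent = ev.get("parent_image", "").lower().rsplit("\\", 1)[-1]
    return parent in SERVICE_HOST_IMAGES and TEMP_EXE_RE.match(ev.get("image", "")) is not None


def hunt(events):
    """Return {host: [findings]} for hosts whose event stream shows the launcher or the two stages."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    findings = {}
    for host, evs in by_host.items():
        notes = []
        for ev in evs:
            m = LAUNCHER_RE.search(ev.get("command_line", ""))
            if m:
                notes.append(f"launcher: cmd.exe /c {m['exploit']} {m['payload']}")

        # Stage 1 (CVE-2019-1405): attacker EXE from %TEMP% runs as LOCAL SERVICE under a service host.
        # Stage 2 (CVE-2019-1322): afterwards, attacker EXE from %TEMP% runs as SYSTEM under a service host.
        stage1_ts = None
        for ev in evs:
            if not service_spawned_temp_exe(ev):
                continue
            if ev.get("user") == LOCAL_SERVICE:
                stage1_ts = ev["ts"]
                notes.append(f"stage1: {ev['image']} as LOCAL SERVICE under {ev['parent_image']}")
            elif ev.get("user") == SYSTEM and stage1_ts is not None and ev["ts"] >= stage1_ts:
                notes.append(f"stage2: {ev['image']} as SYSTEM (LOCAL SERVICE -> SYSTEM transition)")

        if notes:
            if any(is_exploitable_host(e) for e in evs):
                notes.append("host build/arch inside the exploit's range: high confidence")
            else:
                notes.append("host outside 1803-1903 x64: lower confidence, still review")
            findings[host] = notes
    return findings


# Constructed sample: ws01 shows the full chain, ws02 is a user running an installer from %TEMP%.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 1, "os_build": 18362, "arch": "x64", "user": r"CORP\bob",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c C:\Users\bob\AppData\Local\Temp\qwErtYuiOp.exe C:\Users\bob\AppData\Local\Temp\asdfGhjk.exe",
     "parent_image": r"C:\Users\bob\AppData\Local\Temp\updater.exe"},
    {"host": "ws01", "ts": 2, "os_build": 18362, "arch": "x64", "user": LOCAL_SERVICE,
     "image": r"C:\Users\bob\AppData\Local\Temp\qwErtYuiOp.exe",
     "command_line": r"C:\Users\bob\AppData\Local\Temp\qwErtYuiOp.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws01", "ts": 3, "os_build": 18362, "arch": "x64", "user": SYSTEM,
     "image": r"C:\Users\bob\AppData\Local\Temp\asdfGhjk.exe",
     "command_line": r"C:\Users\bob\AppData\Local\Temp\asdfGhjk.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"host": "ws02", "ts": 1, "os_build": 19041, "arch": "x64", "user": r"CORP\alice",
     "image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "command_line": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for host, notes in hunt(SAMPLE_EVENTS).items():
        print(host)
        for n in notes:
            print("  -", n)
```

The build and architecture check is deliberately a confidence modifier rather than a hard filter: a host outside 1803–1903 cannot be hit by this particular chain, but a service host launching a `%TEMP%` executable as LOCAL SERVICE and then SYSTEM is worth a look regardless of which bug produced it. Because the Metasploit module randomizes both filenames, the launcher regex keys on the path and the `cmd.exe /c X.exe Y.exe` shape rather than on any fixed name.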
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |
CISA
Microsoft Windows Universal Plug and Play (UPnP) Service Privilege Escalation Vulnerability
cisa · 2022-03-15 · CVSS 7.8 [HIGH]
Affected: Microsoft Windows
A privilege escalation vulnerability exists when the Windows UPnP service improperly allows COM object creation.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-1405
Remediation Due Date: 2022-04-05
Microsoft
Windows UPnP Service Elevation of Privilege Vulnerability
vendor_msrc · 2019-11-12 · CVSS 7.8 [HIGH]
Description: An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly allows COM object creation. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application.
The update addresses the vulnerability by correcting how the Windows UPnP service accesses COM objects.
Affected: Microsoft Windows
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed:No;Exp
GHSA
GHSA-jc5j-4728-w8pc
ghsa_unreviewed · 2022-05-24 · CWE-269 [HIGH]
An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly allows COM object creation, aka 'Windows UPnP Service Elevation of Privilege Vulnerability'.
VulnCheck
Microsoft Windows Universal Plug and Play (UPnP) Service Privilege Escalation Vulnerability
vulncheck · 2019 · CVSS 7.8 [HIGH]
A privilege escalation vulnerability exists when the Windows UPnP service improperly allows COM object creation.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.group-ib.com/media/silence_ta505_attacks_in_europe/
- https://go.recordedfuture.com/hubfs/reports/cta-2020-0603.pdf
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.tenable.com/blog/contileaks-chats-reveal-over-30-vulnerabilities-used-by-conti-ransomware-affiliates
- https://www.securin.io/articles/all-about-conti-ransomware/
- https://asec.ahnlab.com/en/38156/
- https://go.group-ib.c
No detection rules found.
Exploit-DB
Microsoft UPnP - Local Privilege Elevation (Metasploit)
exploitdb · 2019-12-30 · CVSS 7.8 [HIGH]
---
The module header as published (the `<` after `class MetasploitModule` and the lines up to the `'Name' =>` key were swallowed by the page's HTML rendering and are restored here; the listing stops mid-hash where the page does):

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/windows/priv'
require 'msf/core/post/windows/registry'
require 'msf/core/exploit/exe'

class MetasploitModule < Msf::Exploit::Local
  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Registry
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft UPnP Local Privilege Elevation Vulnerability',
      'Description' => %q(
        This exploit uses two vulnerabilities to execute a command as an elevated user.
        The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to
        NT AUTHORITY\LOCAL SERVICE
        The second (CVE-2019-1322) leverages the Update Orchestrator Service to
        elevate from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM.
      ),
      'Licens
```
Exploit-DB
Microsoft Windows 10 Build 1803 < 1903 - 'COMahawk' Local Privilege Escalation
exploitdb · 2019-11-14 · CVSS 7.8 [HIGH]
---
## EDB Note
Download:
- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47684-1.exe
- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47684-2.zip
# COMahawk
**Privilege Escalation: Weaponizing CVE-2019-1405 and CVE-2019-1322**
## Video Demo
https://vimeo.com/373051209
## Usage
### Compile or Download from Release (https://github.com/apt69/COMahawk/releases)
1. Run COMahawk.exe
2. ???
3. Hopefully profit
or
1. COMahawk.exe "custom command to run" (ie. COMahawk.exe "net user /add test123 lol123 &")
2. ???
3. Hopefully profit
## Concerns
**MSDN mentioned that only 1803 to 1903 is vulnerable to CVE-2019-1322. If it doesn't work, maybe i
Metasploit
Microsoft UPnP Local Privilege Elevation Vulnerability
metasploit · CVSS 7.8 [HIGH]
This exploit uses two vulnerabilities to execute a command as an elevated user. The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to NT AUTHORITY\LOCAL SERVICE. The second (CVE-2019-1322) leverages the Update Orchestrator Service to elevate from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM.
Tenable
ContiLeaks: Chats Reveal Over 30 Vulnerabilities Used by Conti Ransomware – How Tenable Can Help
blogs_tenable · 2022-03-24
Talos
Microsoft Patch Tuesday — Nov. 2019: Vulnerability disclosures and Snort coverage
blogs_talos · 2019-11-12 · CVSS 9.1 [CRITICAL]
By Jon Munshaw.
Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday discloses 75 vulnerabilities, 13 of which are considered "critical," with the rest being deemed "important."
This month’s security update covers security issues in a variety of Microsoft services and software, including the Scripting Engine, the Windows Hyper-V hypervisor, and Win32. Cisco Talos discovered one of these vulnerabilities, CVE-2019-1448 —a remote code execution vulnerability in Microsoft Excel. For more on this bug, read our full Vulnerability Spotlight here. We are also disclosing a remote code execution vulnerability in Microsoft Media Foundation.
Talos also released a new set of SNORTⓇ rules that provide covera
References
- http://packetstormsecurity.com/files/155723/Microsoft-UPnP-Local-Privilege-Elevation.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1405
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-1405
Timeline
- 2019-11-12: Published
- 2022-03-15: Added to CISA KEV
- Exploited in the wild