[BUG] An exception occurred while trying to decrypt policy response

[jbfuzier]

Describe the bug
Hi,

I get an error when running get secrets. It seems the server response is invalid (pkcs7EnvelopedCms.Decode raises an ASN1 related issue).

** SharpSCCM version**
Last version compiled with VS Version 17.4.4.

** Management point server specs (please complete the following information):**

• OS: 2012R2
• ConfigMgr Version : Unknown (I can dig to get the information if it is usefull)

Client specs (please complete the following information):

• OS: Windows 10
• ConfigMgr Version 5.00.9088.1025

Additional context

  _______ _     _ _______  ______  _____  _______ _______ _______ _______
  |______ |_____| |_____| |_____/ |_____] |______ |       |       |  |  |
  ______| |     | |     | |    \_ |       ______| |______ |______ |  |  |    @_Mayyhem

[+] Querying the local WMI repository for the current management point and site code
[+] Connecting to \\127.0.0.1\root\CCM
[+] Current management point: XXXXXXXX.mydomain.com
[+] Site code: PAF
SharpSCCM.exe Information: 0 : [DEBUG] Searching for certificate matching FindByApplicationPolicy value '1.3.6.1.4.1.311.101' in store 'SMS' at LocalMachine
SharpSCCM.exe Information: 0 : [DEBUG] Found 1 certificate matches.
SharpSCCM.exe Warning: 0 : Found certificate CN=SMS, CN=PC01 (YYYYYYYYYYYYYYYYYY). Certificate does not contain Client Authentication capability but "onlyReturnClientAuthCertificates" is false. Returning certificate anyway.
SharpSCCM.exe Information: 0 : [DEBUG] X509CertificateProvider.ctor(): IsCsp = False IsKsp = True HasPrivateKey = True ProviderName = Microsoft Platform Crypto Provider
[+] Obtained SMS Signing Certificate from local computer certificates store
SharpSCCM.exe Information: 0 : [DEBUG] Searching for certificate matching FindByApplicationPolicy value '1.3.6.1.4.1.311.101.2' in store 'SMS' at LocalMachine
SharpSCCM.exe Information: 0 : [DEBUG] Found 1 certificate matches.
SharpSCCM.exe Warning: 0 : Found certificate CN=SMS, CN=PC01 (ZZZZZZZZZZZZZZZ). Certificate does not contain Client Authentication capability but "onlyReturnClientAuthCertificates" is false. Returning certificate anyway.
SharpSCCM.exe Information: 0 : [DEBUG] X509CertificateProvider.ctor(): IsCsp = False IsKsp = True HasPrivateKey = True ProviderName = Microsoft Software Key Storage Provider
[+] Obtained SMS Encryption Certificate from local computer certificates store
[+] Connecting to \\127.0.0.1\root\CCM
[+] Obtained SmsId from local host: GUID:XXXXX-XXXX-XXXX-XXXX-XXXXXXX
SharpSCCM.exe Information: 0 : [DEBUG] In SynchronousMessageRequest..ctor
SharpSCCM.exe Information: 0 : [DEBUG] Encoding: System.Text.UnicodeEncoding
SharpSCCM.exe Information: 0 : Certificate Purpose flags are: Signing
SharpSCCM.exe Information: 0 : [DEBUG] Flags for message ConfigMgrPolicyAssignmentRequest are SigningRequired
SharpSCCM.exe Information: 0 : [DEBUG] No SigningSmsId is set for message and message does not explicitly reject signing.
    SharpSCCM.exe Information: 0 : [DEBUG] SigningSmsId is being set to SmsId.
SharpSCCM.exe Information: 0 : [DEBUG] Message Microsoft.ConfigurationManagement.Messaging.Messages.ConfigMgrPolicyAssignmentRequest will be signed: True
[+] Obtaining Full Machine policy assignment from XXXXXXXX.mydomain.com PAF
SharpSCCM.exe Information: 0 : Sending message 'Microsoft.ConfigurationManagement.Messaging.Messages.ConfigMgrPolicyAssignmentRequest' via sender 'Microsoft.ConfigurationManagement.Messaging.Sender.Http.HttpSender'. Message type: 'Sync'
SharpSCCM.exe Information: 0 : Validating message settings
    SharpSCCM.exe Information: 0 : Message 'Microsoft.ConfigurationManagement.Messaging.Messages.ConfigMgrPolicyAssignmentRequest' support status: 'Supported'. Message is supported and any functionality issues should be reported as bugs.
    SharpSCCM.exe Information: 0 : [DEBUG] Flags for message ConfigMgrPolicyAssignmentRequest are SigningRequired
    SharpSCCM.exe Information: 0 : [DEBUG] Message Microsoft.ConfigurationManagement.Messaging.Messages.ConfigMgrPolicyAssignmentRequest will be signed: True
    SharpSCCM.exe Information: 0 : [DEBUG] Get certificate for Signing returned YYYYYYYYYYYYYYYYYY
    SharpSCCM.exe Information: 0 : [DEBUG] 0 validation exceptions were handled during validation process.
SharpSCCM.exe Warning: 0 : User policy request and no UserInformation specified. Using current machine information.
SharpSCCM.exe Information: 0 : [DEBUG] Serialization flags for message Microsoft.ConfigurationManagement.Messaging.Messages.PolicyAssignmentRequestAssignments are: None
SharpSCCM.exe Information: 0 : [DEBUG] Payload bytes are being set.
SharpSCCM.exe Information: 0 : [DEBUG] AuthenticationType is: Automatic. Credentials are: null
SharpSCCM.exe Information: 0 : [DEBUG] Returning /ccm_system/request VDIR
SharpSCCM.exe Information: 0 : [DEBUG] MessageVerb is: CCM_POST
SharpSCCM.exe Information: 0 : [DEBUG] ManagementPointUriPath is: /ccm_system/request
SharpSCCM.exe Information: 0 : [DEBUG] Using URI http://XXXXXXXX.mydomain.com/ccm_system/request
SharpSCCM.exe Information: 0 : [DEBUG] Message timeout is: 60000ms
SharpSCCM.exe Information: 0 : [DEBUG] AllowProxyTraversal == true. This means that the sender will use the current proxy settings for the request which may lead to undesired results.
SharpSCCM.exe Information: 0 : [DEBUG] Using CCM_POST method to send data to web server
SharpSCCM.exe Information: 0 : [DEBUG] Message is a standard MP message.
    SharpSCCM.exe Information: 0 : [DEBUG] Flags for message ConfigMgrPolicyAssignmentRequest are SigningRequired
    SharpSCCM.exe Information: 0 : [DEBUG] Message Microsoft.ConfigurationManagement.Messaging.Messages.ConfigMgrPolicyAssignmentRequest will be signed: True
    SharpSCCM.exe Information: 0 : Signing message
    SharpSCCM.exe Information: 0 : [DEBUG] Flags for message ConfigMgrPolicyAssignmentRequest are SigningRequired
    SharpSCCM.exe Information: 0 : [DEBUG] Message Microsoft.ConfigurationManagement.Messaging.Messages.ConfigMgrPolicyAssignmentRequest will be signed: True
    SharpSCCM.exe Information: 0 : [DEBUG] Performing "mixed mode" signing of message
    SharpSCCM.exe Information: 0 : [DEBUG] Get certificate for Signing returned YYYYYYYYYYYYYYYYYY
    SharpSCCM.exe Information: 0 : [DEBUG] [Microsoft.ConfigurationManagement.Messaging.Framework.MessageHashAlgorithmCng IsCsp=False IsKsp=True] Signing 780 bytes using algorithm: SHA256
    SharpSCCM.exe Information: 0 : [DEBUG] Get certificate for Signing returned YYYYYYYYYYYYYYYYYY
    SharpSCCM.exe Information: 0 : [DEBUG] [Microsoft.ConfigurationManagement.Messaging.Framework.MessageHashAlgorithmCng IsCsp=False IsKsp=True] Signing 84 bytes using algorithm: SHA256
SharpSCCM.exe Information: 0 : [DEBUG] Serialization flags for message Microsoft.ConfigurationManagement.Messaging.Framework.ManagementPoint.MPMessageBodyOutgoing are: None
SharpSCCM.exe Information: 0 : [DEBUG] Serialization flags for message Microsoft.ConfigurationManagement.Messaging.Framework.ManagementPoint.MPHookClientAuth are: None
SharpSCCM.exe Information: 0 : [DEBUG] CCM_POST: payload size 6196
SharpSCCM.exe Information: 0 : HTTP response status code is: OK
SharpSCCM.exe Information: 0 : [DEBUG] Cloning message
SharpSCCM.exe Information: 0 : [DEBUG] Flags for message ConfigMgrPolicyAssignmentReply are SigningRequired
SharpSCCM.exe Information: 0 : [DEBUG] No SigningSmsId is set for message and message does not explicitly reject signing.
    SharpSCCM.exe Information: 0 : [DEBUG] SigningSmsId is being set to SmsId.
SharpSCCM.exe Information: 0 : [DEBUG] Message 'Microsoft.ConfigurationManagement.Messaging.Messages.ConfigMgrPolicyAssignmentReply' is a reply type that requires signing, but site code isn't sent. Client will likely reject message.
SharpSCCM.exe Information: 0 : [DEBUG] Message Microsoft.ConfigurationManagement.Messaging.Messages.ConfigMgrPolicyAssignmentReply will be signed: True
SharpSCCM.exe Information: 0 : [DEBUG] Not cloning property Endpoint because it is a special message-specific property
SharpSCCM.exe Information: 0 : [DEBUG] Not cloning property ReplyEndpoint because it is a special message-specific property
SharpSCCM.exe Information: 0 : [DEBUG] byteStream has an 0xfffe BOM, stripping out the first two bytes.
SharpSCCM.exe Information: 0 : [DEBUG] MIME type is parsed as: Text
SharpSCCM.exe Information: 0 : [DEBUG] MIME sub-type is parsed as: plain
SharpSCCM.exe Information: 0 : [DEBUG] MIME type is parsed as: Application
SharpSCCM.exe Information: 0 : [DEBUG] MIME sub-type is parsed as: octet-stream
SharpSCCM.exe Information: 0 : [DEBUG] 2 MIME blobs in reply
SharpSCCM.exe Information: 0 : [DEBUG] Message is a Msg message, second element has the body
SharpSCCM.exe Warning: 0 : No certificate of type ManagementPointSigning was found.
SharpSCCM.exe Information: 0 : [DEBUG] Got return message (size: 1243300)
SharpSCCM.exe Information: 0 : [DEBUG] Not cloning property Endpoint because it is a special message-specific property
SharpSCCM.exe Information: 0 : [DEBUG] Not cloning property ReplyEndpoint because it is a special message-specific property
SharpSCCM.exe Information: 0 : [DEBUG] Not cloning SenderProperties because CloneSenderSettings is not specified.
SharpSCCM.exe Information: 0 : [DEBUG] Payload has changed, re-generating the payload string.
SharpSCCM.exe Error: 0 : Input stream passed to StripBom(byte[]) that does not meet criteria for BOM stripping. Returning original byte stream to caller.
[+] Found 409 policy assignments
[+] Found policy containing secrets:
      ID: {BBBBBBBBBBBBBBBBBBBBBBBBBBBB}
      Flags: RequiresAuth, Secret, IntranetOnly, PersistWholePolicy
      URL: http://<mp>/SMS_MP/.sms_pol?{BBBBBBBBBBBBBBBBBBBBBBBBBBBB}.2_00
SharpSCCM.exe Information: 0 : [DEBUG] [Microsoft.ConfigurationManagement.Messaging.Framework.MessageHashAlgorithmCng IsCsp=False IsKsp=True] Signing 126 bytes using algorithm: SHA256
[+] Adding authentication headers to download request:
      ClientToken: GUID:XXXXX-XXXX-XXXX-XXXX-XXXXXXX;2023-09-12T13:49:25Z
      ClientTokenSignature: XXXXXXXXXXXXXXXXXXXXXXXXXXXX
[+] Received encoded response from server for policy {BBBBBBBBBBBBBBBBBBBBBBBBBBBB}
[!] An exception occurred while trying to decrypt policy response: ASN1 de valeur de balise incorrecte.

[+] Completed execution in 00:00:01.4846978

[0xElessar]

unfortunately, I have the same problem :(

[Mayyhem]

Hey, sorry for the massive delay, but I finally have time to work on this next week and have the same issue in one of my labs, so I think I should be able to figure it out.

[0xElessar]

Thank you, @Mayyhem . Much appreciated.

In my case, the local commands worked perfectly, which allowed to extract the NAA account, which has local admin privileges on the SCCM main box :)

Not sure, how much different info I would get from the 'get secrets', but it would be great to check.

thanks again for great tool!

[Mayyhem]

Eyyyy that's awesome to hear it worked well for you and you were able to get on the site server @0xElessar, thanks for sharing! It's very likely the info would be the same from get secrets, but there are cases when it wouldn't match, like if a secret had been added to your machine by the server but the machine hadn't fetched policy since the change. The get secrets command is useful when you don't have local admin privileges but can create a machine account. If you're not admin and can't create a machine account, check out fortra/impacket#1425.

[Mayyhem]

Also it's absolute madness how many reports I get on that account having SCCM admin privs... it's like mailing your house keys to everyone in your city.

[0xElessar]

Eyyyy that's awesome to hear it worked well for you and you were able to get on the site server @0xElessar, thanks for sharing! It's very likely the info would be the same from get secrets, but there are cases when it wouldn't match, like if a secret had been added to your machine by the server but the machine hadn't fetched policy since the change. The get secrets command is useful when you don't have local admin privileges but can create a machine account. If you're not admin and can't create a machine account, check out fortra/impacket#1425.

Fantastic. Thank you. Great to know!

[Mayyhem]

Just wanted to post an update. I see this issue in my lab running ConfigMgr 2303 on one system but not others and don't see it at all in another lab running 2309. I have not been able to identify the root cause and resolve it yet, but I will keep you posted.

[Mayyhem]

I think the issue may be fixed in https://github.com/Mayyhem/SharpSCCM/tree/2.0.4, so check that out if you need a quick fix, but I need to do further testing before merging into main. I think maybe in some cases the same certificate can be used for signing and encryption and in some cases it can't.

[0xElessar]

Thank you, @Mayyhem . I will check that as soon as possible.

UPDATE: unfortunately, the new version kills my beacon for some reason (event viewer reports unhandled exception in the decompressXMLNodes). Running through a beacon, is the only way for me to check.

[Mayyhem]

@0xElessar Thanks for checking it out! I'll run it through beacon next chance I have and see if I can reproduce and fix the issue you're seeing. Really appreciate you putting an extra pair of eyes on this!

[0xElessar]

My pleasure @Mayyhem. To be honest, I don't think this is a beacon fault. I used Brute-Ratel C2 in this case. But I am suspecting the SCCM config on the customer site is unusual/old, which triggers the exception in the decompressXMLNodes function/method. This exception was clearly logged in the Application Event Log. If you don't mind checking the exception handler in this function, that would be great :) Thank you for the tool, again! Extremely helpful.

[Mayyhem]

@0xElessar does running SharpSCCM with the --debug option provide any additional details in the full stack trace, or is that not possible before the agent crashes? Is dropping the binary to disk out of the question?

Another idea I have is to compile the version of SharpSCCM just before Carsten implemented the built-in NAA decryption (where DecompressXMLNodes was introduced) to see if there are issues (https://github.com/Mayyhem/SharpSCCM/blob/54aaccdfeeca92b5264f2c1fc244c9368fdfd040/lib/MgmtPointMessaging.cs). Recovered credentials can be deobfuscated using https://github.com/Mayyhem/SharpSCCM/tree/main/DeobfuscateSecretString.

[Mayyhem]

I will take a look at implementing better exception handling as well, although I'm not sure how to get the output needed to fix the issue before the agent crashes. I could probably create a branch that just dumps the XML and skips the rest of the function so we can see if it's compressed in some unexpected way? If we can get the XML that decompression fails on, I should be able to debug more thoroughly on my end.

[0xElessar]

@Mayyhem , I really appreciate your effort here. Big thank you! I will come back to that environment in a few weeks and will make more tests definitely. For now, I don't have access unfortunately. I think the SharpSCCM crashes first, because I could find the application crash in the Event Log (with references to the decompressXMLNodes). I will use the --debug option next time I run it definitely.

EDR is running there, so dropping the binary will be challenging and require additional time to implement some obfuscation. :/

[Mayyhem]

As long as stealth isn't a huge issue, I could write a stub that only includes the code necessary to request and dump the XML pretty quickly, which would be unlikely to trigger default EDR detections. When you're back in the environment, please let me know and I'd be happy to troubleshoot further if you have the time. I'm also available as Mayyhem on the BloodHoundGang Slack if you want to chat in real time. Thanks for all your help!

[0xElessar]

Thank you, @Mayyhem . Much appreciated. I will do that :)

[Mayyhem]

I tested this in two labs today and a colleague's testing was successful as well, so I merged this fix into main in PR #48. Thanks again for the report!