Monday, November 9, 2020

Privileged arbitrary file read (CVE-2020-16938) with The Sleuth Kit

After I read a post on Twitter about @jonasLyk's CVE-2020-16938, I had the idea of reading privileged files without using the 7-Zip File Manager, and I remembered one of the forensics tools for file systems, called "Sleuthkit".

I have a little experience with the Sleuth Kit from playing forensics CTF challenges. For this arbitrary file read bug, I will use three of its tools: mmls, fls and icat.

The Sleuth Kit is a collection of command line tools and a C library that allows you to analyze disk images and recover files from them. It is used behind the scenes in Autopsy and many other open source and commercial forensics tools.

mmls : displays the layout of the partitions in a volume system, including partition tables and disk labels.

fls : lists the file and directory names in the image, and can display the names of recently deleted files for the directory identified by the given inode. If the inode argument is not given, the inode of the root directory is used; for example, on an NTFS file system it is 5 and on an Ext3 file system it is 2.

icat : opens the named image(s) and copies the file with the specified inode number to standard output.

CVE-2020-16938: privileged files can be read by opening the device volume. @jonasLyk used the 7-Zip File Manager to read privileged files in the PoC.

In this article, I will show that PoC without using the 7-Zip File Manager.

For the first step, check the volume system of "\\.\PhysicalDrive0" with mmls.

C:\sleuthkit>mmls "\\.\PhysicalDrive0"


Then you'll see two "Basic data partition" volumes, and we need the start address of the first one, without the leading zeros. The address is 239616. After this, we need to find the address of the privileged file we want to read, using fls with the offset 239616 from above.

C:\sleuthkit>fls -o 239616 -p -r \\.\physicaldrive0 | findstr /i "config/SAM"
-o 
        The sector offset where the file system starts in the image.
-p
        Display the full path for each entry. 
-r 
        Recursively display directories.

The findstr command is used to grep for the file name we want (SAM). You can also use a file name with an extension, e.g. PrivilegedFile.txt.



Then we will see the address of the file we want to read. The address of the SAM file is 78248; we don't need the -128-4 suffix. Once we have the privileged file's address, we can read the file with icat using both addresses.

C:\sleuthkit>icat -o 239616 \\.\physicaldrive0 78248



You can read the privileged file directly in the command prompt, or redirect it to a file and read it in Notepad with this command.

C:\sleuthkit>icat -o 239616 \\.\physicaldrive0 78248 > sam.txt
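The three commands above form one small pipeline, so here is an added Python example (not code from the post or from The Sleuth Kit project) that parses mmls and fls output the way a forensic triage script over a disk image would: it reads the start sector of the partition you name, resolves a path to its NTFS address, and splits the 78248-128-4 form into its parts, which are MFT entry, attribute type and attribute id; 128 is the $DATA attribute, which is why icat only needs the entry number. The mmls and fls text below is constructed to match the tools' layout (sector numbers invented apart from the 239616 quoted in the post), and disk.img is a placeholder image name.

```python
import re
from typing import Dict, List, Optional

# Constructed `mmls` output for a GPT disk (not captured from a real host; every
# sector number except the 239616 start quoted in the post is invented).
MMLS_SAMPLE = """\
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000002048   0000206847   0000204800   EFI system partition
005:  001       0000206848   0000239615   0000032768   Microsoft reserved partition
006:  002       0000239616   0104857599   0104617984   Basic data partition
007:  003       0104857600   0105906175   0001048576   Basic data partition
"""

# Constructed `fls -p -r` output on NTFS. The address column is
# "<MFT entry>-<attribute type>-<attribute id>": 128 (0x80) is $DATA and
# 144 (0x90) is $INDEX_ROOT, which is why directories show -144-.
# A leading "*" marks a deleted entry.
FLS_SAMPLE = """\
r/r 4-128-4:\t$AttrDef
d/d 11-144-4:\t$Extend
d/d 1234-144-1:\tWindows
d/d 1300-144-1:\tWindows/System32
d/d 1301-144-1:\tWindows/System32/config
r/r 78248-128-4:\tWindows/System32/config/SAM
r/r * 90001-128-1:\tWindows/Temp/old.tmp
"""

MMLS_ROW = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")
FLS_ROW = re.compile(r"^([a-z-]/[a-z-])\s+(\*\s+)?(\d+)(?:-(\d+)-(\d+))?:\s+(.+?)\s*$")


def parse_mmls(text: str) -> List[Dict[str, object]]:
    """Table rows of mmls output; the zero-padded sector columns become ints,
    which is what the post means by 'without the leading zeros'."""
    rows = []
    for line in text.splitlines():
        m = MMLS_ROW.match(line)
        if m:
            rows.append({"index": int(m.group(1)), "slot": m.group(2),
                         "start": int(m.group(3)), "end": int(m.group(4)),
                         "length": int(m.group(5)), "description": m.group(6)})
    return rows


def filesystem_offset(rows, description="Basic data partition", which=0) -> int:
    """Start sector of the N-th partition with that description: the value for -o."""
    matches = [r for r in rows if r["description"] == description]
    if len(matches) <= which:
        raise ValueError(f"no partition #{which} described as {description!r}")
    return matches[which]["start"]


def parse_fls(text: str) -> List[Dict[str, object]]:
    """Entries of `fls -p -r` output, with the NTFS address split into its parts."""
    entries = []
    for line in text.splitlines():
        m = FLS_ROW.match(line)
        if m:
            entries.append({"type": m.group(1), "deleted": m.group(2) is not None,
                            "inode": int(m.group(3)),
                            "attr_type": int(m.group(4)) if m.group(4) else None,
                            "attr_id": int(m.group(5)) if m.group(5) else None,
                            "path": m.group(6)})
    return entries


def find_entry(entries, path: str) -> Optional[Dict[str, object]]:
    """Case-insensitive lookup, since NTFS names are case-insensitive."""
    wanted = path.replace("\\", "/").lower()
    for e in entries:
        if e["path"].lower() == wanted:
            return e
    return None


def icat_args(image: str, offset: int, entry) -> List[str]:
    """icat defaults to the $DATA attribute, so the MFT entry number alone is enough."""
    return ["icat", "-o", str(offset), image, str(entry["inode"])]


if __name__ == "__main__":
    parts = parse_mmls(MMLS_SAMPLE)
    offset = filesystem_offset(parts)
    entry = find_entry(parse_fls(FLS_SAMPLE), "Windows/System32/config/SAM")
    print(" ".join(icat_args("disk.img", offset, entry)))
```

Real fls output separates the address from the name with a tab; the parser accepts any whitespace after the colon so it also works on output that has been pasted through a terminal.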



Boom !!! You can read any privileged file on the Windows system using this bug.

Thanks for reading. Hope you enjoy it.






Thursday, July 23, 2020

Thursday, May 21, 2020

What is *.local file in windows ?

The LOCAL file type is primarily associated with DLL Redirection by Microsoft Corporation. 'DLL Hell' is a term known all too well among Microsoft Windows developers. 'DLL Hell' causes grief and despair when two separate and essentially incompatible versions of a DLL file with the same name are installed, one overwriting the other. This can cause the first program, whose DLL got overwritten, to stop functioning. Enter .local, which redirects where Windows searches for a specific DLL. If a file application.exe.local exists, Windows will first look in that application's directory for the DLL file. If .local is a directory/folder, Windows will search in that directory instead of the application directory.

Ref: https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection

Coming soon: what can we do with *.local for Windows exploitation?

What is NTDLL.DLL ?

Short Description :
A system-wide DLL implementing the Windows native API. It is the lowest layer of code that is still in user mode; its most important role is to make the transition to kernel mode for system call invocation. NTDLL also implements the Heap Manager, the Image Loader and part of the user-mode thread pool. The native API is mostly undocumented.

win32 api : http://undocumented.ntinternals.net/

Sunday, March 8, 2020

Local Privilege Escalation in Metasploit Framework Application (Windows)

Version: Metasploit Framework - Rapid7 (Windows)  4.17.0
Operating System tested on: Windows 10 1909 (x64)
Vulnerability: Metasploit Framework - Rapid7 (Windows) Local Privilege Escalation through CWE-426(Untrusted Search Path)

When Metasploit Framework is installed on Windows, the installation creates four services.
The Metasploit Windows services run automatically by default (I mean they start and stop with a reboot).




Services are running automatically.






Then I checked the processes of those four services in procmon. One of them, metasploitProSvc, calls/loads taskkill.exe from a folder where it doesn't exist, with SYSTEM access, when the service is stopped (or the PC is rebooted).








Then I checked the permissions of the folder where taskkill.exe doesn't exist.



So authenticated users can access that folder. This means that every user (user/guest or admin) who can use Metasploit Framework on the Windows PC can exploit this bug.
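The precondition described above is a directory that a SYSTEM service executes from, or looks for a missing binary in, being writable by an ordinary user. As an added example (not code from the post), here is a Python audit for that condition: the ACL parsing runs offline on constructed icacls output, and run_on_host() uses PowerShell's Get-CimInstance and icacls.exe on a real Windows machine, taking extra directories such as the one procmon showed. The service entries and ACL text below are constructed, not captured from a Metasploit install.

```python
import json
import ntpath
import re
import subprocess
from typing import Callable, Dict, List, Optional

# Principals every local user belongs to (compared case-insensitively).
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users"}
# icacls tokens that allow planting or replacing a file: simple rights F/M/W plus
# the specific rights WD (write data / add file), AD (add subdirectory), GW.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GW"}
SYSTEM_ACCOUNTS = {"localsystem", "nt authority\\system"}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([A-Za-z,]*\))+)\s*$")


def exe_from_pathname(pathname: str) -> str:
    """A service PathName may be quoted and may carry arguments; keep the executable."""
    s = pathname.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ")[0]


def parse_icacls(output: str, path: str) -> List[Dict[str, object]]:
    """icacls prints the path before the first ACE and indents the rest."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:
            flags = re.findall(r"\(([A-Za-z,]*)\)", m.group("flags"))
            aces.append({"principal": m.group("principal"), "flags": flags})
    return aces


def low_priv_writable(aces: List[Dict[str, object]]) -> List[str]:
    """ACEs that let an ordinary user write into the directory itself. Inherit-only
    entries (IO) do not apply to the directory object; DENY entries are skipped."""
    hits = []
    for ace in aces:
        flags = ace["flags"]
        if "DENY" in flags or "IO" in flags or str(ace["principal"]).lower() not in LOW_PRIV:
            continue
        granted = {r for f in flags for r in f.split(",")}
        if granted & WRITE_RIGHTS:
            hits.append(str(ace["principal"]) + ":" + "".join(f"({f})" for f in flags))
    return hits


def audit_dirs(dirs, icacls_lookup: Callable[[str], Optional[str]]) -> Dict[str, List[str]]:
    """Directory -> weak ACEs, for directories that have at least one."""
    findings = {}
    for d in dirs:
        text = icacls_lookup(d)
        if text is not None:
            weak = low_priv_writable(parse_icacls(text, d))
            if weak:
                findings[d] = weak
    return findings


def system_service_dirs(services: List[Dict[str, str]]) -> List[str]:
    """Directories that services running as SYSTEM execute from."""
    dirs = []
    for svc in services:
        if str(svc.get("StartName") or "").lower() in SYSTEM_ACCOUNTS and svc.get("PathName"):
            d = ntpath.dirname(exe_from_pathname(svc["PathName"]))
            if d and d not in dirs:
                dirs.append(d)
    return dirs


# Constructed icacls output (not captured from a real host): the folder the post
# names, and a locked-down system folder for contrast.
ICACLS_SAMPLES = {
    r"C:\metasploit\postgresql\bin": r"""C:\metasploit\postgresql\bin NT AUTHORITY\Authenticated Users:(I)(M)
                             NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
                             NT AUTHORITY\SYSTEM:(I)(F)
                             BUILTIN\Administrators:(I)(F)
                             BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
""",
    r"C:\Windows\System32": r"""C:\Windows\System32 NT SERVICE\TrustedInstaller:(F)
                    NT AUTHORITY\SYSTEM:(M)
                    BUILTIN\Administrators:(M)
                    BUILTIN\Users:(RX)

Successfully processed 1 files; Failed processing 0 files
""",
}


def run_on_host(extra_dirs=()) -> Dict[str, List[str]]:
    """Windows only: real service list via PowerShell, real ACLs via icacls.exe."""
    cmd = ["powershell", "-NoProfile", "-Command",
           "Get-CimInstance Win32_Service | Select-Object Name,PathName,StartName | ConvertTo-Json"]
    services = json.loads(subprocess.check_output(cmd, text=True))
    if isinstance(services, dict):      # ConvertTo-Json unwraps a single element
        services = [services]

    def lookup(d: str) -> Optional[str]:
        try:
            return subprocess.check_output(["icacls", d], text=True)
        except (subprocess.CalledProcessError, FileNotFoundError):
            return None

    return audit_dirs(system_service_dirs(services) + list(extra_dirs), lookup)


if __name__ == "__main__":
    for d, weak in audit_dirs(ICACLS_SAMPLES, ICACLS_SAMPLES.get).items():
        print(d, "->", ", ".join(weak))
```

The fix on the defending side is the usual one for CWE-426: make the directories a privileged service loads from writable only by administrators, and have the service reference its helpers by full path.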

Then I created the payload file as taskkill.exe in the folder "C:\metasploit\postgresql\bin".





The payload has been executed. B00M !!! We g0t a SYSTEM shell.

They acknowledged and appreciated it.



Logic bugs are fun.
Happy hunting.

You can look here if you're interested in hunting logic bugs.
https://github.com/sailay1996/awesome_windows_logical_bugs

Friday, February 21, 2020

Local Privilege Escalation In EA's Origin Client

Product name: Origin Client (OriginThinSetup)
Product version : 10.5.63.37653
Operating System tested on: Windows 10 1909 (x64)
Vulnerability: Origin Client Service DACL Overwrite Elevation of Privilege


Description :

When the Origin client application is installed, it creates two services, "Origin Client Service" and "Origin Web Helper Service", running with different privileges: "NT AUTHORITY\SYSTEM" and "NT AUTHORITY\Local Service". Both services can also be started by everyone.


Services Access Control
Then I checked the processes of those two services in Process Monitor (procmon) and found something interesting: "Origin Web Helper Service" creates the file "C:\ProgramData\Origin\local.xml" if it doesn't exist, inside the folder "C:\ProgramData\Origin\", which is controlled by Everyone:(F). Then "Origin Client Service" sets the permissions (SetSecurityFile, DACL) on "C:\ProgramData\Origin\local.xml".

create local.xml

SetSecurityFile(DACL)

So low-privileged users can use these services to set permissions (a DACL) on highly privileged files by creating a symbolic link. I used the symboliclink-testing-tools created by James Forshaw (@tiraniddo) from Project Zero to create the link.

I created a hardlink at "C:\ProgramData\Origin\local.xml" pointing to the file "C:\windows\win.ini", which low-privileged users cannot access. Then I restarted the service.

Set permission(DACL) on privileged file.
B00M !!! I have full control of that privileged file "C:\windows\win.ini".

To get a SYSTEM shell with this bug, we can use "from-arbitrary-file-overwrite-to-system" by @decoder_it. I modified it to keep it simple.
FileWrite Weapon: https://github.com/sailay1996/FileWrite2system

To exploit this bug,
create a hardlink to the file "C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_e4ff50d4d5f8b2aa\Amd64\PrintConfig.dll"; then you get full control of that DLL file, PrintConfig.dll. After you have full control, run the PowerShell script and you will get a SYSTEM shell.

nt authority\system

B00m !!!! You g0t a SYSTEM shell.

And I created a full PoC for this bug.
https://github.com/sailay1996/origin_client_LPE

SYSTEM

pwnedddd !!!!  xD

Thanks for reading
@404death





Monday, February 17, 2020

Local Privilege Escalation In Techsmith's Snagit

Product name : Snagit 2020
Product Version : 20.1.0.4965
Operating System tested on: Windows 10 1909 (x64)
Vulnerability: Snagit Local Privilege Escalation through repairing msi installer package


Description :

After TechSmith's Snagit application is installed on Windows, an msi file is added to the "c:\windows\installer" directory (hidden by default). Some of the .msi files in there auto-elevate when you run them: they do not prompt, even for non-admins, as discovered by @sandboxescaper. The TechSmith installer package also doesn't need to be run by an admin. So even normal users can run the installer file, which performs file operations at a higher privilege with no prompt required.

About the bug:
after the Snagit application is installed on Windows, an *.msi file with a random name is added to the "C:\windows\installer" directory. You can find TechSmith's installer package file in "C:\windows\installer" using Explorer.

Then,
I repaired that *.msi file with "C:\windows\installer> msiexec /fa 169a4170.msi" from a low-privilege (non-admin) account and looked at Process Monitor (procmon) to check the processes involved in repairing the TechSmith installer package.

Low-privilege account (non-admin)

Repair TechSmith's installer package
Then check Process Monitor



I found something interesting: msiexec writes files into the folder "C:\ProgramData\TechSmith\Snagit 20\" and calls SetSecurityFile on RegInfo.ini and PrinterPortFile with high-privilege SYSTEM access, in a folder that can be controlled by Everyone.

Everyone:(F) Full control

Then I used the symboliclink-testing-tools created by James Forshaw (@tiraniddo) from Project Zero to create a symbolic link.

I created a hardlink to the file "C:\windows\win.ini", which a low-privilege user cannot access, and repaired the installer package again by running "msiexec /fa 169a4170.msi".

Access is denied for the low-privilege account
Then I created the hardlink to win.ini and repaired.

Created hardlink and repaired the msi
After the repair finished, the file "C:\windows\win.ini" is access-controllable by Everyone.

C:\windows\win.ini Everyone:(F)
B00M !!! xD I have full control of that file.
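The chain in this post and in the Origin post above ends the same way: a SYSTEM process calls SetSecurityFile and grants Everyone full control of a file it was tricked into opening. As an added example (not code from the posts), here is detection logic in Python over constructed Windows Security event 4670 ("Permissions on an object were changed") records, which carry the old and new security descriptors as SDDL. One caveat matters for exactly this technique: when the privileged process was redirected through a hardlink, the ObjectName in the event is the path the process opened (the ProgramData file), not the real target, so the rule keys on who gained which rights rather than on the path. 4670 is only generated when object access auditing and a matching SACL are in place. The records, SIDs and process names below are constructed; the EventData field names (OldSd, NewSd, SubjectUserSid, ObjectName, ProcessName) follow the standard 4670 schema.

```python
import re
from typing import Dict, List, Optional, Set

# SDDL access-right tokens -> access-mask bits, with their file-object meanings
# (CC = read data, DC = write data, LC = append, WD = WRITE_DAC, WO = WRITE_OWNER).
RIGHT_TOKENS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000,
}
# Bits that let the grantee change the file's content, its DACL or its owner.
WRITE_MASK = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000 | 0x40000000 | 0x10000000
# Trustees every local user belongs to, as SDDL aliases and as raw SIDs.
LOW_PRIV_SIDS = {"WD": "Everyone", "S-1-1-0": "Everyone",
                 "BU": "BUILTIN\\Users", "S-1-5-32-545": "BUILTIN\\Users",
                 "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users"}
PRIVILEGED_SUBJECT_SIDS = {"S-1-5-18"}   # LocalSystem


def rights_mask(rights: str) -> int:
    """'FA', 'CCDCLC' or '0x1f01ff' -> access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return sum(RIGHT_TOKENS.get(rights[i:i + 2], 0) for i in range(0, len(rights), 2))


def low_priv_writers(sddl: str) -> Set[str]:
    """Low-privileged trustees that the DACL in `sddl` allows to write."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return set()
    writers = set()
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        parts = ace.split(";")                  # type;flags;rights;obj;inh;sid
        if len(parts) < 6 or parts[0] != "A":   # only Allow ACEs grant anything
            continue
        if parts[5] in LOW_PRIV_SIDS and rights_mask(parts[2]) & WRITE_MASK:
            writers.add(LOW_PRIV_SIDS[parts[5]])
    return writers


def check_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Alert when a privileged subject's DACL change newly lets ordinary users
    write to the object, whatever path the object was opened under."""
    if event.get("EventID") != "4670" or event.get("SubjectUserSid") not in PRIVILEGED_SUBJECT_SIDS:
        return None
    added = low_priv_writers(event.get("NewSd", "")) - low_priv_writers(event.get("OldSd", ""))
    if not added:
        return None
    return {"object": event.get("ObjectName"), "process": event.get("ProcessName"),
            "new_writers": sorted(added)}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [a for a in (check_event(e) for e in events) if a]


# Constructed 4670 records (field names as in EventData; all values invented).
SAMPLE_EVENTS = [
    {   # the end state both posts reach: SYSTEM hands Everyone full control of win.ini
        "EventID": "4670", "SubjectUserSid": "S-1-5-18", "SubjectUserName": "SYSTEM",
        "ProcessName": r"C:\Windows\System32\msiexec.exe", "ObjectName": r"C:\Windows\win.ini",
        "OldSd": "O:SYG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)(A;;FR;;;BU)",
        "NewSd": "O:SYG:SYD:(A;;FA;;;WD)",
    },
    {   # hardlink case: the logged path is the ProgramData file, yet the grant is the same
        "EventID": "4670", "SubjectUserSid": "S-1-5-18", "SubjectUserName": "SYSTEM",
        "ProcessName": r"C:\Windows\System32\msiexec.exe",
        "ObjectName": r"C:\ProgramData\TechSmith\Snagit 20\RegInfo.ini",
        "OldSd": "O:SYG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)", "NewSd": "O:SYG:SYD:(A;;0x1f01ff;;;S-1-1-0)",
    },
    {   # read-only grant to Users: not a write right, no alert
        "EventID": "4670", "SubjectUserSid": "S-1-5-18", "SubjectUserName": "SYSTEM",
        "ProcessName": r"C:\Windows\System32\svchost.exe", "ObjectName": r"C:\Windows\win.ini",
        "OldSd": "O:SYG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)",
        "NewSd": "O:SYG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)(A;;FR;;;BU)",
    },
    {   # an ordinary user loosening her own file: not a privileged subject, no alert
        "EventID": "4670", "SubjectUserSid": "S-1-5-21-1000-2000-3000-1001", "SubjectUserName": "alice",
        "ProcessName": r"C:\Windows\explorer.exe", "ObjectName": r"C:\Users\alice\notes.txt",
        "OldSd": "D:(A;;FA;;;S-1-5-21-1000-2000-3000-1001)", "NewSd": "D:(A;;FA;;;WD)",
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

In a SIEM this rule would be fed from the parsed EventData of 4670, and the process name and object path go into the alert for triage rather than into the match condition.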

To get a SYSTEM shell with that bug, we can use "from-arbitrary-file-overwrite-to-system" by @decoder_it.
I modified it to keep it simple.
FileWrite Weapon: https://github.com/sailay1996/FileWrite2system

To exploit this bug,
create a hardlink to the file "C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_e4ff50d4d5f8b2aa\Amd64\PrintConfig.dll"; then you get full control of that DLL file, PrintConfig.dll. After you have full control, run the PowerShell script and you will get a SYSTEM shell.

nt authority\system

B00m !!!! You g0t a SYSTEM shell.

Thanks for reading.
@404death


One-click PoC coming soon for this bug.
https://github.com/sailay1996






