Friday, February 7, 2020

Privilege Escalation ( FileWrite eop) in AMD User Experience Program Launcher from Radeon Software

Version: AMD User Experience Program Launcher old version, (I forgot to snap).
Operating System tested on: Windows 10 1909 (x64)
Vulnerability: AMD User Experience Program Launcher from Radeon Software Local Privilege Escalation through insecure file move

In these days,
I'm always look at the process monitor (procmon) and I found something which is interesting to me. That something which I found is the processes of AMD User Experience Program Launcher service.

Vulnerability Overview 
AMD User Experience Program Launcher service which is auto start after PC reboot, it service run with AUEPLauncher.exe and that loaded AUEPMaster.exe . And it check 3 folders which are inside "C:\ProgramData\AMD\PPC" after about 30 seconds when service started.

auto start service

that 3 folders are "C:\ProgramData\AMD\PPC\upload\*" , "C:\ProgramData\AMD\PPC\temp\*" and  "C:\ProgramData\AMD\PPC\send\*".


and then "C:\ProgramData\AMD\PPC" can be accessed by buildin user with FullControl and also above 3 folders.


then, I created test file in temp folder "C:\ProgramData\AMD\PPC\temp" and  restart the service and I check the procmon again. And I noticed some interested processes.


When I created file in temp folder "C:\ProgramData\AMD\PPC\temp\hellothere.txt", that created file change (as gz) in "C:\ProgramData\AMD\PPC\temp\hellothere.txt.gz" and then
moved  (SetRenameInformationFile) into *send* folder "C:\ProgramData\AMD\PPC\send\hellothere.txt.gz" with SYSTEM privilege which can be Full controlled by BUILDIN\Users .

Why is this interesting? This presents the opportunity to use Symbolic Links during the move file operation to accomplish a privileged file write. How you might ask? The workflow would be like so:

Create the file in temp folder "C:\ProgramData\AMD\PPC\send\eop_filewrited.pwn" and it will move to send folder as gz file "C:\ProgramData\AMD\PPC\send\eop_filewrited.pwn.gz".
So, create a Symbolic Link on "C:\ProgramData\AMD\PPC\send\eop_filewrited.pwn.gz" that points to "C:\Windows\System32\evil_filewrited.txt" It should be noted that "C:\Windows\System32\evil_filewrited.txt" doesn't exist. And It's will write as C:\Windows\System32\evil_filewrited.txt with SYSTEM privilege which can be FullControl accessed by users.

Symbolic link:


recommend to read about symlink: James Forshaw's A Link to the past .

I used symboliclink-testing-tools which have been created by James Forshaw (@tiraniddo) from Project Zero.

Poc:
echo test123 > C:\ProgramData\AMD\PPC\temp\eop_filewrited.pwn
del /q C:\ProgramData\AMD\PPC\send\*
rmdir /q C:\ProgramData\AMD\PPC\send
CreateSymlink.exe C:\ProgramData\AMD\PPC\send\eop_filewrited.pwn.gz C:\windows\system32\evil_filewrited.txt

and restart the service (or reboot).


wait about 30 seconds after service restarted.


Get FullControl access on "C:\windows\system32\evil_filewrited.txt".

Then, I created the exploit poc script and I used @itm4n's UsoDllLoader  as a privileged filewrite weapon to get system shell.
my poc scripthttps://github.com/sailay1996/amd_eop_poc


B00M !!!

logic bugs are fun.
happy hunting.

you can look up here if you're interested in hunting logical bugs.
https://github.com/sailay1996/awesome_windows_logical_bugs




No comments:

Post a Comment

Privileged arbitrary file read (CVE-2020-16938) with The Sleuth Kit

After I read one of post from twitter which is about @jonasLyk's  CVE-2020-16938  , I've some idea to do without using 7 zip file ma...