exploiting errors in windows error reporting€¦ · wermgr dacl overwrite does wermgr.exe later...
TRANSCRIPT
Exploiting Errors in Windows Error ReportingGal De Leon (@galdeleon)BlueHatIL 2020
Who am I?● Gal De Leon
● Principal security researcher @ PaloAltoNetworks Anti-Exploit Team
● Interested in fuzzing, vulnerabilities, exploits and mitigations
● MSRC MVSR 10th place 2018 & 2019○ ~35 vulnerabilities
2
Agenda● What are privileged filesystem access bugs?
● Overview of Windows Error Reporting
● Vulnerabilities & exploits in WER
3
File Access
CreateFile(WRITE)Gdl.exe(Standard User)
C:\Windows\System32\Driverspci.sys
4
C:\Windows\System32\Drivers
File Access
5
CreateFile(WRITE)Gdl.exe(Standard User)
C:\Users\gdeleon>icacls c:\Windows\System32\drivers\pci.sysc:\Windows\System32\drivers\pci.sys NT SERVICE\TrustedInstaller:(F) NT AUTHORITY\SYSTEM:(F) BUILTIN\Users:(RX)
C:\Windows\System32\Cmd.exe
pci.sys
File Access
ACCESS_DENIED
6
CreateFile(WRITE)Gdl.exe(Standard User)
C:\Users\gdeleon>icacls c:\Windows\System32\drivers\pci.sysc:\Windows\System32\drivers\pci.sys NT SERVICE\TrustedInstaller:(F) NT AUTHORITY\SYSTEM:(F) BUILTIN\Users:(RX)
C:\Windows\System32\Cmd.exe
C:\Windows\System32\Driverspci.sys
File Access
7
CreateFile(WRITE)MySrv.exe(LocalSystem)
C:\Users\gdeleon>icacls c:\Windows\System32\drivers\pci.sysc:\Windows\System32\drivers\pci.sys NT SERVICE\TrustedInstaller:(F) NT AUTHORITY\SYSTEM:(F) BUILTIN\Users:(RX)
C:\Windows\System32\Cmd.exe
C:\Windows\System32\Driverspci.sys
Privileged Filesystem Access Bugs
● Ask a privileged component (service, driver, etc) to access a file for us,
that we couldn’t access otherwise
8
C:\Windows\System32\Driverspci.sys
Bug Example #1 - PleaseWriteFileForMe()
Gdl.exe(Standard User)
MySrv.exe(LocalSystem)
RPC: PleaseWriteFileForMe(“C:\Windows\System32\Drivers\pci.sys”, buffer);
*MySrv.exe doesn’t use impersonation (RPC)
RPC CreateFile(WRITE)
9
C:\LogsGdl.log
Bug Example #2 - WriteLogFile()
Gdl.exe(Standard User)
MySrv.exe(LocalSystem)
RPC: WriteLogFile(“Gdl.log”, buffer);
*MySrv.exe doesn’t use impersonation (RPC)
RPC CreateFile(WRITE)
10
C:\LogsGdl.log
Bug Example #2 - WriteLogFile()
Gdl.exe(Standard User)
MySrv.exe(LocalSystem)
RPC: WriteLogFile(“Gdl.log”, buffer);
*MySrv.exe doesn’t use impersonation (RPC)
RPC CreateFile(WRITE)
11
c:\Logs>icacls c:\Logsc:\Logs Everyone:(OI)(CI)(F)
C:\Windows\System32\Cmd.exe
C:\Windows\System32\Driverspci.sys
C:\LogsGdl.log
Bug Example #2 - WriteLogFile()
Gdl.exe(Standard User)
NTFS Hardlink
CreateLink
12
C:\LogsGdl.log
C:\Windows\System32\Driverspci.sys
Gdl.exe(Standard User)
MySrv.exe(LocalSystem)
RPC: WriteLogFile(“Gdl.log”, buffer);
RPC CreateFile(WRITE)
Bug Example #2 - WriteLogFile()
13
NTFS Hardlink
Privileged Filesystem Access Bugs● General definition
○ A privileged component operates on a file (read, write, delete, set-dacl, ..)
○ As LocalSystem (+ no impersonation)
○ File path is controlled, or can be redirected using a link
● Could lead to privilege escalation○ Classic Example- Overwrite an executable file that later runs as LocalSystem
● Disclaimers - ○ Links creation requires running at MediumIL (cannot exploit sandboxes < MediumIL)
○ Windows Insider Preview (WIP) April 2019 - Hardlinks mitigation
14
Windows Error Reporting Overview
15
Gdl.exe(Standard User)
What Happens When a Process Crashes?
XOR RAX, RAXMOV [RAX], 1337h
16
What Happens When a Process Crashes?
Kernelbase!UnhandledExceptionHandler
Kernel32!WerpReportFault
Gdl.exe(Standard User)
XOR RAX, RAXMOV [RAX], 1337h
17
What Happens When a Process Crashes?
Ntdll!SignalStartWerSvc
WNF(WNF_WER_SERVICE_START)
Kernelbase!UnhandledExceptionHandler
Kernel32!WerpReportFault
Gdl.exe(Standard User)
XOR RAX, RAXMOV [RAX], 1337h
svchost.exe(WerSvc)
...
18
What Happens When a Process Crashes?
ALPCGdl.exe(Standard User)
svchost.exe(WerSvc)
19
What Happens When a Process Crashes?
Faultrep!WerpCreateCrashVerticalProcess
WerSvc!CWerService::SvcReportCrash
Kernel32!CreateProcessAsUser
ALPCGdl.exe(Standard User)
svchost.exe(WerSvc)
20
Faultrep!WerpCreateCrashVerticalProcess
WerSvc!CWerService::SvcReportCrash
Kernel32!CreateProcessAsUser
What Happens When a Process Crashes?
ALPCGdl.exe(Standard User)
svchost.exe(WerSvc)
WerFault.exe(Standard User)
21
Parent: Gdl.exeChild: WerFault.exe
What Happens When a Process Crashes?
Gdl.exe(Standard User)
Collect data, exception info, memory dump, ..
22
WerFault.exe(Standard User)
What Happens When a Process Crashes?
Gdl.exe(Standard User)
WerFault.exe(Standard User)
Create Directory
C:\ProgramData\Microsoft\Windows\WER
ReportArchive\
ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\
Temp\
23
What Happens When a Process Crashes?
Gdl.exe(Standard User)
WerFault.exe(Standard User)
C:\ProgramData\Microsoft\Windows\WER
ReportArchive\
ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer ... Temp\
Version=1EventType=WindowsFailureEventType=13133355343ReportType=1..
Create Report File
24
What Happens When a Process Crashes?
Microsoft CloudGdl.exe(Standard User)
WerFault.exe(Standard User)
C:\ProgramData\Microsoft\Windows\WER
ReportArchive\
ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer ... Temp\
Upload Report Data
25
C:\ProgramData\Microsoft\Windows\WER\
ReportArchive\AppCrash_Gdl.exe_A_B_C_D\
Report.wer ... ReportQueue\
Temp\
What Happens When a Process Crashes?
Gdl.exe(Standard User)
WerFault.exe(Standard User)
Move Report Directory
26
C:\ProgramData\Microsoft\Windows\WER
ReportArchive\AppCrash_Gdl.exe_A_B_C_D\
Report.wer ... ReportQueue\
Temp\
C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer
No Internet Connection?● WerFault.exe keeps report directory under ‘ReportQueue’
● At a later time, ‘Windows Error Reporting\QueueReporting’ scheduled task
will report it using ‘WerMgr.exe -upload’
Microsoft Cloud
Wermgr.exe(LocalSystem)
27
Why is WER Prone to Privileged Filesystem Access Bugs?● Many of WER components run as LocalSystem
○ WerSvc.dll, WerMgr.exe, WerFault.exe(?)
● They allow any user to interact with them ○ WerSvc ALPC port -> writable for everyone
○ QueueReporting scheduled task -> can be executed on demand by everyone
○ C:\ProgramData\Microsoft\Windows\WER\.. -> writable for everyone
● LocalSystem components operate on the files under WER directories○ Can be abused using filesytem links
28
Vulnerabilities & Exploits in WER
Vuln #1: WerSvc!CollectMemoryInfo File Overwrite● Warm up bug :)
● CVE-2019-1342
● Can be reached through WerSvc ALPC port
● Impact: overwrite arbitrary files as LocalSystem, content is partially
controlled
30
ALPC
ALPC:MessageIDArgs
Exploit.exe(Standard User)
svchost.exe(WerSvc)
31
ALPC
ALPC:0xF0030002
Exploit.exe(Standard User)
svchost.exe(WerSvc)
32
WerSvc!CollectMemoryInfo
CWerService::DispatchPortRequestWorkItem
ALPCExploit.exe(Standard User)
svchost.exe(WerSvc)
33
WerSvc!CollectMemoryInfo
CWerService::DispatchPortRequestWorkItem
ALPCExploit.exe(Standard User)
svchost.exe(WerSvc)
WerSvc!UtilGetTempFile(OUT &FilePath)
CreateFile
CloseHandle
34
WerTempDirWER120.tmp.txt
WerSvc!CollectMemoryInfo
CWerService::DispatchPortRequestWorkItem
ALPCExploit.exe(Standard User)
svchost.exe(WerSvc)
WerSvc!UtilCollectSystemInfo(FilePath)
CreateFile
WriteFile
35
WerTempDirWER120.tmp.txt
Vulnerable Pattern ...● CreateFile
● CloseFile
● CreateFile
● WriteFile
36
Vulnerable Pattern ...● CreateFile
● CloseFile
● CreateFile
● WriteFile
Create Link
37
ReadDirectoryChanges
Exploit.exe(Standard User)
WerTempDir
38
Exploit.exe(Standard User)
WerSvc!CollectMemoryInfo
CWerService::DispatchPortRequestWorkItem
svchost.exe(WerSvc)
WerTempDir
ALPC
39
ReadDirectoryChanges
Exploit.exe(Standard User)
WerSvc!CollectMemoryInfo
CWerService::DispatchPortRequestWorkItem
svchost.exe(WerSvc)
WerSvc!UtilGetTempFile(OUT &FilePath)
WerTempDirCreateFile
WER280.tmp.txt
ALPC
40
ReadDirectoryChanges
WerTempDirWER280.tmp.txt
Exploit.exe(Standard User)
WerSvc!CollectMemoryInfo
CWerService::DispatchPortRequestWorkItem
svchost.exe(WerSvc)
WerSvc!UtilGetTempFile(OUT &FilePath)
CreateFile
ReadDirectoryChangesNew File is Created!Filename is ‘WER280.tmp.txt”
ALPC
41
WerTempDir
Create Link(Loop)
Exploit.exe(Standard User)
WerSvc!CollectMemoryInfo
CWerService::DispatchPortRequestWorkItem
svchost.exe(WerSvc)
WerSvc!UtilGetTempFile(OUT &FilePath)
NTFS Hardlink
CreateFile
CloseHandle
ALPC
42
C:\Windows\System32\Drivers
pci.sys
WER280.tmp.txt
C:\Windows\System32\Drivers
pci.sys
Exploit.exe(Standard User)
WerSvc!CollectMemoryInfo
CWerService::DispatchPortRequestWorkItem
svchost.exe(WerSvc)
WerSvc!UtilCollectSystemInfo(FilePath)
WerTempDirCreateFile
WriteFile
ALPC
43
WER280.tmp.txtNTFS
Hardlink
C:\Windows\System32\Drivers
pci.sys
WerSvc!CollectMemoryInfo File Overwrite● Spot vulnerability pattern with Sysinternals ProcMon
○ CreateFile twice
● I didn’t exploit this to full privesc exploit○ Requires larger degree of control overwrite content
○ Still enough for MSRC to assign a CVE
44
Vuln #2: WerMgr!PreparePathForDeletion DACL Overwrite
45
Run ‘QueueReporting’ Schedule Task(Can be done from Standard User, MediumIL)
WerMgr.exe(LocalSystem)
46
WerMgr.exe(LocalSystem)
WerMgr!DoCoreUpload
Wer!WerpSubmitReportFromStore
C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer
Enumerate pending reports
47
C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer
WerMgr.exe(LocalSystem)
WerMgr!DoCoreUpload
Wer!WerpSubmitReportFromStoreRead, parse
48
C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer
WerMgr.exe(LocalSystem)
WerMgr!DoCoreUpload
Wer!WerpSubmitReportFromStoreRead, parse
Version=MALFORMED13371337EventType=WindowsFailureReportType=1345234234234======33432234===234 MALFORMED-REPORT
49
C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer
WerMgr.exe(LocalSystem)
WerMgr!DoCoreUpload
Wer!WerpSubmitReportFromStore
WerMgr!UtilRecursiveRemoveDirectory
50
C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer
WerMgr.exe(LocalSystem)
WerMgr!DoCoreUpload
Wer!WerpSubmitReportFromStore
WerMgr!UtilRecursiveRemoveDirectory WerMgr!PreparePathForDeletion(FilePath)
51
For each file ..
Int64 PreparePathForDeletion(WCHAR* FilePath) {
} 52
Int64 PreparePathForDeletion(WCHAR* FilePath) { PSECURITY_DESCRIPTOR SD = NULL; … // Read DACL to memory GetFileSecurity(FilePath, DACL_SECURITY_INFO, SD);
} 53
Int64 PreparePathForDeletion(WCHAR* FilePath) { PSECURITY_DESCRIPTOR SD = NULL; … // Read DACL to memory GetFileSecurity(FilePath, DACL_SECURITY_INFO, SD); // Add Delete Permissions … SetEntriesInAcl(...); // DACL = Orig + Delete for System ... SetSecurityDesciptorDacl(SD, …);
}54
Int64 PreparePathForDeletion(WCHAR* FilePath) { PSECURITY_DESCRIPTOR SD = NULL; … // Read DACL to memory GetFileSecurity(FilePath, DACL_SECURITY_INFO, SD); // Add Delete Permissions … SetEntriesInAcl(...); ... SetSecurityDesciptorDacl(SD, …);
// Apply the modified DACL SetFileSecurity(FilePath, DACL_SECURITY_INFO, SD); …}
55
Int64 PreparePathForDeletion(WCHAR* FilePath) { PSECURITY_DESCRIPTOR SD = NULL; … // Read DACL to memory GetFileSecurity(FilePath, DACL_SECURITY_INFO, SD);
SetFileSecurity(FilePath, DACL_SECURITY_INFO, SD); …} 56
C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer
Version=MALFORMED13371337EventType=WindowsFailureReportType=1345234234234======33432234===234 MALFORMED-REPORT
57
Exploit.exe(Standard User)
Exploit.exe(Standard User)
Run ‘QueueReporting’ Scheduled Task
WerMgr.exe(LocalSystem)
58
C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer
C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer
Version=MALFORMED13371337EventType=WindowsFailureReportType=1345234234234======33432234===234 MALFORMED-REPORT
WerMgr.exe(LocalSystem)
Read corrupted report
59
Exploit.exe(Standard User)
C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer
WerMgr.exe(LocalSystem)
GetFileSecurity(“.. AppCrash_Gdl.exe_A_B_C_D\Report.wer”, &Dacl);
60
Exploit.exe(Standard User)
C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer
WerMgr.exe(LocalSystem)
C:\Windows\System32\Driverspci.sys
Create Link
NTFS Hardlink
61
Exploit.exe(Standard User)
C:\Windows\System32\Driverspci.sys
C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer
WerMgr.exe(LocalSystem) NewDacl = Everyone + LocalSystem Delete
62
Exploit.exe(Standard User)
NTFS Hardlink
C:\Windows\System32\Driverspci.sys
C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer
WerMgr.exe(LocalSystem)
63
SetFileSecurity(“...Report.wer”, NewDacl);
Exploit.exe(Standard User)
NTFS Hardlink
C:\Windows\System32\Driverspci.sys
CreateFile(W), WriteFile, ..
64
Exploit.exe(Standard User)
WerMgr DACL Overwrite ● Does WerMgr.exe later delete ‘pci.sys’?
○ No - WerMgr.exe checks if it is a link before deleting the file
○ No - Hardlinks don’t work that way (more about that later)
● Is it hard to win the race condition?○ Yes!
○ But .. You can try for many times until it works (few seconds up to ~5 minutes)
● To get privesc, what file should we target?○ DLL that later gets loaded by a System process
○ Technique by James Forshaw of GPZ
■ https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html
65
Vuln #3: Wer!WerpCleanWer Arbitrary File Deletion● CVE-2019-1037
● wer.dll (common utils used by all WER components)
● Impact: delete any file you want as LocalSystem
66
How to Exploit File Deletion Bugs?
67
Gdl.exe(Standard User)
C:\Program Files\MyAppGdl.dll
C:\LogsGdl.log
Create Link
● File deletion bugs cannot be exploited using NTFS hardlinks
NTFS Hardlink
C:\Logs C:\Program Files\MyApp
How to Exploit File Deletion Bugs?
68
Gdl.dllGdl.log
MySrv.exe:DeleteFile(“C:\Logs\Gdl.log”)
NTFS Hardlink
● File deletion bugs cannot be exploited using NTFS hardlinks
DeleteFileMySrv.exe(LocalSystem)
How to Exploit File Deletion Bugs?
69
C:\Program Files\MyAppGdl.dll
C:\Logs
● File deletion bugs cannot be exploited using NTFS hardlinks
DeleteFileMySrv.exe(LocalSystem)
MySrv.exe:DeleteFile(“C:\Logs\Gdl.log”)
How to Exploit File Deletion Bugs?
70
C:\Program Files\MyAppGdl.dll
C:\Logs
● File deletion bugs cannot be exploited using NTFS hardlinks
● Hardlinks are like “giving one file multiple names”○ If you delete “one name”, you don’t delete the others
● Use other links primitive to exploit deletion bugs - directory junctions
DeleteFileMySrv.exe(LocalSystem)
MySrv.exe:DeleteFile(“C:\Logs\Gdl.log”)
Junctions● “Symlinks“ between directories
71
Gdl.exe(Standard User)
C:\Program Files\MyAppGdl.dll
C:\Logs
Gdl.exe:Create Junction “C:\Logs” => “C:\Program Files\MyApp”
Create Junction Junction
● DeleteFile(‘C:\Logs\Gdl.dll’) => ‘C:\Program Files\MyApp\Gdl.dll’
Junctions
72
C:\Program Files\MyAppGdl.dll
C:\Logs
MySrv.exe:DeleteFile(“C:\Logs\Gdl.dll”)
DeleteFileMySrv.exe(LocalSystem)
Junction
● DeleteFile(‘C:\Logs\Gdl.dll’) => ‘C:\Program Files\MyApp\Gdl.dll’
● Path rewrite at directory level○ ‘C:\Logs’ => ‘C:\Program Files\MyApp’
Junctions
73
C:\Program Files\MyAppGdl.dll
C:\LogsDeleteFileMySrv.exe(LocalSystem)
MySrv.exe:DeleteFile(“C:\Logs\Gdl.dll”)
Junction
Junctions Creation Requirements● To create a junction, the source directory (C:\Logs) must be-
○ Writable
○ Empty
○ No open handles
74
Gdl.exe(Standard User)
C:\Program Files\MyAppGdl.dll
C:\LogsCreate Junction Junction
CVE-2019-1037
Run ‘QueueReporting’ Scheduled Task(Can be done from Medium integrity)
75
WerMgr.exe(LocalSystem)
CVE-2019-1037
WerMgr!WinMain
Wer!WerpCleanWer
76
Run ‘QueueReporting’ Scheduled Task(Can be done from Medium integrity)
WerMgr.exe(LocalSystem)
CVE-2019-1037
77
WerMgr!WinMain
Wer!WerpCleanWer
WerMgr.exe(LocalSystem)
Wer!WerpCleanWer deletes all old files in ‘C:\ProgramData\Microsoft\Windows\WER\Temp’ directory.
Int64 WerpCleanWer(void) {LPFILETIME CurrentTime = NULL;CString* TempDirPath;UtilGetPathOfWERTempDirectory(&TempDirectoryPath);
}
78
Int64 WerpCleanWer(void) {LPFILETIME CurrentTime = NULL;CString* TempDirPath;UtilGetPathOfWERTempDirectory(&TempDirectoryPath);GetSystemTimeAsFileTime(&CurrentTime);
}
79
Int64 WerpCleanWer(void) {LPFILETIME CurrentTime = NULL;CString* TempDirPath;UtilGetPathOfWERTempDirectory(&TempDirectoryPath);GetSystemTimeAsFileTime(&CurrentTime);UtilPruneFolderOfOldFiles(TempDirPath, CurrentTime);
}
80
Int64 WerpCleanWer(void) {LPFILETIME CurrentTime = NULL;CString* TempDirPath;UtilGetPathOfWERTempDirectory(&TempDirectoryPath);GetSystemTimeAsFileTime(&CurrentTime);UtilPruneFolderOfOldFiles(TempDirPath, CurrentTime);
}Int64 UtilPruneFolderOfOldFiles(TempDirPath, CurrentTime) {
WIN32_FIND_DATA FileData;EnumHandle = FindFirstFile(TempDirPath.., &FileData);do {
} while (FindNextFile(EnumHandle, &FileData);} 81
Int64 WerpCleanWer(void) {LPFILETIME CurrentTime = NULL;CString* TempDirPath;UtilGetPathOfWERTempDirectory(&TempDirectoryPath);GetSystemTimeAsFileTime(&CurrentTime);UtilPruneFolderOfOldFiles(TempDirPath, CurrentTime);
}Int64 UtilPruneFolderOfOldFiles(TempDirPath, CurrentTime) {
WIN32_FIND_DATA FileData;EnumHandle = FindFirstFile(TempDirPath.., &FileData);do {
If ( .. Path is a file, and LastWriteTime is old enough .. ) {DeleteFile(..FileData.cFileName);
}} while (FindNextFile(EnumHandle, &FileData);
} 82
Int64 WerpCleanWer(void) {LPFILETIME CurrentTime = NULL;CString* TempDirPath;UtilGetPathOfWERTempDirectory(&TempDirectoryPath);GetSystemTimeAsFileTime(&CurrentTime);UtilPruneFolderOfOldFiles(TempDirPath, CurrentTime);
}Int64 UtilPruneFolderOfOldFiles(TempDirPath, CurrentTime) {
WIN32_FIND_DATA FileData;EnumHandle = FindFirstFile(TempDirPath.., &FileData);do {
If ( .. Path is a file, and LastWriteTime is old enough .. ) {DeleteFile(..FileData.cFileName);
}} while (FindNextFile(EnumHandle, &FileData);
} 83
Exploiting CVE-2019-1037● Create a junction between WerTempDir => ‘C:\Program Files\MyApp’
● Run ‘QueueReporting’ scheduled task
● All the old files in ‘MyApp’ directory will be deleted!
84
WerMgr.exe(LocalSystem) WerTempDir C:\Program Files\MyApp
App.exeGdl.dll...
Junction
Wer!UtilPruneFolderOfOldFiles
CVE-2019-1037 - Can We Improve the Exploit?● What if want to delete only a single file?
● That is not old enough …?
● Open the possibility for DLL-hijacking attack○ LoadLibrary search order
85
C:\Program Files\MyAppApp.exeGdl.dll...
86
Exploit.exe(Standard User)
C:\Program Files\MyAppApp.exeGdl.dll...
87
Exploit.exe(Standard User)
C:\Program Files\MyAppApp.exeGdl.dll...
C:\MyDirA.txtGdl.dll
Create directory & files
88
Exploit.exe(Standard User)
C:\Program Files\MyAppApp.exeGdl.dll...
C:\MyDirA.txtGdl.dll
Modify the files LastWriteTime using kernel32!SetFileTime
89
Exploit.exe(Standard User)
C:\Program Files\MyAppApp.exeGdl.dll...
C:\MyDirA.txtGdl.dll
WerMgr.exe(LocalSystem)
Run ‘QueueReporting’ Scheduled Task
90
Exploit.exe(Standard User)
C:\Program Files\MyAppApp.exeGdl.dll...
C:\MyDirA.txtGdl.dll
WerMgr.exe(LocalSystem)
Wer!UtilGetPathOfWERTempDirectory
WerTempDir
91
Exploit.exe(Standard User)
C:\Program Files\MyAppApp.exeGdl.dll...
C:\MyDirA.txtGdl.dllCreate Junction
WerMgr.exe(LocalSystem)
WerTempDir Junction
92
Exploit.exe(Standard User)
C:\Program Files\MyAppApp.exeGdl.dll...
C:\MyDirA.txtGdl.dll
WerMgr.exe(LocalSystem)
WerTempDir
Wer!UtilPruneFolderOfOldFiles
FindFirstFile(WerTempDir)FindNextFile(Handle to C:\MyDir)
Junction
93
Exploit.exe(Standard User)
C:\Program Files\MyAppApp.exeGdl.dll...
C:\MyDirA.txtGdl.dll
WerMgr.exe(LocalSystem)
WerTempDir Junction
Wer!UtilPruneFolderOfOldFiles
C:\MyDir\A.txt’s LastWriteTime is old enough!It will be deleted
DeleteFile(“WerTempDir\A.txt”)
94
Exploit.exe(Standard User)
C:\Program Files\MyAppApp.exeGdl.dll...
C:\MyDirA.txtGdl.dll
WerMgr.exe(LocalSystem)
WerTempDir
Switch Junction
Switch junction from WerTemp=>MyDir to WerTempDir => C:\Program Files\MyApp
WerTempDir is writable & empty~!No open handle to WerTempDir!
Junction
95
Exploit.exe(Standard User)
C:\Program Files\MyAppApp.exeGdl.dll...
C:\MyDirGdl.dll
WerMgr.exe(LocalSystem)
Wer!UtilPruneFolderOfOldFiles
FindFirstFile/FindNextFile doesn’t reopen WerTempDir
‘C:\MyDir\Gdl.dll’ LastWriteTime is old enough!
FindNextFile => C:\MyDir\Gdl.dll(Handle to C:\MyDir)
96
Exploit.exe(Standard User)
C:\Program Files\MyAppApp.exeGdl.dll...
C:\MyDirGdl.dll
WerMgr.exe(LocalSystem)
WerTempDir
Junction
Wer!UtilPruneFolderOfOldFiles
DeleteFile(“WerTempDir\Gdl.dll”)
Is There a Better Way to Win the Race?● Exploit works, but we need to switch the junction at the right time
● Use Opportunistic Locks○ Locking files for access
○ Used for caching
■ Make sure no other entity access outdated data
97
Oplocks
98
C:\LogsGdl.log
Oplock
File, Event
Gdl.exe(Standard User)
Oplocks
99
C:\LogsGdl.log
OplockGdl.exe(Standard User)
MySrv.exe(LocalSystem)
CreateFile*Blocked
Oplocks
100
C:\LogsGdl.log
OplockGdl.exe(Standard User)
MySrv.exe(LocalSystem)
CreateFile*Blocked
Oplock event is set!
Oplocks
101
C:\LogsGdl.log
CloseHandleGdl.exe(Standard User)
MySrv.exe(LocalSystem)
CreateFile*Blocked
Oplocks
102
C:\LogsGdl.logGdl.exe
(Standard User)MySrv.exe
(LocalSystem)
CreateFilereturns
Oplocks● Great feature for exploiting filesystem race conditions
○ Blocks CreateFile
○ Notifies CreateFile occured by signaling an event
103
C:\LogsGdl.log
OplockGdl.exe(Standard User)
MySrv.exe(LocalSystem)
CreateFile*Blocked
Oplock event is set!
CVE-2019-1037 Exploit (w/ Oplock)
104
Exploit.exe(Standard User)
C:\MyDirA.txtGdl.dll
Set Oplock on ‘C:\MyDir\A.txt’
CVE-2019-1037 Exploit (w/ Oplock)
105
Exploit.exe(Standard User)
C:\MyDirA.txtGdl.dll
Exploit.exe(Standard User)
C:\Program Files\MyAppApp.exeGdl.dll...
C:\MyDirA.txtGdl.dll
WerMgr.exe(LocalSystem)
WerTempDir
Wer!UtilPruneFolderOfOldFiles
DeleteFile(“WerTempDir\A.txt”)
Junction
CVE-2019-1037 Exploit (w/ Oplock)
106
Exploit.exe(Standard User)
C:\MyDirA.txtGdl.dll
Oplock event is set!Exploit.exe(Standard User)
C:\Program Files\MyAppApp.exeGdl.dll...
C:\MyDirA.txtGdl.dll
WerMgr.exe(LocalSystem)
WerTempDir Junction
Wer!UtilPruneFolderOfOldFiles
DeleteFile(“WerTempDir\A.txt”)
Suspended
CVE-2019-1037 Exploit (w/ Oplock)
107
Exploit.exe(Standard User)
C:\MyDirA.txtGdl.dll
Exploit.exe(Standard User)
C:\Program Files\MyAppApp.exeGdl.dll...
C:\MyDirA.txtGdl.dll
WerMgr.exe(LocalSystem)
WerTempDir
Wer!UtilPruneFolderOfOldFiles
DeleteFile(“WerTempDir\A.txt”)
Switch Junction
Switch the junctions while WerMgr.exe is waiting
Suspended
Junction
CVE-2019-1037 Exploit (w/ Oplock)
108
Exploit.exe(Standard User)
C:\MyDirA.txtGdl.dll
Exploit.exe(Standard User)
C:\Program Files\MyAppApp.exeGdl.dll...
C:\MyDirGdl.dll
WerMgr.exe(LocalSystem)
WerTempDir
Wer!UtilPruneFolderOfOldFiles
DeleteFile(“WerTempDir\Gdl.dll”)Junction
Close the handle to ‘A.txt’ and release WerMgr.exe
Resumed
Conclusion● WER is a great place to look for privesc bugs
● When researching this bug class ProcMon is your friend :)
● I discovered more vulnerabilities in WER○ More info will be published in PaloAltoNetworks Unit42 blog, stay tuned!
● Thanks James Forshaw
109
@galdeleon