exploiting errors in windows error reporting€¦ · wermgr dacl overwrite does wermgr.exe later...

Exploiting Errors in Windows Error ReportingGal De Leon (@galdeleon)BlueHatIL 2020

Who am I?● Gal De Leon

● Principal security researcher @ PaloAltoNetworks Anti-Exploit Team

● Interested in fuzzing, vulnerabilities, exploits and mitigations

● MSRC MVSR 10th place 2018 & 2019○ ~35 vulnerabilities

2

Agenda● What are privileged filesystem access bugs?

● Overview of Windows Error Reporting

● Vulnerabilities & exploits in WER

3

File Access

CreateFile(WRITE)Gdl.exe(Standard User)

C:\Windows\System32\Driverspci.sys

4

C:\Windows\System32\Drivers

File Access

5


C:\Users\gdeleon>icacls c:\Windows\System32\drivers\pci.sysc:\Windows\System32\drivers\pci.sys NT SERVICE\TrustedInstaller:(F) NT AUTHORITY\SYSTEM:(F) BUILTIN\Users:(RX)

C:\Windows\System32\Cmd.exe

pci.sys

File Access

ACCESS_DENIED

6





File Access

7

CreateFile(WRITE)MySrv.exe(LocalSystem)




Privileged Filesystem Access Bugs

● Ask a privileged component (service, driver, etc) to access a file for us,

that we couldn’t access otherwise

8


Bug Example #1 - PleaseWriteFileForMe()

Gdl.exe(Standard User)

MySrv.exe(LocalSystem)

RPC: PleaseWriteFileForMe(“C:\Windows\System32\Drivers\pci.sys”, buffer);

*MySrv.exe doesn’t use impersonation (RPC)

RPC CreateFile(WRITE)

9

C:\LogsGdl.log

Bug Example #2 - WriteLogFile()



RPC: WriteLogFile(“Gdl.log”, buffer);



10

C:\LogsGdl.log







11

c:\Logs>icacls c:\Logsc:\Logs Everyone:(OI)(CI)(F)



C:\LogsGdl.log



NTFS Hardlink

CreateLink

12

C:\LogsGdl.log







13

NTFS Hardlink

Privileged Filesystem Access Bugs● General definition

○ A privileged component operates on a file (read, write, delete, set-dacl, ..)

○ As LocalSystem (+ no impersonation)

○ File path is controlled, or can be redirected using a link

● Could lead to privilege escalation○ Classic Example- Overwrite an executable file that later runs as LocalSystem

● Disclaimers - ○ Links creation requires running at MediumIL (cannot exploit sandboxes < MediumIL)

○ Windows Insider Preview (WIP) April 2019 - Hardlinks mitigation

14

Windows Error Reporting Overview

15


What Happens When a Process Crashes?

XOR RAX, RAXMOV [RAX], 1337h

16


Kernelbase!UnhandledExceptionHandler

Kernel32!WerpReportFault



17


Ntdll!SignalStartWerSvc

WNF(WNF_WER_SERVICE_START)

Kernelbase!UnhandledExceptionHandler

Kernel32!WerpReportFault



svchost.exe(WerSvc)

...

18


ALPCGdl.exe(Standard User)

svchost.exe(WerSvc)

19


Faultrep!WerpCreateCrashVerticalProcess

WerSvc!CWerService::SvcReportCrash

Kernel32!CreateProcessAsUser


svchost.exe(WerSvc)

20

Faultrep!WerpCreateCrashVerticalProcess

WerSvc!CWerService::SvcReportCrash

Kernel32!CreateProcessAsUser



svchost.exe(WerSvc)

WerFault.exe(Standard User)

21

Parent: Gdl.exeChild: WerFault.exe



Collect data, exception info, memory dump, ..

22





Create Directory

C:\ProgramData\Microsoft\Windows\WER

ReportArchive\

ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\

Temp\

23





ReportArchive\

ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer ... Temp\

Version=1EventType=WindowsFailureEventType=13133355343ReportType=1..

Create Report File

24


Microsoft CloudGdl.exe(Standard User)



ReportArchive\

ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer ... Temp\

Upload Report Data

25

C:\ProgramData\Microsoft\Windows\WER\

ReportArchive\AppCrash_Gdl.exe_A_B_C_D\

Report.wer ... ReportQueue\

Temp\




Move Report Directory

26


ReportArchive\AppCrash_Gdl.exe_A_B_C_D\

Report.wer ... ReportQueue\

Temp\

C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer

No Internet Connection?● WerFault.exe keeps report directory under ‘ReportQueue’

● At a later time, ‘Windows Error Reporting\QueueReporting’ scheduled task

will report it using ‘WerMgr.exe -upload’

Microsoft Cloud

Wermgr.exe(LocalSystem)

27

Why is WER Prone to Privileged Filesystem Access Bugs?● Many of WER components run as LocalSystem

○ WerSvc.dll, WerMgr.exe, WerFault.exe(?)

● They allow any user to interact with them ○ WerSvc ALPC port -> writable for everyone

○ QueueReporting scheduled task -> can be executed on demand by everyone

○ C:\ProgramData\Microsoft\Windows\WER\.. -> writable for everyone

● LocalSystem components operate on the files under WER directories○ Can be abused using filesytem links

28

Vulnerabilities & Exploits in WER

Vuln #1: WerSvc!CollectMemoryInfo File Overwrite● Warm up bug :)

● CVE-2019-1342

● Can be reached through WerSvc ALPC port

● Impact: overwrite arbitrary files as LocalSystem, content is partially

controlled

30

ALPC

ALPC:MessageIDArgs

Exploit.exe(Standard User)

svchost.exe(WerSvc)

31

ALPC

ALPC:0xF0030002


svchost.exe(WerSvc)

32

WerSvc!CollectMemoryInfo

CWerService::DispatchPortRequestWorkItem

ALPCExploit.exe(Standard User)

svchost.exe(WerSvc)

33




svchost.exe(WerSvc)

WerSvc!UtilGetTempFile(OUT &FilePath)

CreateFile

CloseHandle

34

WerTempDirWER120.tmp.txt




svchost.exe(WerSvc)

WerSvc!UtilCollectSystemInfo(FilePath)

CreateFile

WriteFile

35


Vulnerable Pattern ...● CreateFile

● CloseFile

● CreateFile

● WriteFile

36

Vulnerable Pattern ...● CreateFile

● CloseFile

● CreateFile

● WriteFile

Create Link

37

ReadDirectoryChanges


WerTempDir

38




svchost.exe(WerSvc)

WerTempDir

ALPC

39





svchost.exe(WerSvc)


WerTempDirCreateFile

WER280.tmp.txt

ALPC

40






svchost.exe(WerSvc)


CreateFile

ReadDirectoryChangesNew File is Created!Filename is ‘WER280.tmp.txt”

ALPC

41

WerTempDir

Create Link(Loop)




svchost.exe(WerSvc)


NTFS Hardlink

CreateFile

CloseHandle

ALPC

42


pci.sys

WER280.tmp.txt


pci.sys




svchost.exe(WerSvc)

WerSvc!UtilCollectSystemInfo(FilePath)

WerTempDirCreateFile

WriteFile

ALPC

43

WER280.tmp.txtNTFS

Hardlink


pci.sys

WerSvc!CollectMemoryInfo File Overwrite● Spot vulnerability pattern with Sysinternals ProcMon

○ CreateFile twice

● I didn’t exploit this to full privesc exploit○ Requires larger degree of control overwrite content

○ Still enough for MSRC to assign a CVE

44

Vuln #2: WerMgr!PreparePathForDeletion DACL Overwrite

45

Run ‘QueueReporting’ Schedule Task(Can be done from Standard User, MediumIL)

WerMgr.exe(LocalSystem)

46


WerMgr!DoCoreUpload

Wer!WerpSubmitReportFromStore


Enumerate pending reports

47



WerMgr!DoCoreUpload

Wer!WerpSubmitReportFromStoreRead, parse

48



WerMgr!DoCoreUpload

Wer!WerpSubmitReportFromStoreRead, parse

Version=MALFORMED13371337EventType=WindowsFailureReportType=1345234234234======33432234===234 MALFORMED-REPORT

49



WerMgr!DoCoreUpload


WerMgr!UtilRecursiveRemoveDirectory

50



WerMgr!DoCoreUpload


WerMgr!UtilRecursiveRemoveDirectory WerMgr!PreparePathForDeletion(FilePath)

51

For each file ..

Int64 PreparePathForDeletion(WCHAR* FilePath) {

} 52

Int64 PreparePathForDeletion(WCHAR* FilePath) { PSECURITY_DESCRIPTOR SD = NULL; … // Read DACL to memory GetFileSecurity(FilePath, DACL_SECURITY_INFO, SD);

} 53

Int64 PreparePathForDeletion(WCHAR* FilePath) { PSECURITY_DESCRIPTOR SD = NULL; … // Read DACL to memory GetFileSecurity(FilePath, DACL_SECURITY_INFO, SD); // Add Delete Permissions … SetEntriesInAcl(...); // DACL = Orig + Delete for System ... SetSecurityDesciptorDacl(SD, …);

}54

Int64 PreparePathForDeletion(WCHAR* FilePath) { PSECURITY_DESCRIPTOR SD = NULL; … // Read DACL to memory GetFileSecurity(FilePath, DACL_SECURITY_INFO, SD); // Add Delete Permissions … SetEntriesInAcl(...); ... SetSecurityDesciptorDacl(SD, …);

// Apply the modified DACL SetFileSecurity(FilePath, DACL_SECURITY_INFO, SD); …}

55

Int64 PreparePathForDeletion(WCHAR* FilePath) { PSECURITY_DESCRIPTOR SD = NULL; … // Read DACL to memory GetFileSecurity(FilePath, DACL_SECURITY_INFO, SD);

SetFileSecurity(FilePath, DACL_SECURITY_INFO, SD); …} 56



57



Run ‘QueueReporting’ Scheduled Task


58





Read corrupted report

59




GetFileSecurity(“.. AppCrash_Gdl.exe_A_B_C_D\Report.wer”, &Dacl);

60





Create Link

NTFS Hardlink

61




WerMgr.exe(LocalSystem) NewDacl = Everyone + LocalSystem Delete

62


NTFS Hardlink




63

SetFileSecurity(“...Report.wer”, NewDacl);


NTFS Hardlink


CreateFile(W), WriteFile, ..

64


WerMgr DACL Overwrite ● Does WerMgr.exe later delete ‘pci.sys’?

○ No - WerMgr.exe checks if it is a link before deleting the file

○ No - Hardlinks don’t work that way (more about that later)

● Is it hard to win the race condition?○ Yes!

○ But .. You can try for many times until it works (few seconds up to ~5 minutes)

● To get privesc, what file should we target?○ DLL that later gets loaded by a System process

○ Technique by James Forshaw of GPZ

■ https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html

65

https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html

Vuln #3: Wer!WerpCleanWer Arbitrary File Deletion● CVE-2019-1037

● wer.dll (common utils used by all WER components)

● Impact: delete any file you want as LocalSystem

66

How to Exploit File Deletion Bugs?

67


C:\Program Files\MyAppGdl.dll

C:\LogsGdl.log

Create Link

● File deletion bugs cannot be exploited using NTFS hardlinks

NTFS Hardlink

C:\Logs C:\Program Files\MyApp


68

Gdl.dllGdl.log

MySrv.exe:DeleteFile(“C:\Logs\Gdl.log”)

NTFS Hardlink


DeleteFileMySrv.exe(LocalSystem)


69


C:\Logs





70


C:\Logs


● Hardlinks are like “giving one file multiple names”○ If you delete “one name”, you don’t delete the others

● Use other links primitive to exploit deletion bugs - directory junctions



Junctions● “Symlinks“ between directories

71



C:\Logs

Gdl.exe:Create Junction “C:\Logs” => “C:\Program Files\MyApp”

Create Junction Junction

● DeleteFile(‘C:\Logs\Gdl.dll’) => ‘C:\Program Files\MyApp\Gdl.dll’

Junctions

72


C:\Logs

MySrv.exe:DeleteFile(“C:\Logs\Gdl.dll”)


Junction

● DeleteFile(‘C:\Logs\Gdl.dll’) => ‘C:\Program Files\MyApp\Gdl.dll’

● Path rewrite at directory level○ ‘C:\Logs’ => ‘C:\Program Files\MyApp’

Junctions

73


C:\LogsDeleteFileMySrv.exe(LocalSystem)

MySrv.exe:DeleteFile(“C:\Logs\Gdl.dll”)

Junction

Junctions Creation Requirements● To create a junction, the source directory (C:\Logs) must be-

○ Writable

○ Empty

○ No open handles

74



C:\LogsCreate Junction Junction

CVE-2019-1037

Run ‘QueueReporting’ Scheduled Task(Can be done from Medium integrity)

75


CVE-2019-1037

WerMgr!WinMain

Wer!WerpCleanWer

76

Run ‘QueueReporting’ Scheduled Task(Can be done from Medium integrity)


CVE-2019-1037

77

WerMgr!WinMain

Wer!WerpCleanWer


Wer!WerpCleanWer deletes all old files in ‘C:\ProgramData\Microsoft\Windows\WER\Temp’ directory.

Int64 WerpCleanWer(void) {LPFILETIME CurrentTime = NULL;CString* TempDirPath;UtilGetPathOfWERTempDirectory(&TempDirectoryPath);

}

78

Int64 WerpCleanWer(void) {LPFILETIME CurrentTime = NULL;CString* TempDirPath;UtilGetPathOfWERTempDirectory(&TempDirectoryPath);GetSystemTimeAsFileTime(&CurrentTime);

}

79

Int64 WerpCleanWer(void) {LPFILETIME CurrentTime = NULL;CString* TempDirPath;UtilGetPathOfWERTempDirectory(&TempDirectoryPath);GetSystemTimeAsFileTime(&CurrentTime);UtilPruneFolderOfOldFiles(TempDirPath, CurrentTime);

}

80


}Int64 UtilPruneFolderOfOldFiles(TempDirPath, CurrentTime) {

WIN32_FIND_DATA FileData;EnumHandle = FindFirstFile(TempDirPath.., &FileData);do {

} while (FindNextFile(EnumHandle, &FileData);} 81




If ( .. Path is a file, and LastWriteTime is old enough .. ) {DeleteFile(..FileData.cFileName);

}} while (FindNextFile(EnumHandle, &FileData);

} 82




If ( .. Path is a file, and LastWriteTime is old enough .. ) {DeleteFile(..FileData.cFileName);

}} while (FindNextFile(EnumHandle, &FileData);

} 83

Exploiting CVE-2019-1037● Create a junction between WerTempDir => ‘C:\Program Files\MyApp’

● Run ‘QueueReporting’ scheduled task

● All the old files in ‘MyApp’ directory will be deleted!

84

WerMgr.exe(LocalSystem) WerTempDir C:\Program Files\MyApp

App.exeGdl.dll...

Junction

Wer!UtilPruneFolderOfOldFiles

CVE-2019-1037 - Can We Improve the Exploit?● What if want to delete only a single file?

● That is not old enough …?

● Open the possibility for DLL-hijacking attack○ LoadLibrary search order

85

C:\Program Files\MyAppApp.exeGdl.dll...

86



87



C:\MyDirA.txtGdl.dll

Create directory & files

88




Modify the files LastWriteTime using kernel32!SetFileTime

89





Run ‘QueueReporting’ Scheduled Task

90





Wer!UtilGetPathOfWERTempDirectory

WerTempDir

91



C:\MyDirA.txtGdl.dllCreate Junction


WerTempDir Junction

92





WerTempDir


FindFirstFile(WerTempDir)FindNextFile(Handle to C:\MyDir)

Junction

93





WerTempDir Junction


C:\MyDir\A.txt’s LastWriteTime is old enough!It will be deleted

DeleteFile(“WerTempDir\A.txt”)

94





WerTempDir

Switch Junction

Switch junction from WerTemp=>MyDir to WerTempDir => C:\Program Files\MyApp

WerTempDir is writable & empty~!No open handle to WerTempDir!

Junction

95



C:\MyDirGdl.dll



FindFirstFile/FindNextFile doesn’t reopen WerTempDir

‘C:\MyDir\Gdl.dll’ LastWriteTime is old enough!

FindNextFile => C:\MyDir\Gdl.dll(Handle to C:\MyDir)

96



C:\MyDirGdl.dll


WerTempDir

Junction


DeleteFile(“WerTempDir\Gdl.dll”)

Is There a Better Way to Win the Race?● Exploit works, but we need to switch the junction at the right time

● Use Opportunistic Locks○ Locking files for access

○ Used for caching

■ Make sure no other entity access outdated data

97

Oplocks

98

C:\LogsGdl.log

Oplock

File, Event


Oplocks

99

C:\LogsGdl.log

OplockGdl.exe(Standard User)


CreateFile*Blocked

Oplocks

100

C:\LogsGdl.log



CreateFile*Blocked

Oplock event is set!

Oplocks

101

C:\LogsGdl.log

CloseHandleGdl.exe(Standard User)


CreateFile*Blocked

Oplocks

102

C:\LogsGdl.logGdl.exe

(Standard User)MySrv.exe

(LocalSystem)

CreateFilereturns

Oplocks● Great feature for exploiting filesystem race conditions

○ Blocks CreateFile

○ Notifies CreateFile occured by signaling an event

103

C:\LogsGdl.log



CreateFile*Blocked

Oplock event is set!

CVE-2019-1037 Exploit (w/ Oplock)

104



Set Oplock on ‘C:\MyDir\A.txt’


105







WerTempDir



Junction


106



Oplock event is set!Exploit.exe(Standard User)




WerTempDir Junction



Suspended


107







WerTempDir



Switch Junction

Switch the junctions while WerMgr.exe is waiting

Suspended

Junction


108





C:\MyDirGdl.dll


WerTempDir


DeleteFile(“WerTempDir\Gdl.dll”)Junction

Close the handle to ‘A.txt’ and release WerMgr.exe

Resumed

Conclusion● WER is a great place to look for privesc bugs

● When researching this bug class ProcMon is your friend :)

● I discovered more vulnerabilities in WER○ More info will be published in PaloAltoNetworks Unit42 blog, stay tuned!

● Thanks James Forshaw

109

@galdeleon

exploiting errors in windows error reporting€¦ · wermgr dacl overwrite does wermgr.exe later...

Documents