Platform: Windows 7 32/64 bit, Windows 8+ not vulnerable
Class: Security Bypass

The system call NtPowerInformation performs a check that the caller is an administrator before performing some specific power functions. The check is done in the PopUserIsAdmin function. The rough implementation is:

BOOLEAN PopUserIsAdmin() {
  SECURITY_SUBJECT_CONTEXT ctx;

  SeCaptureSecurityContext(&ctx);

  return SeTokenIsAdmin(SeQuerySubjectContextToken(&ctx));
}

On Windows 7 this check is bypassable because the SeTokenIsAdmin function doesn't take into account the impersonation level of the token and the rest of the code also doesn't take it into account. Therefore you can impersonate an administrator's token as a normal user (through linked token or kidnapping a system token) and call the protected functions. On Windows 8+ the SeTokenIsAdmin method has been changed to check for the impersonation level so it's not vulnerable.

It isn't clear if this has a serious security impact or not, therefore it's being disclosed as is. Some functions are also checked by a privilege check, however the subject context is captured separately so there exists a TOCTOU window between checks which could be exploited. For PoC purposes I've chosen to use function 45 "PopRequestPowerListInfo" (which doesn't require any special tricks. Also this function has a theoretical integer overflow vulnerability depending on how much you can push the size of PopPowerRequestObjectCount. 

Attached is a simple PoC which demonstrates the issue for execution on Windows 7. To reproduce follow the steps.

1) Ensure running as a split token administrator, this is because the PoC uses the linked token to get an administrator token. For a normal user you could just capture a token from a service.
2) Execute the PoC, it should do calls, one without impersonation and one with.

Expected Result:
Both calls should return STATUS_ACCESS_DENIED (0xC0000022)

Observed Result:
First check fails with STATUS_ACCESS_DENIED while second succeeds with STATUS_SUCCESS.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

 

Poc_NtPowerInformation_AdminBypass.cpp 1.0 KB Download

Poc_NtPowerInformation_AdminBypass.exe 13.5 KB Download