Windows: Impersonation Check Bypass with MRXDAV
Reported by forshaw@google.com (Project Member), Oct 24 2014
Title: Windows: Impersonation Check Bypass with MRXDAV
Platform: Windows 7, 8.1 Update 32/64 bit
Class: Security Bypass
The implementation of WebDAV consists of two parts, a user-mode service which implements the majority of the functionality and a kernel mode driver which acts to interface with the redirector driver. The driver and user-mode devices communicate using FS/Device control codes.
There's a bug in the way the driver verifies that the caller has sufficient permissions to communicate with it. It effectively does the following:
SECURITY_SUBJECT_CONTEXT ctx;
LUID luid;
BOOLEAN local_system = FALSE;
SeCaptureSubjectContext(&ctx);
// Returns the thread's impersonation (client) token if it has one, otherwise the process token
SeQueryAuthenticationId(SeQuerySubjectContextToken(&ctx), &luid);
// Compared against the LocalSystem LUID; ctx.ImpersonationLevel is never consulted
if (RtlEqualLuid(&luid, &LocalSystemLUID))
{
    local_system = TRUE;
}
SeReleaseSubjectContext(&ctx);
The code does not verify that the caller isn't merely impersonating local system at identification level. This allows a normal user to capture a system token and (from what I can tell) pretend to be the WebClient service, which might lead to a significant amount of unexpected behaviour, such as implementing custom filesystem semantics.
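To make the flaw concrete, here is an added user-mode C model of the check, written for this report; it is neither the driver's code nor the attached PoC. A small constructed struct stands in for SECURITY_SUBJECT_CONTEXT (primary token LUID, optional client token, impersonation level), and the original check is contrasted with one that refuses identification-level impersonation the way SeAccessCheck does. The type names, LUID values and helper names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel types; not the real definitions. */
typedef uint64_t luid_t;
enum impersonation_level { SEC_ANONYMOUS, SEC_IDENTIFICATION, SEC_IMPERSONATION, SEC_DELEGATION };

struct token { luid_t auth_id; };
struct subject_context {
    struct token primary;                  /* process (primary) token */
    const struct token *client;            /* thread impersonation token, or NULL */
    enum impersonation_level client_level; /* meaningful only when client != NULL */
};

static const luid_t LOCAL_SYSTEM_LUID = 0x3E7; /* SYSTEM_LUID is {0x3E7, 0} on Windows */

/* Mirrors SeQuerySubjectContextToken: the client token wins when one is present. */
static const struct token *effective_token(const struct subject_context *ctx) {
    return ctx->client ? ctx->client : &ctx->primary;
}

/* The check as the report describes it: only the effective token's LUID is examined. */
bool vulnerable_is_local_system(const struct subject_context *ctx) {
    return effective_token(ctx)->auth_id == LOCAL_SYSTEM_LUID;
}

/* Hardened variant: a client token below SecurityImpersonation level conveys no
 * authority, so it must not be accepted as evidence that SYSTEM is calling. */
bool hardened_is_local_system(const struct subject_context *ctx) {
    if (ctx->client && ctx->client_level < SEC_IMPERSONATION)
        return false;
    return effective_token(ctx)->auth_id == LOCAL_SYSTEM_LUID;
}

int main(void) {
    const struct token system_tok = { LOCAL_SYSTEM_LUID };
    /* Constructed scenario: ordinary user process holding a SYSTEM token at identification level. */
    struct subject_context ctx = { { 0x12345 }, &system_tok, SEC_IDENTIFICATION };
    printf("vulnerable check: %s\n", vulnerable_is_local_system(&ctx) ? "allowed" : "denied");
    printf("hardened check:   %s\n", hardened_is_local_system(&ctx) ? "allowed" : "denied");
    return 0;
}
```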
Attached is a simple PoC which demonstrates the issue. It sends the control code 0x140394 to the WebDAV redirector driver. To reproduce, follow these steps:
1) Ensure the WebClient service and MRXDAV.SYS drivers are running. This can be achieved through manual starting or navigating to a webdav share such as \\live.sysinternals.com\tools.
2) Execute TestWebDAV.exe from the command line as a normal, non-admin user
3) The program should print "Sent request, should have got access denied" if it succeeded.
Expected result:
The DeviceIoControl should fail with ERROR_ACCESS_DENIED
Observed result:
The DeviceIoControl succeeds
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Comment 1 by forshaw@google.com (Project Member), Oct 24 2014
Correspondence Date: 29 Oct 2014 < Microsoft informs us that they've reproduced the issue and it seems likely that it will be a bulletin class issue, but they state that they will get back to us with confirmation soon.
Removing view restriction.