Windows: DosDevices Impersonation Elevation of Privilege
Reported by forshaw@google.com (Project Member), Jan 28 2015
Platform: Windows 8.1 Update, Windows 7
Class: Elevation of Privilege

Summary:
When an application impersonates another user, all file accesses are performed using the DOS device map that belongs to the impersonated token. This allows a user to force a system service to load DLLs or start processes at higher privileges, leading to EoP.

Description:
Each login session has a DosDevices mapping under \Sessions\0\DosDevices\X-Y, where X-Y is the login session ID. This object directory is writable by the user. When a \??\ path is looked up, the kernel first checks the per-login-session mapping for a symlink for the drive; if none is found it falls back to looking the name up in \GLOBAL??. The same lookup is applied while impersonating another user, which is typical of system services performing actions on behalf of that user.

The vulnerability occurs because a user can place symlinks for the system drives in the per-login-session device map and the kernel will follow them during impersonation. If, for example, a system service calls LoadLibrary for a system DLL while impersonating, the file open can be redirected to an arbitrary location. So if the service tries to load c:\windows\system32\some.dll, a user can create a DOS device mapping for c: that points somewhere else and get a DLL loaded into a system service.

I've fully tested this on Windows 8.1 Update 32-bit, but basic testing on Windows 7 x64 indicates the vulnerability is also present on that platform. It isn't a bug in the implementation of the services, but a kernel issue.

Proof of Concept:
I've provided a PoC which causes the spooler service to load an arbitrary DLL. As the spooler service runs as Local System, this is a complete EoP. I've only chosen the spooler service because it was a convenient one to use and I knew it does a lot of work while impersonating the user. The PoC is only designed for 32-bit Windows 8.1 Update. It might work on the x64 version, but it doesn't by default on Windows 7, possibly due to differences in the printer driver I'm relying on for execution.

1) Extract the PoC to a location on a local hard disk which is writable by a normal user
2) Execute the Poc_DosDeviceSymlink_EoP.exe file
3) The calculator should be running as a child process of spoolsv.exe with system privileges

Expected Result:
It shouldn't be possible to elevate privileges

Observed Result:
Calculator running at system privileges

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
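The lookup order described above (per-logon-session map first, then \GLOBAL??) can be observed from user mode without any kernel tooling. The script below is an added example for this page; it is not the reporter's PoC and not code from the report. It locates the caller's \Sessions\0\DosDevices\<LUID> directory, lists every drive letter as the token resolves it next to the \GLOBAL?? definition, and flags letters where a per-session link shadows a global one, which is the state the PoC puts C: into. It then defines a free letter in the caller's own session map and shows that the global view does not see it. Assumptions not taken from the report: `whoami /logonid` prints the logon SID S-1-5-5-<high>-<low>, whose two trailing numbers are the authentication ID used for the directory name, and the Global\ alias under \?? is used to read the \GLOBAL?? entry directly. QueryDosDevice and DefineDosDevice are documented Win32 calls reached through P/Invoke.

```powershell
# Added example (not the report's PoC). Inspect the DOS device map as the
# calling token sees it and flag drive letters whose per-logon-session link
# shadows the \GLOBAL?? definition.
# Assumptions: `whoami /logonid` prints S-1-5-5-<high>-<low>; "Global\<name>"
# under \?? reads the \GLOBAL?? definition of <name>.

if (-not ('Win32.DosDev' -as [type])) {
    Add-Type -Namespace Win32 -Name DosDev -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName,
    System.Text.StringBuilder lpTargetPath, uint ucchMax);

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool DefineDosDevice(uint dwFlags, string lpDeviceName,
    string lpTargetPath);
'@
}

$DDD_REMOVE_DEFINITION = 0x2

function Get-LogonDosDevicesPath {
    # The per-logon-session map is \Sessions\0\DosDevices\<HighPart>-<LowPart>
    # of the token's authentication ID, written in hex. The logon SID
    # S-1-5-5-<high>-<low> carries the same two numbers in decimal (assumption).
    $out = (whoami /logonid) -join ' '
    if (-not ($out -match 'S-1-5-5-(\d+)-(\d+)')) { throw "unexpected whoami output: $out" }
    '\Sessions\0\DosDevices\{0:X8}-{1:X8}' -f [uint32]$Matches[1], [uint32]$Matches[2]
}

function Get-DosDeviceTarget {
    param([string]$Name)
    # Symbolic link target of \??\<Name> as resolved for this token: the
    # per-logon-session map is consulted first, then \GLOBAL??.
    # Returns $null when the name is defined in neither.
    $buf = New-Object System.Text.StringBuilder 1024
    $len = [Win32.DosDev]::QueryDosDevice($Name, $buf, [uint32]$buf.Capacity)
    if ($len -eq 0) { return $null }
    $buf.ToString()
}

function Get-DriveLetterViews {
    # One row per defined drive letter: the token's resolved target beside the
    # global definition. Shadowed means a per-session link overrides a global
    # one, which is what the report describes for C:.
    foreach ($i in 65..90) {
        $drive = "$([char]$i):"
        $resolved = Get-DosDeviceTarget $drive
        $globalTarget = Get-DosDeviceTarget "Global\$drive"   # assumption: Global\ alias
        if ($resolved -or $globalTarget) {
            [pscustomobject]@{
                Drive    = $drive
                Resolved = $resolved
                Global   = $globalTarget
                Shadowed = [bool]($resolved -and $globalTarget -and ($resolved -ne $globalTarget))
            }
        }
    }
}

function Test-SessionOnlyMapping {
    param([string]$Drive, [string]$Directory)
    # Define a letter in the caller's own logon-session map (without
    # DDD_RAW_TARGET_PATH the target is stored as \??\<Directory>), show that
    # the global view does not contain it, then remove the definition again.
    # A free letter is used on purpose: redefining the system drive inside the
    # running session would break every path lookup in it.
    if (-not [Win32.DosDev]::DefineDosDevice(0, $Drive, $Directory)) {
        throw "DefineDosDevice failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        [pscustomobject]@{
            Drive    = $Drive
            Resolved = Get-DosDeviceTarget $Drive
            Global   = Get-DosDeviceTarget "Global\$Drive"
        }
    } finally {
        [void][Win32.DosDev]::DefineDosDevice($DDD_REMOVE_DEFINITION, $Drive, $null)
    }
}

"Per-logon-session device map: $(Get-LogonDosDevicesPath)"
$views = Get-DriveLetterViews
$views | Format-Table -AutoSize
$used = @($views.Drive)
$free = 90..65 | ForEach-Object { "$([char]$_):" } | Where-Object { $_ -notin $used } | Select-Object -First 1
Test-SessionOnlyMapping -Drive $free -Directory $env:TEMP | Format-List
```

On a clean system the Resolved and Global columns agree for every physical drive and Shadowed is False throughout; a per-session C: pointing at a user directory, as in the PoC output quoted in the May 14 2015 comment (\Sessions\0\DosDevices\00000000-000770D0\C: linked to \Device\HarddiskVolume1\Users\...), shows up as Shadowed = True for C:. The temporary letter defined by Test-SessionOnlyMapping resolves only in the session view, which is the asymmetry the kernel's \??\ lookup creates and that impersonating services inherit.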
Comment 1 by forshaw@google.com (Project Member), Jan 28 2015

Feb 3 2015: Added PoC with source.

Feb 4 2015: Confirmed Win10 TP build 9926 is also vulnerable.

Apr 14 2015, Apr 14 2015, Apr 16 2015, Apr 21 2015: (no comment text preserved on the page)

May 2 2015: Poc_DosDeviceSymlink_EoP.7z has pass?

May 14 2015: tried this on Windows 7 Enterprise x86 ... running IE 9 and backed out all hotfixes 3045685 and later but no joy...

    PS C:\Users\cat-u\Desktop\Poc_DosDeviceSymlink_EoP> .\Poc_DosDeviceSymlink_EoP.exe
    DosDevices: \Sessions\0\DosDevices\00000000-000770D0\C:
    Current Path: \Device\HarddiskVolume1\Users\cat-u\Desktop\Poc_DosDeviceSymlink_EoP
    Executable Dir: C:\Users\cat-u\Desktop\Poc_DosDeviceSymlink_EoP
    Opened
    Opened
    Link \Sessions\0\DosDevices\00000000-000770D0\C: -> \Device\HarddiskVolume1\Users\cat-u\Desktop\Poc_DosDeviceSymlink_EoP: 000000C0
    Started
    PS C:\Users\cat-u\Desktop\Poc_DosDeviceSymlink_EoP>

May 14 2015: this was in a vmware vm.

Jul 28 2015: The PoC with source (Poc_DosDeviceSymlink_EoP.7z) is password protected. Can you supply the password, please? Thanks!