Status: Fixed
Closed: Jun 2015
iPrint Client: nipplpt.sys NULL DACL Applied When Creating Spool Directories and Files
Project Member Reported by forshaw@google.com, Feb 27 2015
Platform: iPrint Client 5.99, tested on Windows 8.1 Update 32
Class: Elevation of Privilege

Summary:
The nipplpt.sys driver installed as part of iPrint Client on Windows creates spool files and directories with a NULL DACL leading to the potential for elevation of privilege for any user on the system. 

Description:

Whenever the nipplpt driver creates a spool file or directory it passes an explicit security descriptor with a NULL DACL. This means that any user on the system is able to open and modify these directories and files without any security check. This can lead to an elevation of privilege as it’s possible to modify the spool directory into a mount point which acts as a symbolic link. Through this it’s possible to get the nipplpt driver to create an arbitrary file anywhere on the file system; this could be used to add WMI MOF configurations or plant DLLs which would allow a normal user to elevate to a local system administrator.

We can write arbitrary content to the file by just writing to the opened device. However, because of the NULL DACL, even if we couldn’t, it would be possible to open the newly created file afterwards and modify it at will. In terms of corrective action either the spool directory should be sufficiently locked down (including the initial installation directory as that also has a permissive DACL inherited from the root directory) or log files should be opened taking into account the caller’s permission. That is made more complicated because the files are created in a system thread so passing OBJ_FORCE_ACCESS_CHECK to ZwCreateFile will not be sufficient.

Proof of Concept:

I’ve provided a PoC as source code; it will need to be compiled with something like Visual Studio. It demonstrates writing an arbitrary file to the Windows directory. This has only been tested on 32 bit Windows platforms; it should be run as a normal privileged user and not as an administrator.

Expected Result:
It shouldn’t be possible to modify the spool directories as a normal user.

Observed Result:
The spool directory is modified allowing the file c:\windows\hello.txt with arbitrary content to be written from a normal user’s permission.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Attachment: NovellDriverTest_Symlink.zip (10.5 KB)
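To make the NULL DACL condition above checkable from the defender's side, here is an added example (not part of the report or its PoC) that classifies the DACL of a security descriptor given in SDDL form, the string that `(Get-Acl $path).Sddl` exposes for a spool directory, so directories a system driver writes into can be audited. It distinguishes a missing DACL (the bug described here) from an empty one and from a DACL that merely grants a world principal write access; the SDDL strings in the test are constructed, and the rights/SID abbreviations are the standard SDDL ones.

```python
import re

# SDDL account aliases for principals that every local user belongs to.
WORLD_SIDS = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users", "IU": "Interactive"}

# Two-letter SDDL rights tokens mapped to their access-mask bits.
RIGHT_TOKENS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# Access bits that let a caller alter a file/directory, its DACL or its owner.
WRITE_BITS = (0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000
              | 0x10000000 | 0x40000000)

# (type;flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([A-Z]+);([A-Z]*);([^;]*);[^;]*;[^;]*;([^)]+)\)")


def rights_mask(rights: str) -> int:
    # The rights field is either a hex mask or a run of two-letter tokens.
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError(f"malformed rights field: {rights!r}")
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHT_TOKENS[rights[i:i + 2]]
    return mask


def classify_dacl(sddl: str) -> str:
    # Split the descriptor into its O:, G:, D: and S: components.
    parts = dict(p.split(":", 1) for p in re.split(r"(?=[OGDS]:)", sddl) if p)
    dacl = parts.get("D")
    if dacl is None or dacl.startswith("NO_ACCESS_CONTROL"):
        return "null-dacl"        # no DACL at all: every access check succeeds
    aces = ACE_RE.findall(dacl)
    if not aces:
        return "empty-dacl"       # a DACL with no ACEs grants nothing to anyone
    denied = {}                   # deny ACEs precede allows and mask their bits
    for ace_type, _flags, rights, sid in aces:
        if sid not in WORLD_SIDS:
            continue
        mask = rights_mask(rights)
        if ace_type == "D":
            denied[sid] = denied.get(sid, 0) | mask
        elif ace_type == "A" and mask & WRITE_BITS & ~denied.get(sid, 0):
            return "world-writable"
    return "restricted"
```

Some tooling renders a NULL DACL as an allow-Everyone full-control ACE rather than as a missing D: component; both forms are flagged, and anything other than `restricted` on a directory a kernel driver creates files in is the condition this report describes.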
Project Member Comment 1 by forshaw@google.com, Mar 2 2015
Labels: -Reported-2015-02-27 Reported-2015-Feb-27
Received confirmation that security@novell.com had received the reports
Project Member Comment 2 by forshaw@google.com, May 28 2015
Correspondence Date: 22 May 2015

> Asked Novell for an update on this vulnerability as it's about to exceed the deadline
Project Member Comment 3 by forshaw@google.com, May 28 2015
Labels: -Restrict-View-Commit Deadline-Exceeded
Deadline exceeded -- automatically derestricting
Project Member Comment 4 by forshaw@google.com, Jun 4 2015
Status: Fixed
Issue has been resolved, according to vendor, by removing the vulnerable driver from version 6.0.0 onward. This was not documented in the release notes at https://www.novell.com/support/kb/doc.php?id=7008708
Project Member Comment 5 by forshaw@google.com, Jul 9 2015
Labels: -Deadline-Exceeded
Removed Deadline-Exceeded as technically the bugs were fixed prior to the deadline, although auto update is not enabled and there was no corresponding advisory warning customers to upgrade.