914 - Windows: VHDMP Arbitrary File Creation EoP - project-zero

Starred by 1 user

Status:	Fixed
Owner:	forshaw@google.com
Closed:	Nov 2016
Cc:	project-...@google.com
Finder-forshaw Severity-Medium Deadline-90 Product-Windows CCProjectZeroMembers Vendor-Microsoft Reported-2016-Aug-24 MSRC-34803 CVE-2016-7226

Windows: VHDMP Arbitrary File Creation EoP

Project Member Reported by forshaw@google.com, Aug 24 2016

Back to list

Windows: VHDMP Arbitrary File Creation EoP
Platform: Windows 10 10586 and 14393. Unlikely to work on 7 or 8.1 as I think it’s new functionality
Class: Elevation of Privilege

Summary:
The VHDMP driver doesn’t safely create files related to Resilient Change Tracking leading to arbitrary file overwrites under user control leading to EoP.

Description:

The VHDMP driver is used to mount VHD and ISO files so that they can be accessed as a normal mounted volume. In Windows 10 support was introduced for Resilient Change Tracking which adds a few new files ending with .rct and .mrt next to the root vhd. When you enable RCT on an existing VHD it creates the files if they’re not already present. Unfortunately it does it using ZwCreateFile (in VhdmpiCreateFileWithSameSecurity) and doesn’t specify the OBJ_FORCE_ACCESS_CHECK flag. As the location is entirely controlled by the user we can exploit this to get an arbitrary file create/overwrite, and the code as its name suggests will copy across the DACL from the parent VHD meaning we’ll always be able to access it.

Note this doesn’t need admin rights as we never mount the VHD, just set RCT. However you can’t use it in a sandbox as opening the drive goes through multiple access checks.

Proof of Concept:

I’ve provided a PoC as a C# source code file. You need to compile with .NET 4 or higher. Note you must compile as Any CPU or at least the correct bitness for the system under test other setting the dos devices directory has a habit of failing. It will create abc.txt and xyz.txt inside the Windows directory which we normally can’t write to.

1) Compile the C# source code file.
2) Execute the poc passing the path
3) It should print that it successfully created a file

Expected Result:
Setting RCT fails.

Observed Result:
The user has created the files \Windows\abc.txt and \Windows\xyz.txt with a valid DACL for the user to modify the files.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Program.cs
27.1 KB View Download

Project Member Comment 1 by forshaw@google.com, Aug 25 2016

Labels: MSRC-34803

Project Member Comment 2 by forshaw@google.com, Nov 14 2016

Status: Fixed

Fixed in https://technet.microsoft.com/library/security/MS16-138

Project Member Comment 3 by forshaw@google.com, Nov 15 2016

Labels: -Restrict-View-Commit CVE-2016-7226

► Sign in to add a comment