916 - Windows: VHDMP Arbitrary Physical Disk Cloning EoP - project-zero

Starred by 1 user

Status:	Fixed
Owner:	forshaw@google.com
Closed:	Nov 2016
Cc:	project-...@google.com
Finder-forshaw Severity-Medium Deadline-90 Product-Windows CCProjectZeroMembers Vendor-Microsoft Reported-2016-Aug-25 MSRC-34806 CVE-2016-7224

Windows: VHDMP Arbitrary Physical Disk Cloning EoP

Project Member Reported by forshaw@google.com, Aug 25 2016

Back to list

Windows: VHDMP Arbitrary Physical Disk Cloning EoP
Platform: Windows 10 10586. No idea about 14393, 7 or 8.1 versions.
Class: Elevation of Privilege

Summary:
The VHDMP driver doesn’t open physical disk drives securely when creating a new VHD leading to information disclosure and EoP by allowing a user to access data they’re shouldn’t have access to.

Description:

The VHDMP driver is used to mount VHD and ISO files so that they can be accessed as a normal mounted volume. When creating a new VHD it’s possible to specify a physical drive to clone from, you’d assume that this feature would be limited to only administrators as accessing a physical disk for read access is limited to administrators group and system. However when calling VhdmpiTryOpenPhysicalDisk the driver uses ZwOpenFile and doesn’t specify the OBJ_FORCE_ACCESS_CHECK flag. As no other administrator checks are done this means that a normal user can clone the physical disk to another file which they can read, to bypass DACL checks on NTFS and extract data such as the SAM hive.

Proof of Concept:

I’ve provided a PoC as a C# source code file. You need to compile with .NET 4 or higher. It will create a new VHDX from a specified physical drive. Note as this is a physical clone it’ll presumably not bypass Bitlocker, but that’s not likely to be a major issue in a lot of cases.

1) Compile the C# source code file.
2) Execute the poc on Win 10 passing the path to the vhd file to create and the physical drive index of the drive to clone. If you run without arguments it’ll print which drives are available. You probably want to clone one drive to another otherwise you’d likely run out of space (and of course have enough space). It also should work to copy the vhd out to a network share.
3) It should print that it created the clone of the drive. If you now mount that VHD somewhere else it should contain the original file systems of the original disk.

Expected Result:
The VHD creation fails with access denied.

Observed Result:
The physical disk is cloned successfully.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Program.cs
7.7 KB View Download

Project Member Comment 1 by forshaw@google.com, Aug 25 2016

Labels: MSRC-34806

Project Member Comment 2 by forshaw@google.com, Nov 14 2016

Status: Fixed

Fixed in https://technet.microsoft.com/library/security/MS16-138

Project Member Comment 3 by forshaw@google.com, Nov 15 2016

Labels: -Restrict-View-Commit CVE-2016-7224

► Sign in to add a comment