Message-ID: <e947885d-a902-931e-c48e-0fe583b94d27@securify.nl>
Date: Wed, 8 Jul 2020 11:33:36 +0200
From: "Securify B.V. via Fulldisclosure" <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] Microsoft OneDrive client for Windows Qt QML module hijack

------------------------------------------------------------------------
Microsoft OneDrive client for Windows Qt QML module hijack
------------------------------------------------------------------------
Yorick Koster, July 2020

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A file hijacking vulnerability was found in the Microsoft OneDrive
client. This vulnerability allows a local attacker to plant a DLL file
on the local machine. This DLL will then be loaded whenever (another)
user launches OneDrive, running with the privileges of the victim.

------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
This issue was successfully verified on Microsoft OneDrive version
19.232.1124.0010.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This vulnerability was resolved in Microsoft OneDrive version
20.073.0409.0003 [2].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
OneDrive is Microsoft's cloud storage service, which can be used to
store files including documents, photos, music, videos, et cetera. Files
stored in OneDrive can be accessed from other devices and shared with
others.

A file hijacking vulnerability was found in the Microsoft OneDrive
client for Windows. This vulnerability allows a local attacker to plant
a DLL file on the local machine. This DLL will then be loaded whenever
(another) user launches OneDrive, running with the privileges of the
victim.

This issue was independently discovered [3] by Elias Dimopoulos [4] from
REDYOPS Labs.

------------------------------------------------------------------------
Vulnerability details
------------------------------------------------------------------------
When OneDrive starts, it will search in the folder C:\Qt\Qt-5.11.1\ for
any QML module that needs to be loaded. When the module can't be found
under C:\Qt, the application's installation folder will be searched
(generally located under %LOCALAPPDATA%).

https://www.securify.nl/advisory/SFY20200708/onedrivehijack.png

Normally, the C:\Qt folder is not present on Windows systems. Any
authenticated user is permitted to create this folder in the system root;
consequently, a logged-on attacker can also create the searched folder
structure. The attacker can then create any of the following folders
and copy a malicious DLL into them:

 - Colors
 - Colors.1
 - Colors.1.0
 - ColorThemeManager
 - ColorThemeManager.1
 - ColorThemeManager.1.0
 - QtQuick\Controls\impl
 - QtQuick\Controls\impl.2
 - QtQuick\Controls\impl.2.4
 - QtQuick\Controls\Styles.1.4
 - QtQuick\Controls\Styles.1
 - QtQuick\Controls.1\Styles
 - QtQuick\Controls.1.4\Styles
 - QtQuick\Controls.2\impl
 - QtQuick\Controls.2.0
 - QtQuick\Controls.2.2
 - QtQuick\Controls.2.4
 - QtQuick\Controls.2.4\impl
 - QtQuick\Templates.2.4
 - QtQuick\Window.2.2
 - QtQuick\Window.2.3
 - QtQuick.1\Controls\Styles
 - QtQuick.1.4\Controls\Styles
 - QtQuick.2\Controls\impl
 - QtQuick.2.0
 - QtQuick.2.0\Controls
 - QtQuick.2.11
 - QtQuick.2.2\Controls
 - QtQuick.2.2\Window
 - QtQuick.2.3\Window
 - QtQuick.2.4\Controls
 - QtQuick.2.4\Controls\impl
 - QtQuick.2.4\Templates
 - QtQuick.2.7

Now whenever OneDrive is launched, it will find the attacker's DLL, load
it, and run any code that is present in this DLL. The attacker's code
will run with the privileges of the user that launched OneDrive.
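The following PowerShell is an added defensive check and hardening step; it is not part of the advisory or its linked proof of concept. It assumes the host has no legitimate Qt SDK installed under C:\Qt (an assumption, not something the advisory states), and Protect-OneDriveQtPath must be run from an elevated shell.

```powershell
# Added example: audit and harden the Qt search path probed by vulnerable
# OneDrive builds. Assumes no legitimate Qt SDK lives under C:\Qt.
$QtRoot     = 'C:\Qt'
$SearchRoot = Join-Path $QtRoot 'Qt-5.11.1'   # path named in the advisory

function Test-OneDriveQtPath {
    # Returns $true when nothing suspicious is found, $false otherwise.
    # Findings go to the warning stream so the return value stays clean.
    if (-not (Test-Path -LiteralPath $QtRoot)) {
        Write-Host "OK: $QtRoot is absent (expected default state)."
        return $true
    }
    $clean = $true
    # Any DLL below the probed path is a planted-module candidate on a host
    # without a Qt SDK; report owner and Authenticode status for triage.
    $dlls = @(Get-ChildItem -LiteralPath $SearchRoot -Recurse -Filter '*.dll' `
                            -ErrorAction SilentlyContinue)
    foreach ($dll in $dlls) {
        $clean = $false
        $owner = (Get-Acl -LiteralPath $dll.FullName).Owner
        $sig   = (Get-AuthenticodeSignature -FilePath $dll.FullName).Status
        Write-Warning ("Unexpected DLL: {0} owner={1} signature={2}" -f `
                       $dll.FullName, $owner, $sig)
    }
    # Report ACEs that let non-administrators add modules to the search path.
    $writeMask = 'Write|Modify|FullControl|AppendData|CreateDirectories|CreateFiles'
    foreach ($ace in (Get-Acl -LiteralPath $QtRoot).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference -notmatch 'Administrators|SYSTEM|TrustedInstaller' -and
            $ace.FileSystemRights -match $writeMask) {
            $clean = $false
            Write-Warning ("Writable by {0}: {1}" -f $ace.IdentityReference, $ace.FileSystemRights)
        }
    }
    return $clean
}

function Protect-OneDriveQtPath {
    # Pre-create C:\Qt so a standard user can no longer claim it, strip
    # inherited ACEs, and grant write access only to SYSTEM and Administrators.
    # Well-known SIDs are used so the call works on localized systems.
    if (-not (Test-Path -LiteralPath $QtRoot)) {
        New-Item -ItemType Directory -Path $QtRoot | Out-Null
    }
    & icacls $QtRoot /inheritance:r /grant:r `
        '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-545:(OI)(CI)RX'
}

Test-OneDriveQtPath
```

Run Test-OneDriveQtPath periodically (or from an EDR custom check) on hosts still running OneDrive builds older than 20.073.0409.0003; on a managed fleet, Protect-OneDriveQtPath can be deployed as a startup script until the client is updated.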

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The following PowerShell script can be used to demonstrate this issue.
When successful, the proof of concept will start Calculator.

https://gist.github.com/ykoster/9ce4232fee389de1195a624680419d7e

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://www.securify.nl/advisory/SFY20200708/microsoft-onedrive-client-for-windows-qt-qml-module-hijack.html
[2] https://oneclient.sfx.ms/Win/MsitSlow/20.073.0409.0003/OneDriveSetup.exe
[3] https://labs.redyops.com/index.php/2020/04/27/onedrive-privilege-of-escalation/
[4] https://twitter.com/gweeperx


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/