lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 8 Jul 2020 11:33:36 +0200 From: "Securify B.V. via Fulldisclosure" <fulldisclosure@...lists.org> To: fulldisclosure@...lists.org Subject: [FD] Microsoft OneDrive client for Windows Qt QML module hijack ------------------------------------------------------------------------ Microsoft OneDrive client for Windows Qt QML module hijack ------------------------------------------------------------------------ Yorick Koster, July 2020 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A file hijacking vulnerability was found in the Microsoft OneDrive client. This vulnerability allows a local attacker to plant a DLL file on the local machine. This DLL will then be loaded whenever (another) user launches OneDrive, running with the privileges of the victim. ------------------------------------------------------------------------ Tested version ------------------------------------------------------------------------ This issue was successfully verified on Microsoft OneDrive version 19.232.1124.0010. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ This vulnerability was resolved in Microsoft OneDrive version 20.073.0409.0003 [2]. ------------------------------------------------------------------------ Introduction ------------------------------------------------------------------------ OneDrive is Microsoft's cloud storage service, which can be used to store files including documents, photos, music, videos, et cetera. Files stored in OneDrive can be accesses from other devices and shared with others. A file hijacking vulnerability was found in the Microsoft OneDrive client for Windows. This vulnerability allows a local attacker to plant a DLL file on the local machine. This DLL will then be loaded whenever (another) user launches OneDrive, running with the privileges of the victim. This issue was independently discovered [3] by Elias Dimopoulos [4] from REDYOPS Labs. ------------------------------------------------------------------------ Vulnerability details ------------------------------------------------------------------------ When OneDrive starts, it will search in the folder C:\Qt\Qt-5.11.1\ for any QML module that needs to be loaded. When the module can't be found under C:\Qt, the application's installation folder will be searched (generally located under %LOCALAPPDATA%). https://www.securify.nl/advisory/SFY20200708/onedrivehijack.png Normally, the C:\Qt folder is not present on Windows systems. Any authenticated user is permitted to create this folder in the system root and consequently, a logged on attacker can also create the searched folder structure. The attacker can then create any of the following folders and copy a malicious DLL in these folders: - Colors - Colors.1 - Colors.1.0 - ColorThemeManager - ColorThemeManager.1 - ColorThemeManager.1.0 - QtQuick\Controls\impl - QtQuick\Controls\impl.2 - QtQuick\Controls\impl.2.4 - QtQuick\Controls\Styles.1.4 - QtQuick\Controls\Styles.1 - QtQuick\Controls.1\Styles - QtQuick\Controls.1.4\Styles - QtQuick\Controls.2\impl - QtQuick\Controls.2.0 - QtQuick\Controls.2.2 - QtQuick\Controls.2.4 - QtQuick\Controls.2.4\impl - QtQuick\Templates.2.4 - QtQuick\Window.2.2 - QtQuick\Window.2.3 - QtQuick.1\Controls\Styles - QtQuick.1.4\Controls\Styles - QtQuick.2\Controls\impl - QtQuick.2.0 - QtQuick.2.0\Controls - QtQuick.2.11 - QtQuick.2.2\Controls - QtQuick.2.2\Window - QtQuick.2.3\Window - QtQuick.2.4\Controls - QtQuick.2.4\Controls\impl - QtQuick.2.4\Templates - QtQuick.2.7 Now whenever OneDrive is launched, it will find the attacker's DLL, load it, and run any code that is present in this DLL. The attacker's code will run with the privileges of the user that launched OneDrive. ------------------------------------------------------------------------ Proof of concept ------------------------------------------------------------------------ The following Powershell script can be used to demonstrate this issue. When successful, the proof of concept will start Calculator. https://gist.github.com/ykoster/9ce4232fee389de1195a624680419d7e ------------------------------------------------------------------------ References ------------------------------------------------------------------------ [1] https://www.securify.nl/advisory/SFY20200708/microsoft-onedrive-client-for-windows-qt-qml-module-hijack.html [2] https://oneclient.sfx.ms/Win/MsitSlow/20.073.0409.0003/OneDriveSetup.exe [3] https://labs.redyops.com/index.php/2020/04/27/onedrive-privilege-of-escalation/ [4] https://twitter.com/gweeperx _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists