Message-ID: <CAPWzz4z3do7jLAYXMe+WgxLfoZrPEguJ3b2drObgEz=EioR-JQ@mail.gmail.com>
Date: Sat, 17 Apr 2021 18:28:31 +0200
From: Imre Rad <radimre83@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2021-28321-CVE-2021-28323: elevation of privileges in Microsoft Diaghub

The Microsoft (R) Diagnostics Hub Standard Collector Service is a
default component of the Microsoft Windows operating system. This report
is about a flaw in the Diagnostics Hub Standard Collector Service DCOM
class, which is available to all users of the OS (including NT
AUTHORITY\Authenticated Users).
The service was vulnerable to directory traversal, which could lead to
data tampering and to dropping files into arbitrary directories, with an
overall impact of elevation of privileges.

The service supports starting diagnostics sessions for which the caller
can specify a "scratch directory". File operations are carried out
without impersonating the caller; instead, a custom security measure
(Microsoft::DiagnosticsHub::StandardCollector::SecuredDirectory::SecuredDirectory)
is used to ensure the caller cannot interfere with the files until the
session is destroyed.

The directory path provided by the client is opened with CreateFileW
and then validated in the ValidateSamePath function, which relies on
the GetFinalPathNameByHandleW WinAPI. That API returns the final path
of the opened file with all junctions and other redirections resolved
out of the name. This final resolved path is then compared to the
user-supplied string; in case of a mismatch, the operation is aborted.
The string comparison is done using the wcsnicmp function, which is
case-insensitive.

Though the operating system features a case-insensitive layer by
default, the NTFS file system itself is case-sensitive. See James
Forshaw's excellent analysis here:

https://www.tiraniddo.dev/2019/02/ntfs-case-sensitivity-on-windows.html

If Windows Subsystem for Linux (or Docker Desktop) is installed, or the
per-directory case-sensitivity feature is enabled for any other reason,
the construct described above can be circumvented. Consider a directory
layout like this:

C:\Projects\windows-dcom-hacks\work\DiagHub\1\wsldir>dir
2020. 11. 22.  21:19    <DIR>          ETW
2020. 11. 22.  21:18    <JUNCTION>     Etw [C:\Projects\windows-dcom-hacks\work\DiagHub\1\wsldir\ETW]
2020. 11. 22.  21:17    <DIR>          etw

An attacker could supply the path of the Etw junction to Diaghub as the
scratch directory; it would then be possible to switch between
directories during Diaghub's operations.
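The following is an added model of the ValidateSamePath check described above; it is not the service's code or the PoC from the repository. The directory layout mirrors the listing, the junction-resolution helper stands in for GetFinalPathNameByHandleW, and the junction targets before and after validation are constructed assumptions; nothing here touches a real filesystem or the Windows API.

```python
# Constructed model of the check: a case-sensitive directory holding a real
# "ETW" directory, a junction "Etw" pointing at it, and a third directory "etw".
ROOT = r"C:\Projects\windows-dcom-hacks\work\DiagHub\1\wsldir"  # from the listing
# Constructed: where the "Etw" junction points when the session is validated.
JUNCTIONS_AT_OPEN = {ROOT + r"\Etw": ROOT + r"\ETW"}
# Constructed: the junction after a caller re-points it at the "etw" directory.
JUNCTIONS_LATER = {ROOT + r"\Etw": ROOT + r"\etw"}


def final_path(path, junctions):
    """Stand-in for GetFinalPathNameByHandleW: rewrite a junction prefix to
    its target so the result names the directory that was actually opened."""
    for link, target in junctions.items():
        if path == link or path.startswith(link + "\\"):
            return target + path[len(link):]
    return path


def validate_same_path_vulnerable(supplied, junctions):
    """The flawed check: a wcsnicmp-style case-insensitive comparison. On a
    case-sensitive directory "Etw" and "ETW" coexist, so the junction passes."""
    return final_path(supplied, junctions).lower() == supplied.lower()


def validate_same_path_hardened(supplied, junctions):
    """Ordinal comparison: a path through a junction never resolves to a
    string identical to the supplied one, so junctions are rejected."""
    return final_path(supplied, junctions) == supplied


def write_location(supplied, junctions_at_open, junctions_later, by_handle):
    """Where a later file operation lands. Re-resolving the user's string on
    every operation follows a re-pointed junction; operating relative to the
    handle opened at validation stays bound to the directory that was checked."""
    opened = final_path(supplied, junctions_at_open)
    return opened if by_handle else final_path(supplied, junctions_later)
```

The model also shows why a one-time string check is insufficient on its own: only operations performed relative to the validated handle remain inside the directory that passed validation.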

CVE-2021-28321: deleting arbitrary files
CVE-2021-28322: dropping files outside the scratch directory (no
control over the content)
CVE-2021-28313: taking over file permissions of existing files

Combining the latter two, it was possible to execute arbitrary code as
NT AUTHORITY\SYSTEM.

Microsoft released patches for these vulnerabilities in April 2021.

More details and PoC code can be found here:

https://github.com/irsl/microsoft-diaghub-case-sensitivity-eop-cve


Turning a file-dropping primitive into privilege escalation tends to be
more complicated, since TrustedInstaller owns most of the files of the
operating system. There were some known ways to accomplish this (one
of them based on DiagHub), but Microsoft has since patched them.
The GitHub repo above also features a new trick that abuses the
Printer Extensions and Notifications service and could be used for the
same goal.


Imre
