Shulou(Shulou.com)06/01 Report--

This article is about how to deal with loopholes in CVE-2020-1362. The editor thinks it is very practical, so I hope you can get something after reading this article. Let's take a look at it with the editor.

Loophole background

The WalletService service is a service on windows that holds the objects used by the wallet client and exists only in windows 10.

CVE-2020-1362 is an out-of-bounds read and write that occurred by WalletService in the processing of CustomProperty objects. This vulnerability can cause an attacker to gain administrator privileges and the vulnerability is rated as high-risk.

Microsoft released a patch for the vulnerability in July 2020.

Environment building

1. Reproduction environment: windows 10 Professional Edition 1909 (build number 18363.815)

two。 Set the WalletService service startup type to automatic

3. Debugging environment: windbg-psn WalletService is fine.

Principle and Analysis of loopholes

The leak point is that the get and set methods that set the Group of the CustomProperty object do not check boundaries.

The a2 parameter of the 1.get method does not check the boundary so that some addresses on the heap can be disclosed.

The a2 parameter of the 2.set method has no check boundary and can override the virtual table pointer of the object to control the program flow.

Vulnerability exploitation process

Create a CustomProperty object

The WalletService service is provided by WalletService.dll, and WalletService.dll is actually a Com component in the form of a dynamic link library, loaded by svchost.exe. We can use functions such as CoCreateInstance () or CoGetClassObject () to create an object in our own program (hereinafter referred to as the client) and use the functionality provided by the service by calling the class methods of the obtained object.

How to create the object corresponding to the vulnerability function? The easiest way is to download msdn's symbol table and look at the function name.

We want to create a CustomProperty object, and an ida search shows that there are two functions that create the object: Wallet::WalletItem::CreateCustomProperty () and Wallet::WalletXItem::CreateCustomProperty ().

So we need a WalletXItem object or a WalletItem object to create a CustomProperty, so which one should we use? Continue to search for CreateWalletItem or CreateWalletXItem with ida, and you'll find only CreateWalletItem.

So here we need a WalletX object, continue to use ida search will find no CreateWalletX, but if you search WalletX, you will find a WalletXFactory::CreateInstance (), if you have experience in Com component development will know that this is a factory class to create interface class function, the above-mentioned CoCreateInstance () function will cause WalletService to call this function to create an interface class to return to the client.

So how do you call WalletXFactory::CreateInstance () and create a WalletX object? We need to use CoCreateInstance () on the client side.

HRESULT CoCreateInstance (REFCLSID rclsid, / / CLSID, used to find the factory class LPUNKNOWN pUnkOuter, / / set to NULL to DWORD dwClsContext, / / set to CLSCTX_LOCAL_SERVER, a macro REFIID riid, / / IID, provided to the engineering class, used to create the interface class instance LPVOID * ppv / / address of the interface class instance pointer)

1. First of all, we need the CLSID of WalletXFactory, which can be viewed using the tool OLEViewDotNet.

two。 Second, we need an IID of WalletX, which you can use ida to look directly at the function WalletXFactory::CreateInstance ().

With CLSID of WalletXFactory and IID of WalletX, and then calling CoCreateInstance () on the client side, WalletService will call CreateInstance () of the factory class WalletXFactory corresponding to CLSID, create the WalletX object corresponding to IID, and return the object to the client.

Then, as analyzed above, use WalletX::CreateWalletItem () to create a WalletItem object, and then use WalletItem::CreateCustomProperty () to create a CustomProperty object.

Students who have questions about the above steps can learn Com component development, especially out-of-process component development.

Falsify a virtual table and overwrite the pointer to the schedule

Because the loading base address of the same dynamic library is the same in different processes, we can know the address of all the functions in dll, so we can get the function address in the fake virtual table.

So where do you put the virtual watch? The direct thought is to put it on the heap.

But if we continue to analyze, we will find that there is a string object in the CustomProperty class, and we can use CustomProperty::SetLabel () to modify the string class, so we can write at any address by modifying the beg pointer and end pointer in the string class, and then calling CustomProperty::SetLabel ().

With any address to write, we chose to put the virtual table in the .data section of WalletService.dll to avoid crashing the program due to data that might be destroyed on the heap.

Control program flows to LoadLibrary function

By using the method of forging vtable and overwriting virtual table pointers, we can control the flow of WalletService programs to any address by calling virtual functions.

So how to raise the power? In the claim of windows services, the usual way is to control the program flow so that we can execute functions such as LoadLibrary () to load a dynamic link library written by ourselves, because DllMain () in dll will be executed when loading dll. This method is the most powerful and practical.

Here, the vulnerability submitter's method is used to overwrite an address of the virtual table with ATL::CComObject\:: `vector deleting destructor () in dxgi.dll, because the LoadLibraryExW () called by this function uses a global variable as the path of the dll you want to load.

We can write any address through SetLabel () above, modify the global variable Src in the above figure to point to the path of our own DLL, and then call the corresponding virtual table function to make the program flow execute to LoadLibrarExW ().

Implement a dynamic link library

Write in DllMain () that we want to execute the code with high privileges, and then call the program flow whose corresponding function in the virtual table is WalletService to run to LoadLibraryEx ().

Note that because the windows service runs in the background, techniques such as named pipes or socket need to be used for echo or interaction in DllMain (). Secondly, since LoadLibraryExW () is executed, the dll path here uses wide characters.

Other

The following two check need to be bypassed when controlling the flow of virtual table functions to LoadLibraryExW ().

The first is that you need to set the value of the address this+0x80 so that the following and operates as true.

The second is to adjust that qword_C5E88 and qword_C5E80 are the following variables v4 pointing to memory with write permissions.

Vulnerability exploitation result

You can get administrator privileges

Comparison before and after patch

As you can see, after the patch, both the get method and the set method add boundary detection to the a2 parameter.

This is how to deal with loopholes in CVE-2020-1362. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.