
How to achieve privilege escalation through Windows Service Tracing: analysis of the CVE-2020-0668 vulnerability

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

Many people are unfamiliar with how privilege escalation through Windows Service Tracing (CVE-2020-0668) works, so this article summarizes the cause of the problem and its solution. I hope it helps you solve this problem.

We will discuss an arbitrary file move vulnerability in Windows Service Tracing. In our testing, this vulnerability affects all versions of the operating system from Windows Vista to Windows 10, and Windows XP is likely to be affected as well, because the feature also exists on XP systems.

Windows Service Tracing

Service Tracing has a long history on the Windows platform; it has existed since Windows XP. The feature provides basic debugging information about running services and modules, and any local user can configure it by editing the registry key HKLM\SOFTWARE\Microsoft\Tracing.

In Windows, each service or module corresponds to a registry subkey, and each subkey contains six values. Three of them matter here: EnableFileTracing (enable / disable "tracing"), FileDirectory (the directory the log file is written to), and MaxFileSize (the maximum size of the log file).

Once EnableFileTracing is set, the target service starts writing its log file to the directory of our choice. When the log file exceeds MaxFileSize, it is moved (that is, renamed: the original .LOG suffix is replaced with .OLD) and a new log file is created in its place.

Security researcher James Forshaw has released a symbolic link testing tool that makes this easy to exploit. We just need to turn the target directory into a mount point that points to the \RPC Control object directory, and then create the following two symbolic links:

1. Create a symbolic link from MODULE.LOG to one of our files (the file must be larger than MaxFileSize).

2. Create a symbolic link from MODULE.OLD to any file on the system, such as "C:\Windows\System32\WindowsCoreDeviceInfo.dll".

Finally, we need a service running as "NT AUTHORITY\SYSTEM" as the target to trigger the file "move" operation, and then use the Update Session Orchestrator service to obtain arbitrary code execution.

Tracing function of the service

As described at the beginning of the article, any local user can configure the Service Tracing feature by editing the registry key HKLM\SOFTWARE\Microsoft\Tracing.

Using the AccessChk tool from the Windows Sysinternals suite, we can see that a standard user has read and write permissions on almost all the subkeys under that registry key:

Next, we will take the RASTAPI module as an example to demonstrate exploitation. The IKEEXT service uses this module, so we can trigger log writing by initiating any VPN connection. The default values of the relevant registry subkey are shown in the following figure; other services and modules use exactly the same values:

From the perspective of a local attacker, the following values can be useful:

Parameter name      Value range              Description
EnableFileTracing   0-1                      start / stop writing to the log file
FileDirectory       A string                 absolute path of the output directory
MaxFileSize         0x00000000-0xffffffff    maximum size of the output log file

By setting these values, we can do this:

1. Set EnableFileTracing to 0 or 1 to force a specific service or module to stop / start writing debugging information to the log file.

2. Set the location of the log file through FileDirectory.

3. Set the maximum output file size through MaxFileSize.

It is important to note that we cannot choose the name of the output log file; it is derived from the name of the service or module doing the logging. Symbolic links, however, let us work around this.
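The three values above are the whole attack surface on the configuration side, so a defender's first check is whether any module currently has file tracing enabled with a FileDirectory that points away from the default location. The following Python script is an added example written for this article, not code from the original post or from any Microsoft tool. It parses a regedit export of the Tracing key (a constructed sample is embedded; REG_EXPAND_SZ values appear in .reg files as hex(2) UTF-16LE bytes, often wrapped onto continuation lines) and reports modules that deviate from the default. The default FileDirectory value %windir%\tracing and the default MaxFileSize are assumptions for this example, not facts stated on the page.

```python
import re

# Key the article describes (writable by any local user). The default directory
# below is an assumption for this example, not a value quoted from the article.
TRACING_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing"
DEFAULT_FILE_DIRECTORY = r"%windir%\tracing"

# Constructed .reg export for two module subkeys (not a real export).
# FileDirectory is REG_EXPAND_SZ, which regedit writes as hex(2): UTF-16LE
# bytes, wrapped onto continuation lines that end with a backslash.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\IKEEXT]
"EnableFileTracing"=dword:00000000
"EnableConsoleTracing"=dword:00000000
"FileTracingMask"=dword:ffff0000
"ConsoleTracingMask"=dword:ffff0000
"MaxFileSize"=dword:00100000
"FileDirectory"=hex(2):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,00,74,00,\
  72,00,61,00,63,00,69,00,6e,00,67,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASTAPI]
"EnableFileTracing"=dword:00000001
"EnableConsoleTracing"=dword:00000000
"FileTracingMask"=dword:ffff0000
"ConsoleTracingMask"=dword:ffff0000
"MaxFileSize"=dword:00004000
"FileDirectory"=hex(2):43,00,3a,00,5c,00,4c,00,4f,00,47,00,53,00,00,00
'''


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}}.

    Supports dword:, quoted strings and hex(2): (REG_EXPAND_SZ as UTF-16LE),
    joining lines that regedit wrapped with a trailing backslash.
    """
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or not line.startswith('"'):
            continue
        while line.endswith("\\"):            # continuation line follows
            line = line[:-1] + lines[i].strip()
            i += 1
        name, _, raw = line.partition("=")
        name = name.strip('"')
        if raw.startswith("dword:"):
            keys[current][name] = int(raw[len("dword:"):], 16)
        elif raw.startswith("hex(2):"):
            data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(",") if b)
            keys[current][name] = data.decode("utf-16-le").rstrip("\x00")
        elif raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = raw[1:-1].replace("\\\\", "\\")
    return keys


def audit_tracing(keys):
    """Return (module, FileDirectory, MaxFileSize) for every module subkey that
    has file tracing enabled and logs somewhere other than the default directory."""
    findings = []
    prefix = TRACING_KEY.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        if values.get("EnableFileTracing", 0) != 1:
            continue
        directory = values.get("FileDirectory", "")
        if directory.lower() != DEFAULT_FILE_DIRECTORY.lower():
            module = key.rsplit("\\", 1)[-1]
            findings.append((module, directory, values.get("MaxFileSize")))
    return findings


if __name__ == "__main__":
    for module, directory, max_size in audit_tracing(parse_reg_export(SAMPLE_REG)):
        print(f"{module}: file tracing enabled, FileDirectory={directory}, "
              f"MaxFileSize={max_size:#x}")
```

On a real host, export the key with regedit (or reg export) and read the file with encoding utf-16, which is what regedit writes; a module that shows up here with a user-writable FileDirectory and a small MaxFileSize is exactly the configuration the scenarios below abuse.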

Arbitrary file move vulnerability, scenario 1: MaxFileSize at its default

In this scenario, we set "C:\LOGS" as the output directory for the log file and enable the "File Tracing" function:

Next, we need to generate some events so that the target service starts writing to the log file. Here we can initiate a VPN connection using the rasdial command together with a PBK file:

Success! The log file is written by "NT AUTHORITY\SYSTEM", and the current log file size is about 24KB:

Scenario 2: MaxFileSize with a custom value

In the previous test, we saw that the output log file is about 24KB, so this time we set MaxFileSize to "0x4000" (16384 bytes) and test again:

Based on the events captured by Process Monitor, we can know:

1. The service queries the basic information of the log file. We can see that the EndOfFile offset is 23,906, which is the current file size. Since the maximum file size we set is 16384 bytes, the service concludes that the file is full.

2. The service calls SetRenameInformationFile with FileName=C:\LOGS\RASTAPI.OLD. Because it considers the current file full, it renames "C:\LOGS\RASTAPI.LOG" to "C:\LOGS\RASTAPI.OLD".

3. The service creates a new "C:\LOGS\RASTAPI.LOG" file and starts writing data to it.

The file move here is performed by "NT AUTHORITY\SYSTEM". Therefore, we can use it to move any file the user owns to any location on the target system, such as "C:\Windows\System32\".
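The Process Monitor sequence above (registry writes by a low-privileged user, then QueryStandardInformationFile, SetRenameInformationFile and CreateFile by SYSTEM) is also what a defender can look for. The following Python script is an added example written for this article, not code from the original post or from Sysinternals. It runs two checks over a constructed Procmon CSV export embedded inline: writes to EnableFileTracing, FileDirectory or MaxFileSize under the Tracing key by any account other than SYSTEM, and .LOG-to-.OLD rotations performed as SYSTEM outside the default tracing directory. The assumed expansion of the default directory (C:\Windows\tracing), the optional "User" column in the export, and all sample rows are assumptions or constructed data, not values from the page.

```python
import csv
import io
import re

# Registry key the article says any local user can edit, the account the
# log-writing service runs as, and the assumed expansion of the default
# FileDirectory; the default directory is an assumption for this example.
TRACING_KEY = r"HKLM\SOFTWARE\Microsoft\Tracing"
DEFAULT_TRACING_DIR = r"C:\Windows\tracing"
SYSTEM_USER = r"NT AUTHORITY\SYSTEM"
WATCHED_VALUES = {"EnableFileTracing", "FileDirectory", "MaxFileSize"}

# Constructed Process Monitor CSV export, not a real capture. Columns are the
# default export columns plus the optional "User" column.
SAMPLE_CSV = r'''Time of Day,Process Name,PID,Operation,Path,Result,Detail,User
10:00:01.0000000,reg.exe,4120,RegSetValue,HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\FileDirectory,SUCCESS,"Type: REG_EXPAND_SZ, Length: 16, Data: C:\LOGS",DESKTOP\lowpriv
10:00:01.0100000,reg.exe,4120,RegSetValue,HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\MaxFileSize,SUCCESS,"Type: REG_DWORD, Length: 4, Data: 16384",DESKTOP\lowpriv
10:00:01.0200000,reg.exe,4120,RegSetValue,HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\EnableFileTracing,SUCCESS,"Type: REG_DWORD, Length: 4, Data: 1",DESKTOP\lowpriv
10:00:02.0000000,svchost.exe,1234,QueryStandardInformationFile,C:\LOGS\RASTAPI.LOG,SUCCESS,"AllocationSize: 24,576, EndOfFile: 23,906, NumberOfLinks: 1, DeletePending: False, Directory: False",NT AUTHORITY\SYSTEM
10:00:02.0010000,svchost.exe,1234,SetRenameInformationFile,C:\LOGS\RASTAPI.LOG,SUCCESS,"ReplaceIfExists: True, FileName: C:\LOGS\RASTAPI.OLD",NT AUTHORITY\SYSTEM
10:00:02.0020000,svchost.exe,1234,CreateFile,C:\LOGS\RASTAPI.LOG,SUCCESS,"Desired Access: Generic Write, Disposition: OpenIf",NT AUTHORITY\SYSTEM
10:00:05.0000000,svchost.exe,1234,SetRenameInformationFile,C:\Windows\tracing\IKEEXT.LOG,SUCCESS,"ReplaceIfExists: True, FileName: C:\Windows\tracing\IKEEXT.OLD",NT AUTHORITY\SYSTEM
10:00:06.0000000,reg.exe,4120,RegSetValue,HKCU\Software\Example\Setting,SUCCESS,"Type: REG_SZ, Length: 8, Data: abc",DESKTOP\lowpriv
'''


def parse_events(text):
    """Parse a Procmon CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _parse_detail(detail):
    """Split Procmon's 'Key: value, Key: value' Detail column into a dict.

    Values such as 23,906 contain a comma without a following space, so only
    ', ' followed by a capitalised key name and ': ' separates fields.
    """
    fields = {}
    for part in re.split(r", (?=[A-Z][A-Za-z ]*: )", detail):
        key, _, value = part.partition(": ")
        fields[key] = value
    return fields


def find_tracing_config_changes(events):
    """RegSetValue on the watched Tracing values by any non-SYSTEM account.

    Returns (module, value name, data, user) tuples; this is the earliest
    signal that a log file is being redirected.
    """
    hits = []
    prefix = TRACING_KEY.lower() + "\\"
    for ev in events:
        path = ev["Path"]
        if ev["Operation"] != "RegSetValue" or not path.lower().startswith(prefix):
            continue
        module, _, value_name = path[len(prefix):].partition("\\")
        if value_name in WATCHED_VALUES and ev["User"].upper() != SYSTEM_USER:
            data = _parse_detail(ev["Detail"]).get("Data", "")
            hits.append((module, value_name, data, ev["User"]))
    return hits


def find_redirected_rotations(events):
    """SetRenameInformationFile of a .LOG to a .OLD performed as SYSTEM in a
    directory other than the default tracing directory. Returns
    (process, source path, rename target) tuples."""
    hits = []
    for ev in events:
        if ev["Operation"] != "SetRenameInformationFile":
            continue
        src = ev["Path"]
        dst = _parse_detail(ev["Detail"]).get("FileName", "")
        if not (src.upper().endswith(".LOG") and dst.upper().endswith(".OLD")):
            continue
        src_dir = src.rsplit("\\", 1)[0]
        if src_dir.lower() != DEFAULT_TRACING_DIR.lower() and ev["User"].upper() == SYSTEM_USER:
            hits.append((ev["Process Name"], src, dst))
    return hits


def end_of_file_size(events, path):
    """EndOfFile from the last QueryStandardInformationFile on `path`, or None.
    Procmon prints the value with thousands separators, which are stripped."""
    size = None
    for ev in events:
        if ev["Operation"] == "QueryStandardInformationFile" and ev["Path"].lower() == path.lower():
            size = int(_parse_detail(ev["Detail"])["EndOfFile"].replace(",", ""))
    return size


if __name__ == "__main__":
    events = parse_events(SAMPLE_CSV)
    for module, name, data, user in find_tracing_config_changes(events):
        print(f"[config] {user} set Tracing\\{module}\\{name} = {data}")
    for proc, src, dst in find_redirected_rotations(events):
        size = end_of_file_size(events, src)
        print(f"[rotate] {proc} as SYSTEM renamed {src} -> {dst} (EndOfFile {size})")
```

Note that Procmon records the path the service passed to the rename, so the second check sees C:\LOGS\RASTAPI.OLD rather than the file a symbolic link finally resolves to; the rotation outside the default directory, combined with the preceding registry writes by a standard user, is the signal, not the resolved destination.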

The exploit process is as follows:

1. Create (or copy) a file whose size exceeds 0x8000 (32768) bytes.

2. Create a new directory, such as "C:\EXPLOIT\mountpoint\", and turn it into a mount point pointing to "\RPC Control".

3. Create the following symbolic links:

\RPC Control\RASTAPI.LOG -> \??\C:\EXPLOIT\FakeDll.dll (owner = current user)
\RPC Control\RASTAPI.OLD -> \??\C:\Windows\System32\WindowsCoreDeviceInfo.dll

4. Configure the following values in the registry:

FileDirectory = C:\EXPLOIT\mountpoint
MaxFileSize = 0x8000 (32768 bytes)
EnableFileTracing = 1

5. Use the RasDial function of the Windows API to trigger events related to RASTAPI.

6. Trigger the Update Session Orchestrator service so that it loads the planted DLL with "NT AUTHORITY\SYSTEM" privileges.

Demonstration example

After reading the above, do you know how to analyze the CVE-2020-0668 privilege escalation vulnerability in Windows Service Tracing? If you want to learn more skills or find out more about this topic, you are welcome to follow the industry information channel. Thank you for reading!

© 2024 shulou.com SLNews company. All rights reserved.
