CVE-2021-28321-CVE-2021-28323: elevation of privileges in Microsoft Diaghub

[Imre Rad <radimre83 () gmail com>]

The Microsoft (R) Diagnostics Hub Standard Collector Service is a
default component of Microsoft Windows operating system. This report
is about a flaw in the Diagnostics Hub Standard Collector Service DCOM
class that is available to all users of the OS (includes NT
AUTHORITY\Authenticated Users).
The service was vulnerable to directory traversal which could lead
data tampering and dropping files to arbitrary directories with
overall impact of elevation of privileges.

The service supports starting diagnostics sessions for what the caller
can specify a "scratch directory". File operations are carried out
without impersonating the caller, but using a custom security measure
instead (Microsoft::DiagnosticsHub::StandardCollector::SecuredDirectory::SecuredDirectory)
to ensure the caller is not able to interfere with the files until a
session is destroyed.

The directory path provided by the client is opened with CreateFileW
and then validated in the ValidateSamePath functions, which relies on
the GetFinalPathNameByHandleW WinAPI that returns with the final path
of the opened file without any junctions or redirections in the name.
This final resolved path is then compared to the user supplied string.
In case of a mismatch, the operation is aborted. The string comparison
is done using the wcsnicmp function, which is case-insensitive.

Though the operating system features a case-insensitive layer by
default, the NTFS file system is case-sensitive. See James Foreshaw's
excellent analysis here:

https://www.tiraniddo.dev/2019/02/ntfs-case-sensitivity-on-windows.html

If Windows Subsystem for Linux is installed (or Docker Desktop), or
due to any other reasons the per directory case-insensitivity feature
is enabled, the construct described above could be circumvented. Think
about a directory layout like this:

C:\Projects\windows-dcom-hacks\work\DiagHub\1\wsldir>dir
2020. 11. 22.  21:19    <DIR>          ETW
2020. 11. 22.  21:18    <JUNCTION>     Etw
[C:\Projects\windows-dcom-hacks\work\DiagHub\1\wsldir\ETW]
2020. 11. 22.  21:17    <DIR>          etw

An attacker could supply the path to the Etw junction to Diaghub as
scratch directory, then it would be possible to switch between
directories during the Diaghub operations.

CVE-2021-28321: deleting arbitrary files
CVE-2021-28322: dropping files outside the scratch directory (no
control over the content)
CVE-2021-28313: taking over file permissions of existing files

Combining the latter two it was possible to execute arbitrary code as
NT_AUTHORITY\SYSTEM.

Microsoft has released the patch to these vulnerabilities in 2021 April.

More details and PoC code can be found here:

https://github.com/irsl/microsoft-diaghub-case-sensitivity-eop-cve


Turning a file dropping primitive to privilege escalation tends to be
more complicated since TrustedInstaller owns most of the files of the
operating system. There were some known ways to accomplish this (one
of them based on DiagHub), but Microsoft has patched them since.
The Github repo above also features a new trick that abuses the
Printer Extensions and Notifications service and could be used for the
same goal.


Imre

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/