Full Disclosure mailing list archives
CVE-2021-28321-CVE-2021-28323: elevation of privileges in Microsoft Diaghub
From: Imre Rad <radimre83 () gmail com>
Date: Sat, 17 Apr 2021 18:28:31 +0200
The Microsoft (R) Diagnostics Hub Standard Collector Service is a default component of the Microsoft Windows operating system. This report is about a flaw in the Diagnostics Hub Standard Collector Service DCOM class that is available to all users of the OS (including NT AUTHORITY\Authenticated Users). The service was vulnerable to directory traversal, which could lead to data tampering and dropping files into arbitrary directories, with an overall impact of elevation of privileges.

The service supports starting diagnostics sessions for which the caller can specify a "scratch directory". File operations are carried out without impersonating the caller; instead, a custom security measure (Microsoft::DiagnosticsHub::StandardCollector::SecuredDirectory::SecuredDirectory) is used to ensure the caller is not able to interfere with the files until a session is destroyed. The directory path provided by the client is opened with CreateFileW and then validated in the ValidateSamePath functions, which rely on the GetFinalPathNameByHandleW WinAPI. That API returns the final path of the opened file with any junctions or redirections resolved out of the name. This final resolved path is then compared to the user-supplied string; in case of a mismatch, the operation is aborted.

The string comparison is done using the wcsnicmp function, which is case-insensitive. Though the operating system features a case-insensitive layer by default, the NTFS file system itself is case-sensitive. See James Forshaw's excellent analysis here:
https://www.tiraniddo.dev/2019/02/ntfs-case-sensitivity-on-windows.html

If Windows Subsystem for Linux is installed (or Docker Desktop), or the per-directory case-sensitivity feature is enabled for any other reason, the construct described above can be circumvented. Think about a directory layout like this:

    C:\Projects\windows-dcom-hacks\work\DiagHub\1\wsldir>dir
    2020. 11. 22.  21:19    <DIR>          ETW
    2020. 11. 22.  21:18    <JUNCTION>     Etw [C:\Projects\windows-dcom-hacks\work\DiagHub\1\wsldir\ETW]
    2020. 11. 22.  21:17    <DIR>          etw

An attacker could supply the path of the Etw junction to Diaghub as the scratch directory; the resolved path (ETW) then passes the case-insensitive comparison, and it becomes possible to switch between the directories during the Diaghub operations.

CVE-2021-28321: deleting arbitrary files
CVE-2021-28322: dropping files outside the scratch directory (no control over the content)
CVE-2021-28313: taking over file permissions of existing files

Combining the latter two, it was possible to execute arbitrary code as NT_AUTHORITY\SYSTEM.

Microsoft released the patch for these vulnerabilities in April 2021. More details and PoC code can be found here:
https://github.com/irsl/microsoft-diaghub-case-sensitivity-eop-cve

Turning a file-dropping primitive into privilege escalation tends to be more complicated, since TrustedInstaller owns most of the files of the operating system. There were some known ways to accomplish this (one of them based on DiagHub), but Microsoft has since patched them. The Github repo above also features a new trick that abuses the Printer Extensions and Notifications service and could be used for the same goal.

Imre
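To make the failing check concrete, the following is an added, constructed model of the ValidateSamePath logic described above; it is not the Diaghub code. resolve_final_path() stands in for GetFinalPathNameByHandleW with a single hard-coded junction (paths shortened from the listing, an assumption), and the "exact" variant is an assumed mitigation, not Microsoft's published fix.

```c
#include <stdbool.h>
#include <wchar.h>
#include <wctype.h>

/* Constructed model: the one junction from the directory listing, mapping
 * "Etw" to its target "ETW". Any other path is treated as a plain directory
 * whose final path is identical to the supplied one. (Assumed paths.) */
static const wchar_t *JUNCTION_NAME   = L"C:\\work\\wsldir\\Etw";
static const wchar_t *JUNCTION_TARGET = L"C:\\work\\wsldir\\ETW";

/* Stand-in for GetFinalPathNameByHandleW: returns the path with the
 * junction resolved, or the supplied path when there is nothing to resolve. */
static const wchar_t *resolve_final_path(const wchar_t *supplied)
{
    if (wcscmp(supplied, JUNCTION_NAME) == 0)
        return JUNCTION_TARGET;
    return supplied;
}

/* Portable stand-in for _wcsnicmp(): case-insensitive over n characters. */
static int wcsnicmp_portable(const wchar_t *a, const wchar_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        wint_t ca = towlower((wint_t)a[i]), cb = towlower((wint_t)b[i]);
        if (ca != cb) return (int)ca - (int)cb;
        if (ca == 0)  return 0;
    }
    return 0;
}

/* Vulnerable form: a junction whose name differs from its target only in
 * case (possible once per-directory case sensitivity is on) is accepted as
 * "the same path", so the redirection goes unnoticed. */
bool validate_same_path_insensitive(const wchar_t *supplied)
{
    const wchar_t *resolved = resolve_final_path(supplied);
    return wcsnicmp_portable(supplied, resolved, wcslen(supplied) + 1) == 0;
}

/* Hardened form (assumed mitigation): compare the resolved path exactly, so
 * any redirection, including a case-only difference, is rejected. */
bool validate_same_path_exact(const wchar_t *supplied)
{
    const wchar_t *resolved = resolve_final_path(supplied);
    return wcscmp(supplied, resolved) == 0;
}
```

The plain ETW directory passes both checks; only the junction is treated differently, which is exactly the case the advisory describes.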