Duplicate Paths Attack: Get Elevated Privilege from Forged Identities

229b1596ce57cd0935a2bacd410d87a0?s=47 馬聖豪
August 23, 2019
Technology
0
900

Duplicate Paths Attack: Get Elevated Privilege from Forged Identities

229b1596ce57cd0935a2bacd410d87a0?s=128

馬聖豪

August 23, 2019
Tweet

Want more?

229b1596ce57cd0935a2bacd410d87a0?s=48 aaaddress1
0
420
229b1596ce57cd0935a2bacd410d87a0?s=48 aaaddress1
0
300
229b1596ce57cd0935a2bacd410d87a0?s=48 aaaddress1
0
130
7cbd3f5f922d798cc312eaf596de7ae6?s=48 iamctodd
2
540
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
14
880
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
6
480
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
0
300
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
8
630
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
9
330
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
3
370
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
5
910
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
1
240

Transcript

  1. 1.

    萬 ⽤ 劫 持 本 地 提 权 情報滲透 越

    級 注 入 PS C:\> [System.Convert]::ToBase64String([Sy ext.Encoding]::UTF8.GetByte cmd.exe /c "dir" 414141414141414141 AAAAAAAAAAAAAAAAAAAAAA aaaddress1@chroot.org 遠程後⾨ 網軍⾏動 Duplicate Paths Attack: Get Elevated Privilege from Forged Identities
  2. 2.

    $_whoami #Windows #Reversing #Pwn #Exploit • Master degree at CSIE,

    NTUST • Security Researcher - chrO.ot • Speaker - BlackHat, DEFCON, VXCON, HITCON • 30cm.tw • Hao's Arsenal • aaaddress1@chroot.org
  3. 3.

    aaaddress1@chroot.org 1. UAC Design > Privilege Duplicate > Double Trust

    Auth 2. Issues > Path Normalization 3. A Combo, inject unlimited agents $_cat ./agenda
  4. 4.

    aaaddress1@chroot.org 〉〉〉UAC Design

  5. 5.

    aaaddress1@chroot.org $_cat ./uac

  6. 6.

    aaaddress1@chroot.org $_cat ./uac

  7. 7.

    aaaddress1@chroot.org $_cat ./uac

  8. 8.

    aaaddress1@chroot.org $_cat ./uac

  9. 9.

    aaaddress1@chroot.org $_cat ./uac $ svchost.exe -k netsvcs -p -s Appinfo

  10. 10.

    說到創建Process事情, 對作業系統主要就是兩個問題: (⼀)程式碼要擺哪裡 (⼆)執⾏緒該怎麼執⾏

  11. 11.

    syscall Ring0 Ring3 Parent Process (A.) CreateProcess Child Process (B.)

    Child Proess Created, EXE File Mapped, Gained the Same Privilege and New Thread pointed to RtlUserThreadStart (C.) Kernel Create a new Thread: RtlUserThreadStart →LdrInitializeThunk →LdrpInitializeProcess (D.) Jump into AddressOfEntry
  12. 12.

    AppInfo!RAiLaunchAdminProcess syscall Ring0 Ring3 Parent Process (A.) RunAs, CreateProcessAsUser or

    CreateProcessWithToken UAC Service (B.) Send a task by RPC message to UAC service for creating a different privilege child process RPC Priv Auth (C.) verify new process is qualified or not Child Process Task Cancelled Y N (D.) Child process is created by CreateProcessAsUser with specific token by Parent Process
  13. 13.

    syscall Ring0 Ring3 Parent Process (A.) RunAs, CreateProcessAsUser or CreateProcessWithToken

    (B.) Send a task by RPC message to UAC service for creating a different privilege child process RPC (C.) verify new process is qualified or not Child Process Task Cancelled Y N (D.) Child process is created by CreateProcessAsUser with specific token by Parent Process AppInfo!RAiLaunchAdminProcess UAC Service Priv Auth UAC Protection Logic
  14. 14.

    Some points about UAC protection we're interested in: • How

    the UAC process verifies processes get higher privilege • Security issues • Bypassing Vectors syscall Ring0 Ring3 Parent Process (A.) RunAs, CreateProcessAsUser or CreateProcessWithToken UAC Service (B.) Send a task by RPC message to UAC service for creating a different privilege child process RPC Priv Auth (C.) verify new process is qualified or not Child Process Task Cancelled Y N (D.) Child process is created by CreateProcessAsUser with specific token by Parent Process AppInfo!RAiLaunchAdminProcess
  15. 15.

    aaaddress1@chroot.org 只好⾃⼰動⼿逆向 QQ 當你以爲拜 Google ⼤神有解答, 但卻沒有。

  16. 16.

    if you can see me, remember it's discovered by reversing

    and not talked about on Internet. I have no idea it's correct or not :/
  17. 17.

    aaaddress1@chroot.org $_exec RunAs

  18. 18.

    aaaddress1@chroot.org void __fastcall RAiLaunchAdminProcess( struct _RPC_ASYNC_STATE *rpcStatus, RPC_BINDING_HANDLE rpcBindingHandle, wchar_t

    *exePath, wchar_t *fullCommand, int dwCreationFlags, LPVOID lpEnvironment, wchar_t *lpCurrentDirectory, unsigned __int16 *a8, struct _APPINFO_STARTUPINFO *lpStartupInfo, __int64 a10, int millSecond, struct _PROCESS_INFORMATION *lpProcessInformation, unsigned int *a13)
  19. 19.

    aaaddress1@chroot.org

  20. 20.

    aaaddress1@chroot.org

  21. 21.

    aaaddress1@chroot.org

  22. 22.

    aaaddress1@chroot.org

  23. 23.

    aaaddress1@chroot.org

  24. 24.

    aaaddress1@chroot.org $_./trustAuth_A

  25. 25.

    aaaddress1@chroot.org void AipCheckSecurePFDirectory(_UNICODE_STRING *exePath, uint *trustedFlag, __int64 caseSenstive) { *trustedFlag

    |= 0x2000u; int pos = 0; do { // \??\C:\Program Files\Windows Defender, \??\C:\Program Files (x86)\Windows Defender // \??\C:\Program Files\Windows Journal, \??\C:\Program Files (x86)\Windows Journal // \??\C:\Program Files\Windows Media Player, \??\C:\Program Files (x86)\Windows Media Player // \??\C:\Program Files\Windows Multipoint Server if ( RtlPrefixUnicodeString(&(&g_IncludedPF)[2 * pos], exePath, caseSenstive = true) ) break; ++pos; } while ( pos < 8 ); if ( pos != 8 ) *trustedFlag_1 |= 0x4000u; // 0x4000, trusted windows system application } $_./trustAuth_A
  26. 26.

    aaaddress1@chroot.org $_./trustAuth_A

  27. 27.

    aaaddress1@chroot.org $_./trustAuth_A

  28. 28.

    aaaddress1@chroot.org // \??\C:\Windows\System32\Sysprep\sysprep.exe // \??\C:\Windows\System32\inetsrv\InetMgr.exe int index = 0, pos

    = 0; while ( !RtlEqualUnicodeString( g_IncludedXmtExe[index ++], exeUni_FullPath, true) ); if (index < 2) { if ( AipMatchesOriginalFileName(exeUni_FullPath) ) { tmpTrustFlagToAdd |= (0x800000u | 0x200000u); trustedFlag = tmpTrustFlagToAdd; } else { tmpTrustFlagToAdd |= (0x400000u | 0x200000u); trustedFlag = tmpTrustFlagToAdd; } } else ... $_./trustAuth_A
  29. 29.

    aaaddress1@chroot.org else { // \??\C:\Windows\SysWow64\ // \??\C:\Windows\System32\ for (pos =

    0; pos < 2; pos++) if ( RtlPrefixUnicodeString(g_IncludedSysDir[pos], exeUni_FullPath, true) ) break; if (pos != 2) { tmpTrustFlagToAdd |= 0x200000u; trustedFlag = tmpTrustFlagToAdd; } } $_./trustAuth_A
  30. 30.

    aaaddress1@chroot.org $_./trustAuth_B

  31. 31.

    aaaddress1@chroot.org $_./trustAuth_B

  32. 32.

    aaaddress1@chroot.org filemappingPtr = CreateFileMappingW(exeFileHandle, 0i64, 0x11000002, 0, ...); if (

    filemappingPtr ) { exeRawData = MapViewOfFile(filemappingPtr, 4u, 0, 0, 0i64); if ( exeRawData ) if ( LdrResSearchResource(exeRawData, &buf, 3i64, 48i64 ..., 64) >= 0 ) { actCtx = CreateActCtxW(&Dst); if ( actCtx != -1i64 ) { if ( QueryActCtxSettingsW( 0, actCtx, 0i64, L"autoElevate", &pvBuffer, ...) ) // pvBuffer = (wchar_t*)L"true" // tryAutoElevFlag = ( 't' - 'T'(0x54) & 0xffdf ) == 0 --> case insentive tryAutoElevFlag = ((pvBuffer - 'T') & 0xFFDF) == 0; ... if ( tryAutoElevFlag ) goto markedAutoElev; $_./trustAuth_B
  33. 33.

    aaaddress1@chroot.org tryToVerify: ... tryAutoElevFlag = false; filemappingPtr = CreateFileMappingW(exeFileHandle, 0i64,

    0x11000002, 0, ...); if ( filemappingPtr ) { exeRawData = MapViewOfFile(filemappingPtr, 4u, 0, 0, 0i64); if ( exeRawData ) if ( LdrResSearchResource(exeRawData, &buf, 3i64, 48i64 ..., 64) >= 0 ) { actCtx = CreateActCtxW(&Dst); if ( actCtx != -1i64 ) { if ( QueryActCtxSettingsW( 0, actCtx, 0i64, L"autoElevate", &pvBuffer, ...) ) // pvBuffer = (wchar_t*)L"true" // tryAutoElevFlag = ( 't' - 'T'(0x54) & 0xffdf ) == 0 --> case insentive tryAutoElevFlag = ((pvBuffer - 'T') & 0xFFDF) == 0; ... if ( tryAutoElevFlag ) goto markedAutoElev; markedAutoElev: if ( _wcsicmp(L"mmc.exe", *mmc) ) { // autoElev request marked flag *trustFlag |= 0x1010000u; goto bye; } // ... chk for the arguments for mmc $_./trustAuth_B
  34. 34.

    aaaddress1@chroot.org $_./trustAuth_B

  35. 35.

    aaaddress1@chroot.org

  36. 36.

    aaaddress1@chroot.org

  37. 37.

    aaaddress1@chroot.org

  38. 38.

    aaaddress1@chroot.org

  39. 39.

    aaaddress1@chroot.org AiLaunchProcess: Create Suspended Consent Process by CreateProcessAsUserW

  40. 40.

    aaaddress1@chroot.org AiLaunchProcess: Create Suspended Consent Process by CreateProcessAsUserW AipVerifyConsent: Verify

    consent not patched by ReadProcessMemory
  41. 41.

    aaaddress1@chroot.org AiLaunchProcess: Create Suspended Consent Process by CreateProcessAsUserW AipVerifyConsent: Verify

    consent not patched by ReadProcessMemory
  42. 42.

    aaaddress1@chroot.org Consent process gets awake, checks the "trustFlag", and decides

    to display alert UI or not.
  43. 43.

    aaaddress1@chroot.org AiLaunchProcess: Create Suspended Consent Process by CreateProcessAsUserW AipVerifyConsent: Verify

    consent not patched by ReadProcessMemory
  44. 44.

    aaaddress1@chroot.org

  45. 45.

    aaaddress1@chroot.org

  46. 46.

    aaaddress1@chroot.org High Priv Low Priv Priv Low to High Timeline

  47. 47.

    aaaddress1@chroot.org NtOpenProcess RpcImpersonateClient High Priv Low Priv NtDuplicateToken(-2) RpcRevertToSelf RpcImpersonateClient

    ExeFileHandle = CreateFileW $p = ToDosName(GetLongPathNameW(pathInput)) TrustAuth_A($p) TrustAuth_B($p) RpcRevertToSelf AiLaunchConsentUI AiLaunchProcess(pathInput)
  48. 48.

    aaaddress1@chroot.org NtOpenProcess RpcImpersonateClient High Priv Low Priv NtDuplicateToken(-2) RpcRevertToSelf RpcImpersonateClient

    ExeFileHandle = CreateFileW $p = ToDosName(GetLongPathNameW(pathInput)) TrustAuth_A($p) TrustAuth_B($p) RpcRevertToSelf AiLaunchConsentUI AiLaunchProcess(pathInput)
  49. 49.

    aaaddress1@chroot.org NtOpenProcess RpcImpersonateClient High Priv Low Priv NtDuplicateToken(-2) RpcRevertToSelf RpcImpersonateClient

    ExeFileHandle = CreateFileW $p = ToDosName(GetLongPathNameW(pathInput)) TrustAuth_A($p) TrustAuth_B($p) RpcRevertToSelf AiLaunchConsentUI AiLaunchProcess(pathInput)
  50. 50.

    aaaddress1@chroot.org NtOpenProcess RpcImpersonateClient High Priv Low Priv NtDuplicateToken(-2) RpcRevertToSelf RpcImpersonateClient

    ExeFileHandle = CreateFileW $p = ToDosName(GetLongPathNameW(pathInput)) TrustAuth_A($p) TrustAuth_B($p) RpcRevertToSelf AiLaunchConsentUI AiLaunchProcess(pathInput)
  51. 51.

    aaaddress1@chroot.org 〉〉〉Issue

  52. 52.

    aaaddress1@chroot.org NtOpenProcess RpcImpersonateClient High Priv Low Priv NtDuplicateToken(-2) RpcRevertToSelf RpcImpersonateClient

    ExeFileHandle = CreateFileW $p = ToDosName(GetLongPathNameW(pathInput)) TrustAuth_A($p) TrustAuth_B($p) RpcRevertToSelf AiLaunchConsentUI AiLaunchProcess(pathInput)
  53. 53.

    aaaddress1@chroot.org > TenableSecurity: UAC Bypass by Mocking Trusted Directories by

    David Wells > Google Project Zero: The Definitive Guide on Win32 to NT Path Conversion by James Forshaw > MSDN Developer Blog: Path Normalization by Jeremy Kuhne Path Format Overview by Jeremy Kuhne /?path_Normaliz
  54. 54.

    aaaddress1@chroot.org /?path_Format DOS Paths (2.0) C:\Test\Foo.txt A full volume name.

    If it doesn't start with all 3 characters it is considered to be partially qualified or relative to the current directory.
  55. 55.

    aaaddress1@chroot.org /? UNC Paths \\Server\Share\Test\Foo.txt start with two separators. The

    first component is the host name (server), which is followed by the share name. path_Format
  56. 56.

    aaaddress1@chroot.org /? DOS Device Paths \\.\C:\Test\Foo.txt path_Format \\?\C:\Test\Foo.txt \\.\UNC\Server\Share\Test\Foo.txt \\?\UNC\Server\Share\Test\Foo.txt

  57. 57.

    aaaddress1@chroot.org • Identifying the Path and Legacy Devices • Applying

    the Current Directory • Canonicalizing Separators • Evaluating Relative Components • Trimming Characters • Skipping Normalization /?path_Normaliz Path Normalization by Jeremy Kuhne
  58. 58.

    aaaddress1@chroot.org • Identifying the Path and Legacy Devices • Applying

    the Current Directory • Canonicalizing Separators • Evaluating Relative Components • Trimming Characters • Skipping Normalization /?path_Normaliz Path Normalization by Jeremy Kuhne If the path doesn't end in a separator, all trailing periods and \x20 will be removed. If the last segment is simply a single or double period it falls under the relative components rule above. This rule leads to the possibly surprising ability to create a directory with a trailing space. You simply need to add a trailing separator to do so.
  59. 59.

    aaaddress1@chroot.org • Identifying the Path and Legacy Devices • Applying

    the Current Directory • Canonicalizing Separators • Evaluating Relative Components • Trimming Characters • Skipping Normalization /?path_Normaliz Path Normalization by Jeremy Kuhne An important exception- if you have a device path that begins with a question mark instead of a period. It must use the canonical backslash- if the path does not start with exactly \\?\ it will be normalized.
  60. 60.

    aaaddress1@chroot.org NtOpenProcess RpcImpersonateClient High Priv Low Priv NtDuplicateToken(-2) RpcRevertToSelf RpcImpersonateClient

    ExeFileHandle = CreateFileW $p = ToDosName(GetLongPathNameW(pathInput)) TrustAuth_A($p) TrustAuth_B($p) RpcRevertToSelf AiLaunchConsentUI AiLaunchProcess(pathInput) /?Issue
  61. 61.

    aaaddress1@chroot.org $p = RtlDosPathNameToRelativeNtPathName_U_WithStatus( GetLongPathNameW(pathInput) ) /?trustAuth_A

  62. 62.

    aaaddress1@chroot.org RtlDosPathNameToRelativeNtPathName_U_WithStatus( GetLongPathNameW(L"C:\sea\food \seafood.exe") ) RtlDosPathNameToRelativeNtPathName_U_WithStatus( L"C:\sea\food\seafood.exe" ) $p =

    L"\??\C:\sea\food\seafood.exe" /?trustAuth_A AiLaunchProcess(L"C:\sea\food \seafood.exe")
  63. 63.

    aaaddress1@chroot.org RtlDosPathNameToRelativeNtPathName_U_WithStatus( GetLongPathNameW(L"C:\Windows \System32\a.exe") ) RtlDosPathNameToRelativeNtPathName_U_WithStatus( L"C:\Windows\System32\a.exe" ) $p =

    L"\??\C:\Windows\System32\a.exe" /?trustAuth_A AiLaunchProcess(L"C:\Windows \System32\a.exe")
  64. 64.

    aaaddress1@chroot.org RtlDosPathNameToRelativeNtPathName_U_WithStatus( GetLongPathNameW(L"C:\Windows \System32\a.exe") ) RtlDosPathNameToRelativeNtPathName_U_WithStatus( L"C:\Windows\System32\a.exe" ) $p =

    L"\??\C:\Windows\System32\a.exe" /?trustAuth_A AiLaunchProcess(L"C:\Windows \System32\a.exe") We have no privilege to write files inside C:\Windows\System32 due to Windows DACL But it's okay for us to create a dictionary "Windows\x20" via the \\?\ prefix to avid Path Normalization
  65. 65.

    aaaddress1@chroot.org 〉〉〉Combo

  66. 66.

    aaaddress1@chroot.org • TrustAuth_A - Path Normalization Issues → \\?\ prefix

    to bypass • TrustAuth_B - Whitelisted EXE Files with Trusted Signature - AutoElevated Marked EXE Files → DLL Side-Loading Tricks to hijack AutoElevated Marked EXE Files /?attack Vectors
  67. 67.

    aaaddress1@chroot.org $_payload?

  68. 68.

    aaaddress1@chroot.org $_Siofra github.com/Cybereason/siofra

  69. 69.

    aaaddress1@chroot.org $_Siofra

  70. 70.

    aaaddress1@chroot.org $_Siofra

  71. 71.

    $_ DEMO

  72. 72.

    aaaddress1@chroot.org • TrustAuth_A used for verifying child process launched from

    a trustable dircctory • if trusted, TrustAuth_B check child process signed with legal signature or marked as AutoElevate • Consent.exe launched, and the UAC prompt pops up if child process isn't full trusted • TrustAuth_A/B is an extra design. The different paths between verification and Forking Process lead to EoP $_./Recap
  73. 73.

    萬 ⽤ 劫 持 本 地 提 权 情報滲透 越

    級 注 入 PS C:\> [System.Convert]::ToBase64String([Sy ext.Encoding]::UTF8.GetByte cmd.exe /c "dir" 414141414141414141 AAAAAAAAAAAAAAAAAAAAAA aaaddress1@chroot.org 遠程後⾨ 網軍⾏動 Thanks! Slide Github @aaaddress1 Facebook