Exploiting Errors in Windows Error Reporting Gal De Leon (@galdeleon) BlueHatIL 2020 Who am I?
● Gal De Leon ● Principal security researcher @ PaloAltoNetworks Anti-Exploit Team ● Interested in fuzzing, vulnerabilities, exploits and mitigations ● MSRC MVSR 10th place 2018 & 2019 ○ ~35 vulnerabilities
2 Agenda
● What are privileged filesystem access bugs? ● Overview of Windows Error Reporting ● Vulnerabilities & exploits in WER
3 File Access
CreateFile(WRITE) C:\Windows\System32\Drivers Gdl.exe
(Standard User) pci.sys
4 File Access
CreateFile(WRITE) C:\Windows\System32\Drivers Gdl.exe
(Standard User) pci.sys
C:\Windows\System32\Cmd.exe
C:\Users\gdeleon>icacls c:\Windows\System32\drivers\pci.sys c:\Windows\System32\drivers\pci.sys NT SERVICE\TrustedInstaller:(F) NT AUTHORITY\SYSTEM:(F) BUILTIN\Users:(RX)
5 File Access
CreateFile(WRITE) C:\Windows\System32\Drivers Gdl.exe
(Standard User) pci.sys ACCESS_DENIED
C:\Windows\System32\Cmd.exe
C:\Users\gdeleon>icacls c:\Windows\System32\drivers\pci.sys c:\Windows\System32\drivers\pci.sys NT SERVICE\TrustedInstaller:(F) NT AUTHORITY\SYSTEM:(F) BUILTIN\Users:(RX)
6 File Access
CreateFile(WRITE) C:\Windows\System32\Drivers MySrv.exe pci.sys (LocalSystem)
C:\Windows\System32\Cmd.exe
C:\Users\gdeleon>icacls c:\Windows\System32\drivers\pci.sys c:\Windows\System32\drivers\pci.sys NT SERVICE\TrustedInstaller:(F) NT AUTHORITY\SYSTEM:(F) BUILTIN\Users:(RX)
7 Privileged Filesystem Access Bugs
● Ask a privileged component (service, driver, etc) to access a file for us, that we couldn’t access otherwise
8 Bug Example #1 - PleaseWriteFileForMe()
RPC CreateFile(WRITE) C:\Windows\System32\Drivers Gdl.exe MySrv.exe (Standard User) (LocalSystem) pci.sys
RPC: PleaseWriteFileForMe(“C:\Windows\System32\Drivers\pci.sys”, buffer);
*MySrv.exe doesn’t use impersonation (RPC)
9 Bug Example #2 - WriteLogFile()
RPC CreateFile(WRITE) C:\Logs Gdl.exe MySrv.exe (Standard User) (LocalSystem) Gdl.log
RPC: WriteLogFile(“Gdl.log”, buffer);
*MySrv.exe doesn’t use impersonation (RPC)
10 Bug Example #2 - WriteLogFile()
RPC CreateFile(WRITE) C:\Logs Gdl.exe MySrv.exe (Standard User) (LocalSystem) Gdl.log
RPC: C:\Windows\System32\Cmd.exe WriteLogFile(“Gdl.log”, buffer); c:\Logs>icacls c:\Logs *MySrv.exe doesn’t use impersonation (RPC) c:\Logs Everyone:(OI)(CI)(F)
11 Bug Example #2 - WriteLogFile()
CreateLink C:\Logs Gdl.exe (Standard User) Gdl.log
NTFS Hardlink
C:\Windows\System32\Drivers pci.sys
12 Bug Example #2 - WriteLogFile()
RPC CreateFile(WRITE) C:\Logs Gdl.exe MySrv.exe (Standard User) (LocalSystem) Gdl.log
NTFS RPC: Hardlink WriteLogFile(“Gdl.log”, buffer); C:\Windows\System32\Drivers pci.sys
13 Privileged Filesystem Access Bugs
● General definition ○ A privileged component operates on a file (read, write, delete, set-dacl, ..) ○ As LocalSystem (+ no impersonation) ○ File path is controlled, or can be redirected using a link ● Could lead to privilege escalation ○ Classic Example- Overwrite an executable file that later runs as LocalSystem ● Disclaimers - ○ Links creation requires running at MediumIL (cannot exploit sandboxes < MediumIL) ○ Windows Insider Preview (WIP) April 2019 - Hardlinks mitigation
14 Windows Error Reporting Overview
15 What Happens When a Process Crashes?
Gdl.exe XOR RAX, RAX (Standard User) MOV [RAX], 1337h
16 What Happens When a Process Crashes?
Gdl.exe XOR RAX, RAX (Standard User) MOV [RAX], 1337h
Kernelbase!UnhandledExceptionHandler
Kernel32!WerpReportFault
17 What Happens When a Process Crashes?
Gdl.exe XOR RAX, RAX svchost.exe (Standard User) MOV [RAX], 1337h (WerSvc)
WNF (WNF_WER_SERVICE_START)
Kernelbase!UnhandledExceptionHandler
... Kernel32!WerpReportFault Ntdll!SignalStartWerSvc
18 What Happens When a Process Crashes?
Gdl.exe ALPC svchost.exe (Standard User) (WerSvc)
19 What Happens When a Process Crashes?
Gdl.exe ALPC svchost.exe (Standard User) (WerSvc)
WerSvc!CWerService::SvcReportCrash
Faultrep!WerpCreateCrashVerticalProcess
Kernel32!CreateProcessAsUser
20 What Happens When a Process Crashes?
Gdl.exe ALPC svchost.exe (Standard User) (WerSvc)
Parent: Gdl.exe Child: WerFault.exe WerSvc!CWerService::SvcReportCrash
WerFault.exe Faultrep!WerpCreateCrashVerticalProcess (Standard User)
Kernel32!CreateProcessAsUser
21 What Happens When a Process Crashes?
Gdl.exe (Standard User)
Collect data, exception info, memory dump, ..
WerFault.exe (Standard User)
22 What Happens When a Process Crashes?
Gdl.exe (Standard User) C:\ProgramData\Microsoft\Windows\WER
ReportArchive\
Create Directory ReportQueue\ WerFault.exe AppCrash_Gdl.exe_A_B_C_D\ (Standard User)
Temp\
23 What Happens When a Process Crashes?
Gdl.exe (Standard User) C:\ProgramData\Microsoft\Windows\WER
ReportArchive\
ReportQueue\ WerFault.exe Create Report File AppCrash_Gdl.exe_A_B_C_D\ (Standard User) Report.wer
... Version=1 EventType=WindowsFailure Temp\ EventType=13133355343 ReportType=1 .. 24 What Happens When a Process Crashes?
Gdl.exe Microsoft Cloud (Standard User) C:\ProgramData\Microsoft\Windows\WER
ReportArchive\
Upload Report Data ReportQueue\ WerFault.exe AppCrash_Gdl.exe_A_B_C_D\ (Standard User) Report.wer
... Temp\
25 What Happens When a Process Crashes?
Gdl.exe (Standard User) C:\ProgramData\Microsoft\Windows\WERC:\ProgramData\Microsoft\Windows\WER\
ReportArchive\ReportArchive\ AppCrash_Gdl.exe_A_B_C_D\ Report.werReport.wer ... Move Report ... Directory ReportQueue\ ReportQueue\ WerFault.exe (Standard User)
Temp\ Temp\
26 No Internet Connection?
● WerFault.exe keeps report directory under ‘ReportQueue’ ● At a later time, ‘Windows Error Reporting\QueueReporting’ scheduled task will report it using ‘WerMgr.exe -upload’
Microsoft Cloud
C:\ProgramData\Microsoft\Windows\WER\ Wermgr.exe ReportQueue\ (LocalSystem) AppCrash_Gdl.exe_A_B_C_D\ Report.wer
27 Why is WER Prone to Privileged Filesystem Access Bugs?
● Many of WER components run as LocalSystem ○ WerSvc.dll, WerMgr.exe, WerFault.exe(?) ● They allow any user to interact with them ○ WerSvc ALPC port -> writable for everyone ○ QueueReporting scheduled task -> can be executed on demand by everyone ○ C:\ProgramData\Microsoft\Windows\WER\.. -> writable for everyone ● LocalSystem components operate on the files under WER directories ○ Can be abused using filesytem links
28 Vulnerabilities & Exploits in WER Vuln #1: WerSvc!CollectMemoryInfo File Overwrite
● Warm up bug :) ● CVE-2019-1342 ● Can be reached through WerSvc ALPC port ● Impact: overwrite arbitrary files as LocalSystem, content is partially controlled
30 Exploit.exe ALPC svchost.exe (Standard User) (WerSvc)
ALPC: MessageID Args
31 Exploit.exe ALPC svchost.exe (Standard User) (WerSvc)
ALPC: 0xF0030002
32 Exploit.exe ALPC svchost.exe (Standard User) (WerSvc)
CWerService::DispatchPortRequestWorkItem
WerSvc!CollectMemoryInfo
33 Exploit.exe ALPC svchost.exe (Standard User) (WerSvc)
CWerService::DispatchPortRequestWorkItem WerTempDir CreateFile WER120.tmp.txt WerSvc!CollectMemoryInfo
WerSvc!UtilGetTempFile(OUT &FilePath) CloseHandle
34 Exploit.exe ALPC svchost.exe (Standard User) (WerSvc)
CWerService::DispatchPortRequestWorkItem WerTempDir CreateFile WER120.tmp.txt WerSvc!CollectMemoryInfo
WerSvc!UtilCollectSystemInfo(FilePath) WriteFile
35 Vulnerable Pattern ...
● CreateFile ● CloseFile ● CreateFile ● WriteFile
36 Vulnerable Pattern ...
● CreateFile ● CloseFile Create Link ● CreateFile ● WriteFile
37 Exploit.exe (Standard User)
ReadDirectoryChanges
WerTempDir
38 Exploit.exe ALPC svchost.exe (Standard User) (WerSvc)
ReadDirectoryChanges CWerService::DispatchPortRequestWorkItem WerTempDir
WerSvc!CollectMemoryInfo
39 Exploit.exe ALPC svchost.exe (Standard User) (WerSvc)
ReadDirectoryChanges CWerService::DispatchPortRequestWorkItem WerTempDir CreateFile WER280.tmp.txt WerSvc!CollectMemoryInfo
WerSvc!UtilGetTempFile(OUT &FilePath)
40 Exploit.exe ALPC svchost.exe (Standard User) (WerSvc)
ReadDirectoryChanges New File is Created! CWerService::DispatchPortRequestWorkItem Filename is WerTempDir ‘WER280.tmp.txt” CreateFile WER280.tmp.txt WerSvc!CollectMemoryInfo
WerSvc!UtilGetTempFile(OUT &FilePath)
41 Exploit.exe ALPC svchost.exe (Standard User) (WerSvc)
Create Link (Loop) CWerService::DispatchPortRequestWorkItem WerTempDir CreateFile WER280.tmp.txt NTFS WerSvc!CollectMemoryInfo Hardlink
WerSvc!UtilGetTempFile(OUT &FilePath) CloseHandle C:\Windows\System32\Drivers
pci.sys
42 Exploit.exe ALPC svchost.exe (Standard User) (WerSvc)
CWerService::DispatchPortRequestWorkItem WerTempDir CreateFile WER280.tmp.txt NTFS WerSvc!CollectMemoryInfo Hardlink
WerSvc!UtilCollectSystemInfo(FilePath) WriteFile C:\Windows\System32\Drivers
pci.sys
43 WerSvc!CollectMemoryInfo File Overwrite
● Spot vulnerability pattern with Sysinternals ProcMon ○ CreateFile twice ● I didn’t exploit this to full privesc exploit ○ Requires larger degree of control overwrite content ○ Still enough for MSRC to assign a CVE
44 Vuln #2: WerMgr!PreparePathForDeletion DACL Overwrite
45 Run ‘QueueReporting’ Schedule Task (Can be done from Standard User, MediumIL) WerMgr.exe (LocalSystem)
46 WerMgr.exe (LocalSystem)
C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ WerMgr!DoCoreUpload Report.wer
Wer!WerpSubmitReportFromStore Enumerate pending reports
47 WerMgr.exe (LocalSystem)
C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ WerMgr!DoCoreUpload Report.wer
Read, parse Wer!WerpSubmitReportFromStore
48 WerMgr.exe (LocalSystem)
C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ WerMgr!DoCoreUpload Report.wer Version=MALFORMED13371337 Read, parse EventType=WindowsFailure Wer!WerpSubmitReportFromStore ReportType=1 345234234234======33432234= ==234 MALFORMED-REPORT
49 WerMgr.exe (LocalSystem)
C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ WerMgr!DoCoreUpload Report.wer
Wer!WerpSubmitReportFromStore
WerMgr!UtilRecursiveRemoveDirectory
50 WerMgr.exe (LocalSystem)
C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ WerMgr!DoCoreUpload Report.wer
Wer!WerpSubmitReportFromStore
For each file .. WerMgr!UtilRecursiveRemoveDirectory WerMgr!PreparePathForDeletion(FilePath)
51 Int64 PreparePathForDeletion(WCHAR* FilePath) {
} 52 Int64 PreparePathForDeletion(WCHAR* FilePath) { PSECURITY_DESCRIPTOR SD = NULL; … // Read DACL to memory GetFileSecurity(FilePath, DACL_SECURITY_INFO, SD);
} 53 Int64 PreparePathForDeletion(WCHAR* FilePath) { PSECURITY_DESCRIPTOR SD = NULL; … // Read DACL to memory GetFileSecurity(FilePath, DACL_SECURITY_INFO, SD); // Add Delete Permissions … SetEntriesInAcl(...); // DACL = Orig + Delete for System ... SetSecurityDesciptorDacl(SD, …);
} 54 Int64 PreparePathForDeletion(WCHAR* FilePath) { PSECURITY_DESCRIPTOR SD = NULL; … // Read DACL to memory GetFileSecurity(FilePath, DACL_SECURITY_INFO, SD); // Add Delete Permissions … SetEntriesInAcl(...); ... SetSecurityDesciptorDacl(SD, …);
// Apply the modified DACL SetFileSecurity(FilePath, DACL_SECURITY_INFO, SD); … 55 } Int64 PreparePathForDeletion(WCHAR* FilePath) { PSECURITY_DESCRIPTOR SD = NULL; … // Read DACL to memory GetFileSecurity(FilePath, DACL_SECURITY_INFO, SD);
SetFileSecurity(FilePath, DACL_SECURITY_INFO, SD); …
} 56 Exploit.exe (Standard User) C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer
Version=MALFORMED13371337 EventType=WindowsFailure ReportType=1 345234234234======33432234= ==234 MALFORMED-REPORT
57 Exploit.exe (Standard User) C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ Run ‘QueueReporting’ AppCrash_Gdl.exe_A_B_C_D\ Scheduled Task Report.wer
WerMgr.exe (LocalSystem)
58 Exploit.exe (Standard User) C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer
Version=MALFORMED13371337 EventType=WindowsFailure ReportType=1 WerMgr.exe Read corrupted report 345234234234======33432234= (LocalSystem) ==234 MALFORMED-REPORT
59 Exploit.exe (Standard User) C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer
WerMgr.exe GetFileSecurity(“.. AppCrash_Gdl.exe_A_B_C_D\Report.wer”, &Dacl); (LocalSystem)
60 Exploit.exe (Standard User) Create Link C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer
NTFS Hardlink WerMgr.exe (LocalSystem) C:\Windows\System32\Drivers pci.sys
61 Exploit.exe (Standard User) C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer
NTFS Hardlink WerMgr.exe (LocalSystem) NewDacl = Everyone + LocalSystem Delete C:\Windows\System32\Drivers pci.sys
62 Exploit.exe (Standard User) C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ Report.wer
NTFS Hardlink WerMgr.exe (LocalSystem) SetFileSecurity(“...Report.wer”, NewDacl); C:\Windows\System32\Drivers pci.sys
63 Exploit.exe (Standard User)
CreateFile(W), WriteFile, ..
C:\Windows\System32\Drivers pci.sys
64 WerMgr DACL Overwrite
● Does WerMgr.exe later delete ‘pci.sys’? ○ No - WerMgr.exe checks if it is a link before deleting the file ○ No - Hardlinks don’t work that way (more about that later) ● Is it hard to win the race condition? ○ Yes! ○ But .. You can try for many times until it works (few seconds up to ~5 minutes) ● To get privesc, what file should we target? ○ DLL that later gets loaded by a System process ○ Technique by James Forshaw of GPZ
■ https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html
65 Vuln #3: Wer!WerpCleanWer Arbitrary File Deletion
● CVE-2019-1037 ● wer.dll (common utils used by all WER components) ● Impact: delete any file you want as LocalSystem
66 How to Exploit File Deletion Bugs?
● File deletion bugs cannot be exploited using NTFS hardlinks
C:\Logs NTFS Hardlink C:\Program Files\MyApp Gdl.exe Create Link Gdl.log Gdl.dll (Standard User)
67 How to Exploit File Deletion Bugs?
● File deletion bugs cannot be exploited using NTFS hardlinks
C:\Logs C:\Program Files\MyApp MySrv.exe DeleteFile NTFS Hardlink Gdl.log Gdl.dll (LocalSystem)
MySrv.exe: DeleteFile(“C:\Logs\Gdl.log”) 68 How to Exploit File Deletion Bugs?
● File deletion bugs cannot be exploited using NTFS hardlinks
C:\Logs C:\Program Files\MyApp MySrv.exe DeleteFile Gdl.dll (LocalSystem)
MySrv.exe: DeleteFile(“C:\Logs\Gdl.log”) 69 How to Exploit File Deletion Bugs?
● File deletion bugs cannot be exploited using NTFS hardlinks ● Hardlinks are like “giving one file multiple names” ○ If you delete “one name”, you don’t delete the others ● Use other links primitive to exploit deletion bugs - directory junctions
C:\Logs C:\Program Files\MyApp MySrv.exe DeleteFile Gdl.dll (LocalSystem)
MySrv.exe: DeleteFile(“C:\Logs\Gdl.log”) 70 Junctions
● “Symlinks“ between directories
Create Junction C:\Logs Junction C:\Program Files\MyApp Gdl.exe Gdl.dll (Standard User)
Gdl.exe: Create Junction “C:\Logs” => “C:\Program Files\MyApp” 71 Junctions
● DeleteFile(‘C:\Logs\Gdl.dll’) => ‘C:\Program Files\MyApp\Gdl.dll’
C:\Logs Junction C:\Program Files\MyApp MySrv.exe DeleteFile Gdl.dll (LocalSystem)
MySrv.exe: DeleteFile(“C:\Logs\Gdl.dll”) 72 Junctions
● DeleteFile(‘C:\Logs\Gdl.dll’) => ‘C:\Program Files\MyApp\Gdl.dll’ ● Path rewrite at directory level ○ ‘C:\Logs’ => ‘C:\Program Files\MyApp’
C:\Logs Junction C:\Program Files\MyApp MySrv.exe DeleteFile Gdl.dll (LocalSystem)
MySrv.exe: DeleteFile(“C:\Logs\Gdl.dll”) 73 Junctions Creation Requirements
● To create a junction, the source directory (C:\Logs) must be- ○ Writable ○ Empty ○ No open handles
Create Junction C:\Logs Junction C:\Program Files\MyApp Gdl.exe Gdl.dll (Standard User)
74 CVE-2019-1037
WerMgr.exe Run ‘QueueReporting’ Scheduled Task (LocalSystem) (Can be done from Medium integrity)
75 CVE-2019-1037
WerMgr.exe Run ‘QueueReporting’ Scheduled Task (LocalSystem) (Can be done from Medium integrity)
WerMgr!WinMain
Wer!WerpCleanWer
76 CVE-2019-1037
Wer!WerpCleanWer deletes all old files in ‘C:\ProgramData\Microsoft\Windows\WER\Temp’ directory. WerMgr.exe (LocalSystem)
WerMgr!WinMain
Wer!WerpCleanWer
77 Int64 WerpCleanWer(void) { LPFILETIME CurrentTime = NULL; CString* TempDirPath; UtilGetPathOfWERTempDirectory(&TempDirectoryPath);
}
78 Int64 WerpCleanWer(void) { LPFILETIME CurrentTime = NULL; CString* TempDirPath; UtilGetPathOfWERTempDirectory(&TempDirectoryPath); GetSystemTimeAsFileTime(&CurrentTime);
}
79 Int64 WerpCleanWer(void) { LPFILETIME CurrentTime = NULL; CString* TempDirPath; UtilGetPathOfWERTempDirectory(&TempDirectoryPath); GetSystemTimeAsFileTime(&CurrentTime); UtilPruneFolderOfOldFiles(TempDirPath, CurrentTime); }
80 Int64 WerpCleanWer(void) { LPFILETIME CurrentTime = NULL; CString* TempDirPath; UtilGetPathOfWERTempDirectory(&TempDirectoryPath); GetSystemTimeAsFileTime(&CurrentTime); UtilPruneFolderOfOldFiles(TempDirPath, CurrentTime); } Int64 UtilPruneFolderOfOldFiles(TempDirPath, CurrentTime) { WIN32_FIND_DATA FileData; EnumHandle = FindFirstFile(TempDirPath.., &FileData); do {
} while (FindNextFile(EnumHandle, &FileData); } 81 Int64 WerpCleanWer(void) { LPFILETIME CurrentTime = NULL; CString* TempDirPath; UtilGetPathOfWERTempDirectory(&TempDirectoryPath); GetSystemTimeAsFileTime(&CurrentTime); UtilPruneFolderOfOldFiles(TempDirPath, CurrentTime); } Int64 UtilPruneFolderOfOldFiles(TempDirPath, CurrentTime) { WIN32_FIND_DATA FileData; EnumHandle = FindFirstFile(TempDirPath.., &FileData); do { If ( .. Path is a file, and LastWriteTime is old enough .. ) { DeleteFile(..FileData.cFileName); } } while (FindNextFile(EnumHandle, &FileData); } 82 Int64 WerpCleanWer(void) { LPFILETIME CurrentTime = NULL; CString* TempDirPath; UtilGetPathOfWERTempDirectory(&TempDirectoryPath); GetSystemTimeAsFileTime(&CurrentTime); UtilPruneFolderOfOldFiles(TempDirPath, CurrentTime); } Int64 UtilPruneFolderOfOldFiles(TempDirPath, CurrentTime) { WIN32_FIND_DATA FileData; EnumHandle = FindFirstFile(TempDirPath.., &FileData); do { If ( .. Path is a file, and LastWriteTime is old enough .. ) { DeleteFile(..FileData.cFileName); } } while (FindNextFile(EnumHandle, &FileData); } 83 Exploiting CVE-2019-1037
● Create a junction between WerTempDir => ‘C:\Program Files\MyApp’ ● Run ‘QueueReporting’ scheduled task ● All the old files in ‘MyApp’ directory will be deleted!
WerMgr.exe (LocalSystem) WerTempDir Junction C:\Program Files\MyApp App.exe Gdl.dll ... Wer!UtilPruneFolderOfOldFiles
84 CVE-2019-1037 - Can We Improve the Exploit?
● What if want to delete only a single file? ● That is not old enough …? ● Open the possibility for DLL-hijacking attack ○ LoadLibrary search order
C:\Program Files\MyApp App.exe Gdl.dll ...
85 Exploit.exe (Standard User)
C:\Program Files\MyApp App.exe Gdl.dll ...
86 Create directory & files C:\MyDir Exploit.exe (Standard User) A.txt Gdl.dll
C:\Program Files\MyApp App.exe Gdl.dll ...
87 Modify the files LastWriteTime using C:\MyDir kernel32!SetFileTime Exploit.exe (Standard User) A.txt Gdl.dll
C:\Program Files\MyApp App.exe Gdl.dll ...
88 C:\MyDir Exploit.exe (Standard User) A.txt Gdl.dll
Run ‘QueueReporting’ Scheduled Task
WerMgr.exe C:\Program Files\MyApp (LocalSystem) App.exe Gdl.dll ...
89 C:\MyDir Exploit.exe (Standard User) A.txt Gdl.dll
WerTempDir
WerMgr.exe C:\Program Files\MyApp (LocalSystem) App.exe Gdl.dll ... Wer!UtilGetPathOfWERTempDirectory
90 C:\MyDir Exploit.exe (Standard User) A.txt Create Junction Gdl.dll
WerTempDir Junction
WerMgr.exe C:\Program Files\MyApp (LocalSystem) App.exe Gdl.dll ...
91 C:\MyDir Exploit.exe (Standard User) A.txt Gdl.dll
WerTempDir Junction
WerMgr.exe C:\Program Files\MyApp (LocalSystem) FindFirstFile(WerTempDir) FindNextFile App.exe (Handle to C:\MyDir) Gdl.dll ... Wer!UtilPruneFolderOfOldFiles
92 C:\MyDir\A.txt’s LastWriteTime is old enough! It will be deleted
C:\MyDir Exploit.exe (Standard User) A.txt Gdl.dll
WerTempDir Junction
WerMgr.exe C:\Program Files\MyApp (LocalSystem) App.exe DeleteFile(“WerTempDir\A.txt”) Gdl.dll ... Wer!UtilPruneFolderOfOldFiles
93 Switch junction from WerTemp=>MyDir to WerTempDir => C:\Program Files\MyApp
WerTempDir is writable & empty~! No open handle to WerTempDir! C:\MyDir Exploit.exe (Standard User) A.txt Switch Junction Gdl.dll
WerTempDir
WerMgr.exe C:\Program Files\MyApp Junction (LocalSystem) App.exe Gdl.dll ...
94 FindFirstFile/FindNextFile doesn’t reopen WerTempDir
‘C:\MyDir\Gdl.dll’ LastWriteTime is old enough! C:\MyDir Exploit.exe (Standard User) Gdl.dll
WerMgr.exe C:\Program Files\MyApp (LocalSystem) FindNextFile => C:\MyDir\Gdl.dll App.exe (Handle to C:\MyDir) Gdl.dll ... Wer!UtilPruneFolderOfOldFiles
95 C:\MyDir Exploit.exe (Standard User) Gdl.dll
WerTempDir
WerMgr.exe C:\Program Files\MyApp Junction (LocalSystem) App.exe DeleteFile(“WerTempDir\Gdl.dll”) Gdl.dll ... Wer!UtilPruneFolderOfOldFiles
96 Is There a Better Way to Win the Race?
● Exploit works, but we need to switch the junction at the right time ● Use Opportunistic Locks ○ Locking files for access ○ Used for caching ■ Make sure no other entity access outdated data
97 Oplocks
C:\Logs Gdl.exe Oplock Gdl.log (Standard User) File, Event
98 Oplocks
C:\Logs CreateFile Gdl.exe Oplock *Blocked MySrv.exe Gdl.log (Standard User) (LocalSystem)
99 Oplocks
C:\Logs CreateFile Gdl.exe Oplock *Blocked MySrv.exe Gdl.log (Standard User) (LocalSystem)
Oplock event is set!
100 Oplocks
CreateFile CloseHandle C:\Logs Gdl.exe *Blocked MySrv.exe Gdl.log (Standard User) (LocalSystem)
101 Oplocks
C:\Logs CreateFile Gdl.exe returns MySrv.exe Gdl.log (Standard User) (LocalSystem)
102 Oplocks
● Great feature for exploiting filesystem race conditions ○ Blocks CreateFile ○ Notifies CreateFile occured by signaling an event
C:\Logs CreateFile Gdl.exe Oplock *Blocked MySrv.exe Gdl.log (Standard User) (LocalSystem)
Oplock event is set!
103 CVE-2019-1037 Exploit (w/ Oplock)
Set Oplock on ‘C:\MyDir\A.txt’ C:\MyDir Exploit.exe (Standard User) A.txt Gdl.dll
104 CVE-2019-1037 Exploit (w/ Oplock)
C:\MyDir Exploit.exe (Standard User) A.txt Gdl.dll
WerTempDir Junction
WerMgr.exe C:\Program Files\MyApp (LocalSystem) App.exe DeleteFile(“WerTempDir\A.txt”) Gdl.dll ... Wer!UtilPruneFolderOfOldFiles
105 CVE-2019-1037 Exploit (w/ Oplock)
Oplock event is set! C:\MyDir Exploit.exe (Standard User) A.txt Gdl.dll
WerTempDir Junction
WerMgr.exe C:\Program Files\MyApp (LocalSystem) App.exe DeleteFile(“WerTempDir\A.txt”) Gdl.dll ...
Suspended Wer!UtilPruneFolderOfOldFiles 106 CVE-2019-1037 Exploit (w/ Oplock)
Switch the junctions while WerMgr.exe is waiting C:\MyDir Exploit.exe (Standard User) A.txt Switch Junction Gdl.dll
WerTempDir
WerMgr.exe C:\Program Files\MyApp Junction (LocalSystem) App.exe DeleteFile(“WerTempDir\A.txt”) Gdl.dll ...
Suspended Wer!UtilPruneFolderOfOldFiles 107 CVE-2019-1037 Exploit (w/ Oplock)
Close the handle to ‘A.txt’ and release WerMgr.exe C:\MyDir Exploit.exe (Standard User) Gdl.dllA.txt Gdl.dll
WerTempDir
WerMgr.exe C:\Program Files\MyApp Junction (LocalSystem) App.exe DeleteFile(“WerTempDir\Gdl.dll”) Gdl.dll ...
Resumed Wer!UtilPruneFolderOfOldFiles 108 Conclusion
● WER is a great place to look for privesc bugs ● When researching this bug class ProcMon is your friend :) ● I discovered more vulnerabilities in WER ○ More info will be published in PaloAltoNetworks Unit42 blog, stay tuned! ● Thanks James Forshaw
@galdeleon
109