Exploiting Errors in Windows Error Reporting Gal De Leon (@galdeleon) BlueHatIL 2020 Who am I? ● Gal De Leon ● Principal security researcher @ PaloAltoNetworks Anti-Exploit Team ● Interested in fuzzing, vulnerabilities, exploits and mitigations ● MSRC MVSR 10th place 2018 & 2019 ○ ~35 vulnerabilities 2 Agenda ● What are privileged filesystem access bugs? ● Overview of Windows Error Reporting ● Vulnerabilities & exploits in WER 3 File Access CreateFile(WRITE) C:\Windows\System32\Drivers Gdl.exe (Standard User) pci.sys 4 File Access CreateFile(WRITE) C:\Windows\System32\Drivers Gdl.exe (Standard User) pci.sys C:\Windows\System32\Cmd.exe C:\Users\gdeleon>icacls c:\Windows\System32\drivers\pci.sys c:\Windows\System32\drivers\pci.sys NT SERVICE\TrustedInstaller:(F) NT AUTHORITY\SYSTEM:(F) BUILTIN\Users:(RX) 5 File Access CreateFile(WRITE) C:\Windows\System32\Drivers Gdl.exe (Standard User) pci.sys ACCESS_DENIED C:\Windows\System32\Cmd.exe C:\Users\gdeleon>icacls c:\Windows\System32\drivers\pci.sys c:\Windows\System32\drivers\pci.sys NT SERVICE\TrustedInstaller:(F) NT AUTHORITY\SYSTEM:(F) BUILTIN\Users:(RX) 6 File Access CreateFile(WRITE) C:\Windows\System32\Drivers MySrv.exe pci.sys (LocalSystem) C:\Windows\System32\Cmd.exe C:\Users\gdeleon>icacls c:\Windows\System32\drivers\pci.sys c:\Windows\System32\drivers\pci.sys NT SERVICE\TrustedInstaller:(F) NT AUTHORITY\SYSTEM:(F) BUILTIN\Users:(RX) 7 Privileged Filesystem Access Bugs ● Ask a privileged component (service, driver, etc) to access a file for us, that we couldn’t access otherwise 8 Bug Example #1 - PleaseWriteFileForMe() RPC CreateFile(WRITE) C:\Windows\System32\Drivers Gdl.exe MySrv.exe (Standard User) (LocalSystem) pci.sys RPC: PleaseWriteFileForMe(“C:\Windows\System32\Drivers\pci.sys”, buffer); *MySrv.exe doesn’t use impersonation (RPC) 9 Bug Example #2 - WriteLogFile() RPC CreateFile(WRITE) C:\Logs Gdl.exe MySrv.exe (Standard User) (LocalSystem) Gdl.log RPC: WriteLogFile(“Gdl.log”, buffer); *MySrv.exe doesn’t use impersonation (RPC) 10 Bug Example #2 - WriteLogFile() RPC CreateFile(WRITE) C:\Logs Gdl.exe MySrv.exe (Standard User) (LocalSystem) Gdl.log RPC: C:\Windows\System32\Cmd.exe WriteLogFile(“Gdl.log”, buffer); c:\Logs>icacls c:\Logs *MySrv.exe doesn’t use impersonation (RPC) c:\Logs Everyone:(OI)(CI)(F) 11 Bug Example #2 - WriteLogFile() CreateLink C:\Logs Gdl.exe (Standard User) Gdl.log NTFS Hardlink C:\Windows\System32\Drivers pci.sys 12 Bug Example #2 - WriteLogFile() RPC CreateFile(WRITE) C:\Logs Gdl.exe MySrv.exe (Standard User) (LocalSystem) Gdl.log NTFS RPC: Hardlink WriteLogFile(“Gdl.log”, buffer); C:\Windows\System32\Drivers pci.sys 13 Privileged Filesystem Access Bugs ● General definition ○ A privileged component operates on a file (read, write, delete, set-dacl, ..) ○ As LocalSystem (+ no impersonation) ○ File path is controlled, or can be redirected using a link ● Could lead to privilege escalation ○ Classic Example- Overwrite an executable file that later runs as LocalSystem ● Disclaimers - ○ Links creation requires running at MediumIL (cannot exploit sandboxes < MediumIL) ○ Windows Insider Preview (WIP) April 2019 - Hardlinks mitigation 14 Windows Error Reporting Overview 15 What Happens When a Process Crashes? Gdl.exe XOR RAX, RAX (Standard User) MOV [RAX], 1337h 16 What Happens When a Process Crashes? Gdl.exe XOR RAX, RAX (Standard User) MOV [RAX], 1337h Kernelbase!UnhandledExceptionHandler Kernel32!WerpReportFault 17 What Happens When a Process Crashes? Gdl.exe XOR RAX, RAX svchost.exe (Standard User) MOV [RAX], 1337h (WerSvc) WNF (WNF_WER_SERVICE_START) Kernelbase!UnhandledExceptionHandler ... Kernel32!WerpReportFault Ntdll!SignalStartWerSvc 18 What Happens When a Process Crashes? Gdl.exe ALPC svchost.exe (Standard User) (WerSvc) 19 What Happens When a Process Crashes? Gdl.exe ALPC svchost.exe (Standard User) (WerSvc) WerSvc!CWerService::SvcReportCrash Faultrep!WerpCreateCrashVerticalProcess Kernel32!CreateProcessAsUser 20 What Happens When a Process Crashes? Gdl.exe ALPC svchost.exe (Standard User) (WerSvc) Parent: Gdl.exe Child: WerFault.exe WerSvc!CWerService::SvcReportCrash WerFault.exe Faultrep!WerpCreateCrashVerticalProcess (Standard User) Kernel32!CreateProcessAsUser 21 What Happens When a Process Crashes? Gdl.exe (Standard User) Collect data, exception info, memory dump, .. WerFault.exe (Standard User) 22 What Happens When a Process Crashes? Gdl.exe (Standard User) C:\ProgramData\Microsoft\Windows\WER ReportArchive\ Create Directory ReportQueue\ WerFault.exe AppCrash_Gdl.exe_A_B_C_D\ (Standard User) Temp\ 23 What Happens When a Process Crashes? Gdl.exe (Standard User) C:\ProgramData\Microsoft\Windows\WER ReportArchive\ ReportQueue\ WerFault.exe Create Report File AppCrash_Gdl.exe_A_B_C_D\ (Standard User) Report.wer ... Version=1 EventType=WindowsFailure Temp\ EventType=13133355343 ReportType=1 .. 24 What Happens When a Process Crashes? Gdl.exe Microsoft Cloud (Standard User) C:\ProgramData\Microsoft\Windows\WER ReportArchive\ Upload Report Data ReportQueue\ WerFault.exe AppCrash_Gdl.exe_A_B_C_D\ (Standard User) Report.wer ... Temp\ 25 What Happens When a Process Crashes? Gdl.exe (Standard User) C:\ProgramData\Microsoft\Windows\WERC:\ProgramData\Microsoft\Windows\WER\ ReportArchive\ReportArchive\ AppCrash_Gdl.exe_A_B_C_D\ Report.werReport.wer ... Move Report ... Directory ReportQueue\ ReportQueue\ WerFault.exe (Standard User) Temp\ Temp\ 26 No Internet Connection? ● WerFault.exe keeps report directory under ‘ReportQueue’ ● At a later time, ‘Windows Error Reporting\QueueReporting’ scheduled task will report it using ‘WerMgr.exe -upload’ Microsoft Cloud C:\ProgramData\Microsoft\Windows\WER\ Wermgr.exe ReportQueue\ (LocalSystem) AppCrash_Gdl.exe_A_B_C_D\ Report.wer 27 Why is WER Prone to Privileged Filesystem Access Bugs? ● Many of WER components run as LocalSystem ○ WerSvc.dll, WerMgr.exe, WerFault.exe(?) ● They allow any user to interact with them ○ WerSvc ALPC port -> writable for everyone ○ QueueReporting scheduled task -> can be executed on demand by everyone ○ C:\ProgramData\Microsoft\Windows\WER\.. -> writable for everyone ● LocalSystem components operate on the files under WER directories ○ Can be abused using filesytem links 28 Vulnerabilities & Exploits in WER Vuln #1: WerSvc!CollectMemoryInfo File Overwrite ● Warm up bug :) ● CVE-2019-1342 ● Can be reached through WerSvc ALPC port ● Impact: overwrite arbitrary files as LocalSystem, content is partially controlled 30 Exploit.exe ALPC svchost.exe (Standard User) (WerSvc) ALPC: MessageID Args 31 Exploit.exe ALPC svchost.exe (Standard User) (WerSvc) ALPC: 0xF0030002 32 Exploit.exe ALPC svchost.exe (Standard User) (WerSvc) CWerService::DispatchPortRequestWorkItem WerSvc!CollectMemoryInfo 33 Exploit.exe ALPC svchost.exe (Standard User) (WerSvc) CWerService::DispatchPortRequestWorkItem WerTempDir CreateFile WER120.tmp.txt WerSvc!CollectMemoryInfo WerSvc!UtilGetTempFile(OUT &FilePath) CloseHandle 34 Exploit.exe ALPC svchost.exe (Standard User) (WerSvc) CWerService::DispatchPortRequestWorkItem WerTempDir CreateFile WER120.tmp.txt WerSvc!CollectMemoryInfo WerSvc!UtilCollectSystemInfo(FilePath) WriteFile 35 Vulnerable Pattern ... ● CreateFile ● CloseFile ● CreateFile ● WriteFile 36 Vulnerable Pattern ... ● CreateFile ● CloseFile Create Link ● CreateFile ● WriteFile 37 Exploit.exe (Standard User) ReadDirectoryChanges WerTempDir 38 Exploit.exe ALPC svchost.exe (Standard User) (WerSvc) ReadDirectoryChanges CWerService::DispatchPortRequestWorkItem WerTempDir WerSvc!CollectMemoryInfo 39 Exploit.exe ALPC svchost.exe (Standard User) (WerSvc) ReadDirectoryChanges CWerService::DispatchPortRequestWorkItem WerTempDir CreateFile WER280.tmp.txt WerSvc!CollectMemoryInfo WerSvc!UtilGetTempFile(OUT &FilePath) 40 Exploit.exe ALPC svchost.exe (Standard User) (WerSvc) ReadDirectoryChanges New File is Created! CWerService::DispatchPortRequestWorkItem Filename is WerTempDir ‘WER280.tmp.txt” CreateFile WER280.tmp.txt WerSvc!CollectMemoryInfo WerSvc!UtilGetTempFile(OUT &FilePath) 41 Exploit.exe ALPC svchost.exe (Standard User) (WerSvc) Create Link (Loop) CWerService::DispatchPortRequestWorkItem WerTempDir CreateFile WER280.tmp.txt NTFS WerSvc!CollectMemoryInfo Hardlink WerSvc!UtilGetTempFile(OUT &FilePath) CloseHandle C:\Windows\System32\Drivers pci.sys 42 Exploit.exe ALPC svchost.exe (Standard User) (WerSvc) CWerService::DispatchPortRequestWorkItem WerTempDir CreateFile WER280.tmp.txt NTFS WerSvc!CollectMemoryInfo Hardlink WerSvc!UtilCollectSystemInfo(FilePath) WriteFile C:\Windows\System32\Drivers pci.sys 43 WerSvc!CollectMemoryInfo File Overwrite ● Spot vulnerability pattern with Sysinternals ProcMon ○ CreateFile twice ● I didn’t exploit this to full privesc exploit ○ Requires larger degree of control overwrite content ○ Still enough for MSRC to assign a CVE 44 Vuln #2: WerMgr!PreparePathForDeletion DACL Overwrite 45 Run ‘QueueReporting’ Schedule Task (Can be done from Standard User, MediumIL) WerMgr.exe (LocalSystem) 46 WerMgr.exe (LocalSystem) C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ WerMgr!DoCoreUpload Report.wer Wer!WerpSubmitReportFromStore Enumerate pending reports 47 WerMgr.exe (LocalSystem) C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ WerMgr!DoCoreUpload Report.wer Read, parse Wer!WerpSubmitReportFromStore 48 WerMgr.exe (LocalSystem) C:\ProgramData\Microsoft\Windows\WER\ ReportQueue\ AppCrash_Gdl.exe_A_B_C_D\ WerMgr!DoCoreUpload Report.wer Version=MALFORMED13371337 Read, parse EventType=WindowsFailure Wer!WerpSubmitReportFromStore ReportType=1