research on the abuse of windows privilege file operation (1)

Posted by chiappelli at 2020-02-27
This article describes how file operations performed by privileged processes on Windows can be abused to escalate local privileges (from user to administrator/SYSTEM). It also introduces the techniques, tools and concrete procedures available for exploiting such vulnerabilities.

Privileged file operation vulnerability

A process running with high privileges performs file operations just like any other process, which means that, when it does not take sufficient precautions, it can end up accessing files or directories that the user controls. In theory this is a security vulnerability, because a malicious attacker may abuse the operation executed by the privileged process and make it do something with the file that it should not. This is true for many kinds of privileged access to user-controlled resources; files are simply the easiest target.

In penetration testing, well-known examples include user-writable service executables and DLL hijacking. If you have write permission to the file that a privileged service will execute, or to a directory in which it will look for a DLL, you can get your payload executed inside that privileged process. These vulnerabilities are well known, however: apart from the occasional configuration mistake, general protection software can prevent them.

However, the potential misuse of other file system operations seems much less well known, even though it is just as dangerous as the vulnerabilities mentioned above. If you can have a privileged process create, copy, move or delete arbitrary files for you, you are not far from the equivalent of that process calling a shell script you control through the system function.

In addition, because these are logic vulnerabilities, they are usually very stable (no memory corruption is involved), they generally survive code refactoring (as long as the file operation logic remains unchanged), and they are abused in exactly the same way regardless of the processor architecture. These properties make them very valuable to attackers.

The process of finding loopholes

User writable location

Although most privileged programs do not directly operate on the files of unprivileged users (with some exceptions, such as AV), many of them operate on files that may be located in a place where users can create or modify content. An unprivileged user has some form of write permission in the following locations:

1. Users' own files and directories, including their AppData and Temp folders: these may be used by some privileged processes if you are lucky, or if an AV is running;

2. Files and directories of the Public user: idem;

3. Directories created in C:\ with the default ACL (access control list): by default, a directory created in the root of the partition gets an ACL that allows users to write;

4. C:\ProgramData subdirectories with the default ACL: by default, users can create files and directories but cannot modify existing ones; this is usually the first place to look;

5. C:\Windows\Temp subdirectories: by default, users can create files and directories but cannot modify existing ones, nor read files or access directories created by other users. Be sure to check installers and other privileged software and scripts that run from time to time without checking for pre-existing files and directories;

You can check file permissions with dedicated tools and commands (such as Sysinternals' accesschk, icacls or PowerShell's Get-Acl), or with the Security tab of the file's properties dialog in Explorer. Its Advanced view has an Effective Access tab that lists the access rights a specific account or group has on a file or directory (like accesschk on the command line). The screenshot referenced at this point (not included in this copy) shows the default access granted to the Users group on the C:\ProgramData directory.
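As an added example (not from the original article), the PowerShell audit below walks the top-level subdirectories of the roots listed above and reports every ACL entry that grants create, write or delete rights to Everyone, Authenticated Users or the Users group; the function name, the SID list and the chosen set of right bits are my own assumptions.

```powershell
# Added example, not from the original article: list directories under the locations
# named above whose ACL grants create/write/delete rights to low-privilege principals.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; runs as a normal user.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)
# Rights that let a user plant or alter content. CreateFiles/CreateDirectories are the
# bits behind "users can create but not modify", which is what makes these directories
# interesting. Generic rights (GENERIC_WRITE etc.) are not expanded here.
$writeBits = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                   [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles)

function Get-LowPrivWritableDirs {
    param([string[]]$Roots = @("$env:SystemDrive\", $env:ProgramData, "$env:SystemRoot\Temp"))
    foreach ($root in $Roots) {
        # The top-level subdirectories of each root are the ones the article discusses
        Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                # Compare SIDs rather than names so localized group names still match
                try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
                catch { continue }
                if ($lowPrivSids -contains $sid -and (([int]$ace.FileSystemRights -band $writeBits) -ne 0)) {
                    [pscustomobject]@{
                        Path      = $_.FullName
                        Identity  = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

Get-LowPrivWritableDirs | Sort-Object Path | Format-Table -AutoSize
```

Entries with Inherited set to False are the explicit grants worth reviewing first, since those are the ones an installer or product chose to add.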

Find privileged file operation

To find file operations performed by privileged processes, we can simply use Sysinternals' Procmon (Process Monitor), a tool produced by Microsoft to monitor program activity on Windows: it records registry writes, file writes, network connections, and process and thread creation. Filter the file events for the processes you are interested in, and when you see a process access files and directories that the user can control, check whether it impersonates the client while doing so.

Exploit technology and tools

Once we have found privileged operations performed on files or directories that the user controls, we need a way to hijack these operations in order to carry out an attack.

NTFS junctions

Junctions are an NTFS feature that allows a directory to be set as a mount point for a file system, like mount points in UNIX, but they can also be set to resolve to another directory (on the same or on another file system). For the purposes of this article, we can think of them as a kind of symbolic link that applies only to directories.

Interestingly, in most cases path resolution will follow junctions (unless flags are explicitly set to prevent this), so if C:\dir is a junction to C:\other, a program that tries to open C:\dir\file.txt will actually open C:\other\file.txt.

Junctions can be created by unprivileged users, and because they work across volumes you can also "redirect" C:\dir to D:\otherdir. If you have write access to an existing directory you can convert it into a junction, but it must be empty.

NTFS junctions are implemented with reparse points. Although the built-in tools do not allow it, a junction can be made to resolve to any path by setting a custom reparse point. The CreateMountPoint tool lets you do this; for regular junctions you can also use mklink or PowerShell's New-Item with the -Type Junction parameter.

NTFS reparse points

One of the most interesting features of NTFS version 5, released with Windows 2000, is the ability to attach special file system behaviour to specific files or directories. These special functions make the NTFS file system more powerful and extensible. The mechanism on which this feature is built is called the reparse point.

Reparse points exist because some applications want to store special data in a special place, the reparse point, marked with a tag so that only that application uses it. An application-specific filter is added to the file system and associated with the reparse point's tag. Multiple applications can store different data in the same reparse point file under different tags. Microsoft has reserved several tags for its own use.

Now suppose a user accesses a file carrying a tagged reparse point. When the file system opens the file, it finds the reparse point associated with it and, for the resulting "reparse" request, looks up the filter whose application matches the reparse point's tag. The reparse point's data is then handed to that filter, which can use it in whatever way the application originally defined. This is a very flexible system: the application does not need to care about how reparse points work, and the implementation details of the reparse point are completely transparent to the user. You simply put data in and take it out, and the rest happens automatically, which greatly extends what the file system can do.

1. Symbolic links: a symbolic link lets you create a pointer to a file located somewhere else. NTFS symbolic links are not exactly the same as those of UNIX file systems, but functionally they emulate them. In essence, an NTFS symbolic link is a reparse point that redirects access to one file to another.

2. Junction points: junctions are similar to symbolic links, except that the object is a directory rather than a file.

3. Volume mount points: volume mount points are similar to the first two, but go a step further: they can create links to an entire volume. For example, you can create a volume mount point for a removable hard disk or other storage media, or make different local partitions (C:, D:, E:, etc.) appear to be on one volume. This is very useful for large CD-ROM servers, which without volume mount points could only maintain one drive letter per disc by hand.

4. RSS (Remote Storage Service): this Windows 2000 feature can, according to configurable rules, remove rarely used files from NTFS volumes and place them on archive media (such as CD-RW or tape). When it moves a file to "offline" or "near-line" storage, RSS automatically creates a reparse point to the archived file for future use.

Hard link

We all know that a file has a file name and data; on Linux this is split into two parts, user data and metadata. The user data, that is, the data blocks, is where the real content of the file is recorded, while the metadata holds the file's additional attributes such as size, creation time and owner. On Linux the inode number in the metadata (the inode is part of the file's metadata but does not contain the file name; the inode number is the index node number) is the unique identifier of the file, not the file name. The file name exists only for people's convenience; the system or program finds the correct data blocks through the inode number.

Because hard links are files that share the same inode number but have different file names, they have the following characteristics:

·The files have the same inode and data blocks;

·They can only be created for existing files;

·They cannot be created across file systems;

·They cannot be created for directories, only for files;

·Deleting one hard link does not affect the other files with the same inode number.

Accordingly, unprivileged users can also create hard links on Windows, which, like their UNIX counterparts, act as additional paths to an existing file. They cannot be used on directories or across volumes (that would not make sense for a hard link).

Also, the built-in tools do not allow you to create a hard link to a file you do not have write permission to, but the underlying system call does: it only requires opening the file for reading. Use the CreateHardlink tool from the Symbolic Link Testing Tools (or the PowerShell script written by Ruben Boonen) to create a hard link to a file that you do not have write permission to.

Note that a link created this way cannot be deleted without write permission to the file. Also, this technique has been mitigated in the upcoming Windows 10 release.
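The junctions section above and the hard link discussion here both describe links that let a privileged file operation land somewhere the unprivileged user chose. As an added example (not from the original article), this PowerShell inventory scans the user-writable staging directories named earlier for junctions, symbolic links and files with more than one name, and flags any whose other path lies outside the scanned root; the function name, the depth limit and the choice of roots are my own assumptions.

```powershell
# Added example, not from the original article: inventory junctions, symbolic links and
# multi-name hard links inside user-writable staging directories and flag those whose
# other name lies outside the scanned root. Assumes Windows PowerShell 5.1+ on NTFS.
function Find-LinkEscapes {
    param([string[]]$Roots = @($env:ProgramData, "$env:SystemRoot\Temp"))
    foreach ($root in $Roots) {
        $rootPath = (Get-Item -LiteralPath $root -Force).FullName.TrimEnd('\')

        # Reparse points: Get-ChildItem exposes LinkType (Junction/SymbolicLink) and Target.
        # -Depth bounds the recursion in case a junction points back up the tree.
        Get-ChildItem -LiteralPath $rootPath -Recurse -Depth 4 -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
          ForEach-Object {
            foreach ($target in @($_.Target)) {
                if (-not $target) { continue }   # reparse point that is not a link (e.g. cloud placeholder)
                [pscustomobject]@{ Kind = $_.LinkType; Path = $_.FullName; Target = $target
                                   Escapes = -not $target.StartsWith($rootPath, 'OrdinalIgnoreCase') }
            }
          }

        # Hard links: fsutil prints every name of a file as a drive-relative path, so a
        # second name for a file in this tree means a hard link was created (here or elsewhere).
        Get-ChildItem -LiteralPath $rootPath -Recurse -Depth 4 -Force -File -ErrorAction SilentlyContinue |
          ForEach-Object {
            $file  = $_
            $names = @(& fsutil hardlink list $file.FullName 2>$null | Where-Object { $_ })
            if ($names.Count -lt 2) { return }
            foreach ($name in $names) {
                $other = $file.PSDrive.Root.TrimEnd('\') + $name
                if ($other -ieq $file.FullName) { continue }
                [pscustomobject]@{ Kind = 'HardLink'; Path = $file.FullName; Target = $other
                                   Escapes = -not $other.StartsWith($rootPath, 'OrdinalIgnoreCase') }
            }
          }
    }
}

Find-LinkEscapes | Where-Object Escapes | Format-Table -AutoSize
```

A hard link whose other name sits under C:\Windows, or a junction in a directory a privileged installer is about to write into, is exactly the situation the text describes and deserves a look at which process created it.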

In this first part we have given a theoretical analysis of privileged file operations and the vulnerabilities they can introduce. In the next part we will cover Object Manager symbolic links and give examples and ideas for exploiting such vulnerabilities.