Privilege Escalation vulnerability in Windows Shell

[German]Today another topic that has been on my agenda for a while. There is a privilege escalation vulnerability in the Windows shell that allows a local attacker to escalate user privileges. But it’s quite difficult and can only be exploited locally.


Advertising

Memory-wise, this has never been more widely addressed. i came across it via the following tweet from Jonas L, who has already disclosed several vulnerabilities in Windows.

The vulnerability is outlined in this Google Docs document. When the user changes the profile picture of a user account, DCOM triggers a call to the Shell Create Object Task Server as the system and writes the new picture to C:\users\public\AccountPictures. However, exploiting this vulnerability for local privilege elevation proved difficult, the discoverer writes. After failing three times already, he still found a trick that led to the goal. The approach is based on James Forshaw’s hints and can be read here.

Basically it is about how to craft a path in the NT object namespace that takes as long as possible to parse. If the user account picture is changed, this triggers different file actions in the path c:\users\public\AccountPictures):

\AccountPictures\S-1-5-21-2781542633-746229175-3265460138-1001

Is checked if it redirects to another path.


\S-1-5-21-2781542633-746229175-3265460138-1001\{2E84DAF4-572D-4F17-A374-336A1E77E9B6}-Image96.jpg

Is created, notice that the filename contains an random GUID


\S-1-5-21-2781542633-746229175-3265460138-1001\{2E84DAF4-572D-4F17-A374-336A1E77E9B6}-Image96.tmp

Is created


\S-1-5-21-2781542633-746229175-3265460138-1001\~2E84DAF4-572D-4F17-A374-336A1E77E9B6}-Image96.tmp

Is created and the calling user is granted full permission to the file.


\S-1-5-21-2781542633-746229175-3265460138-1001\{2E84DAF4-572D-4F17-A374-336A1E77E9B6}-Image96.jpg~RFb1bdf30.TMP

Is created

Then the process repeats for image32 instead of image96 and continues with 192, 40, 448, 32 ,48 ,240 ,96. If an attacker manages to redirect the file to which the calling user has full permission to a different location and filename, he can inject a sideloading dll into system32 and place his own payload.


Advertising

Within this Google Docs document Jonas L. outlines, how to find out the name of the file and exploit it in a proof of concept (PoC). It is not a critical vulnerability, as exploitation is very complex to exploit and requires the user’s cooperation (he would have to change his user account picture). However, the episode shows that the devil often lurks in the details.


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security, Windows and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *