[German]Today another topic that has been on my agenda for a while. There is a privilege escalation vulnerability in the Windows shell that allows a local attacker to escalate user privileges. But it's quite difficult and can only be exploited locally.
Advertising
Memory-wise, this has never been more widely addressed. i came across it via the following tweet from Jonas L, who has already disclosed several vulnerabilities in Windows.
The vulnerability is outlined in this Google Docs document. When the user changes the profile picture of a user account, DCOM triggers a call to the Shell Create Object Task Server as the system and writes the new picture to C:\users\public\AccountPictures. However, exploiting this vulnerability for local privilege elevation proved difficult, the discoverer writes. After failing three times already, he still found a trick that led to the goal. The approach is based on James Forshaw's hints and can be read here.
Basically it is about how to craft a path in the NT object namespace that takes as long as possible to parse. If the user account picture is changed, this triggers different file actions in the path c:\users\public\AccountPictures):
\AccountPictures\S-1-5-21-2781542633-746229175-3265460138-1001
Is checked if it redirects to another path.
\S-1-5-21-2781542633-746229175-3265460138-1001\{2E84DAF4-572D-4F17-A374-336A1E77E9B6}-Image96.jpg
Is created, notice that the filename contains an random GUID
\S-1-5-21-2781542633-746229175-3265460138-1001\{2E84DAF4-572D-4F17-A374-336A1E77E9B6}-Image96.tmp
Is created
\S-1-5-21-2781542633-746229175-3265460138-1001\~2E84DAF4-572D-4F17-A374-336A1E77E9B6}-Image96.tmp
Is created and the calling user is granted full permission to the file.
\S-1-5-21-2781542633-746229175-3265460138-1001\{2E84DAF4-572D-4F17-A374-336A1E77E9B6}-Image96.jpg~RFb1bdf30.TMP
Is createdThen the process repeats for image32 instead of image96 and continues with 192, 40, 448, 32 ,48 ,240 ,96. If an attacker manages to redirect the file to which the calling user has full permission to a different location and filename, he can inject a sideloading dll into system32 and place his own payload.
Advertising
Within this Google Docs document Jonas L. outlines, how to find out the name of the file and exploit it in a proof of concept (PoC). It is not a critical vulnerability, as exploitation is very complex to exploit and requires the user's cooperation (he would have to change his user account picture). However, the episode shows that the devil often lurks in the details.
