{"id":16691,"date":"2021-07-07T16:29:30","date_gmt":"2021-07-07T14:29:30","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2020-0038\/"},"modified":"2021-07-19T14:16:07","modified_gmt":"2021-07-19T12:16:07","slug":"usd-2020-0038","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2020-0038\/","title":{"rendered":"usd-2020-0038"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<h1 class=\"h-custom-headline usd-small-letters h2\"><span>usd-2020-0038 | NCP Secure Enterprise Windows Client 10.14<\/span><\/h1>\n<p><span><\/span><\/p>\n<p><span><\/span><strong>Advisory ID<\/strong><span>: usd-2020-0038<\/span><br \/><strong>CVE Number<\/strong><span>: CVE-2020-11474<\/span><br \/><strong>Affected Product<\/strong><span>: NCP Secure Enterprise Windows Client\u00a0<\/span><br \/><strong>Affected Version<\/strong><span>: 10.14<\/span><br \/><strong>Vulnerability Type<\/strong><span>: Privileged File Write<\/span><br \/><strong>Security Risk<\/strong><span>: Critical<\/span><br \/><strong>Vendor URL<\/strong><span>: <a href=\"https:\/\/www.ncp-e.com\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.ncp-e.com<\/a><\/span><br \/><strong>Vendor Status<\/strong><span>: Fixed in 10.15 r47589<\/span><\/p>\n<h3><\/h3>\n<h3>Description<\/h3>\n<p><span>Symbolic link attacks have become more and more popular on Windows operating systems. A symbolic link is just a directory entry that points to a different location of the file system and redirects certain file operations to the actual target. 
When privileged processes interact with user-controlled parts of the file system, symbolic links can be used to redirect privileged file operations in order to achieve an elevation of privileges. However, it should be noted that low-privileged user accounts are not able to create symbolic links that connect two ordinary file system locations. That being said, there is a workaround that allows the creation of pseudo-symbolic links, as demonstrated by <\/span><a href=\"https:\/\/vimeo.com\/showcase\/3416096\/video\/133002251\" target=\"_blank\" rel=\"noopener\">James Forshaw<\/a><span>.<\/span><\/p>\n<h3>Proof of Concept (PoC)<\/h3>\n<p><span>The NCP Secure Enterprise client allows low-privileged user accounts to invoke an operation named <\/span><em>Support Assistent<\/em><span>. When this operation is used, several files get written to a user-controlled path of the file system, and some of these files are written with administrative privileges. In the following, only the <\/span><em>Mobile Network Support<\/em><span>\u00a0flag is used during the export, so only a single file is generated:<\/span><\/p>\n<p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200038-1.png\" title_text=\"usd20200038-1\" _builder_version=\"4.9.4\" _module_preset=\"default\" custom_margin=\"27px||43px||false|false\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"default\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<p><span>Since the directory is user-controlled, the low-privileged user can create a symbolic link to another location of the file system.
After the <\/span><em>Support Assistent<\/em><span>\u00a0function is used again, the targeted file gets written with administrative privileges.<\/span><\/p>\n<p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200038-2.png\" title_text=\"usd20200038-2\" _builder_version=\"4.9.4\" _module_preset=\"default\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<div class=\"e16902-22 x-container max width\">\n<div class=\"e16902-23 x-column x-sm x-1-1\">\n<p><span>Apart from denial-of-service attacks, attackers could use this vulnerability for local privilege escalation, since parts of the file contents are user-controlled.<\/span><\/p>\n<h3>Fix<\/h3>\n<p><span>Privileged file operations on user-controlled parts of the file system should be treated with special care. If possible, privileged file writes should only target protected locations on the file system.
Moreover, the privileged process itself can implement mitigations such as impersonation or inspecting targeted files for file system links.<\/span><\/p>\n<h3>References<\/h3>\n<ul>\n<li><a href=\"https:\/\/vimeo.com\/showcase\/3416096\/video\/133002251\" target=\"_blank\" rel=\"noopener\">https:\/\/vimeo.com\/showcase\/3416096\/video\/133002251<\/a><\/li>\n<li><a href=\"https:\/\/googleprojectzero.blogspot.com\/2015\/12\/between-rock-and-hard-link.html\" target=\"_blank\" rel=\"noopener\">https:\/\/googleprojectzero.blogspot.com\/2015\/12\/between-rock-and-hard-link.html<\/a><\/li>\n<\/ul>\n<h3>Timeline<\/h3>\n<ul>\n<li>2020-03-31 This vulnerability was found by Tobias Neitzel during a pentest<\/li>\n<li>2020-04-01 Initial contact request via info-mv@ncp-e.com<\/li>\n<li>2020-04-03 Advisory submitted to vendor<\/li>\n<li>2020-05-28 Vendor publishes fix in <strong>NCP Secure Enterprise Client 10.15 r47589<\/strong><\/li>\n<li>2020-06-18\u00a0Security advisory released<\/li>\n<\/ul>\n<h3>Credits<\/h3>\n<p><span>This security vulnerability was found by Tobias Neitzel of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2020-0038 | NCP Secure Enterprise Windows Client 10.14 Advisory ID: usd-2020-0038 CVE Number: CVE-2020-11474 Affected Product: NCP Secure Enterprise Windows Client\u00a0Affected Version: 10.14 Vulnerability Type: Privileged File Write Security Risk: Critical Vendor URL: https:\/\/www.ncp-e.com Vendor Status: Fixed in 10.15 r47589 Description Symbolic link attacks have become more and more popular on Windows operating systems.
A symbolic link is just a directory [&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16691","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16691","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16691"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16691\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16691"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}