[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n
<\/span> The CheckPoint Identity Agent allows low privileged users to write files to protected locations of the file system.<\/p>\n Privileged file write vulnerabilities allow low privileged users to create or overwrite files in arbitrary locations of the file system. The impact of these attacks largely depends on the content that is written to the files. If the content is user controlled, privilege escalations are usually possible. Otherwise, the vulnerability can be used to perform Denial of Service attacks.<\/p>\n <\/span><\/p>\n The CheckPoint Identity Agent allows users to collect information for the technical support. This information is collected to a Windows Cabinet file and stored within a user defined location. During the write operation that creates the Cabinet file, the service uses the permissions of the SYSTEM account, which allows low privileged users to create the Cabinet file in arbitrary locations of the file system. By using a symbolic link, the file name is also fully user controlled and the write operation can also be redirected to already existing files.<\/p>\n In the following screenshot, a low privileged user account sets the log folder of the CheckPoint Identity Agent to a user controlled path on the file system. This is possible within the tray menu of the agent.<\/p>\n [\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/01-set-log-folder.png\" title_text=\"01-set-log-folder\" _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n The <\/span>Cabinet file<\/em> that we will create soon has a naming scheme of <\/span>CP_Identity_Agent_Logs_25-01-2021_17.07.11.cab<\/strong>. As the name contains the current time and the export takes a while, an reliable attack requires multiple symbolic links. For our demonstration, we use the following simple script to create these:<\/span><\/p>\n [\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]C:\\Users\\tony\\Desktop\u203a type link.bat [\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n Within the script, we make obviously use of the symboliclink-testing-tools<\/a> by James Forshaw<\/a>. [\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/02-request-technical-support-info.png\" title_text=\"02-request-technical-support-info\" _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"]<\/p>\n When the export finished, the <\/span>C:\\Windows\\win.ini<\/strong> file should be overwritten with the contents of the <\/span>Cabinet file<\/em>. The following listing shows the original and the new content of the file:<\/span><\/p>\n [\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]C:\\\u203a type Windows\\win.ini C:\\\u203a type C:\\Windows\\win.ini [\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n Whenever high privileged services write data into user controlled parts of the file system, they should make sure to impersonate the corresponding user during the operation.<\/span>
Advisory ID<\/strong>: usd-2021-0005<\/span>
CVE Number<\/strong>: CVE-2021-30356<\/a><\/span>
Affected Product<\/strong>: CheckPoint Identity Agent<\/span>
Affected Version<\/strong>: < R81.018.0000<\/span>
Vulnerability Type<\/strong>: Symlink Vulnerability<\/span>
Security Risk<\/strong>: High<\/span>
Vendor URL<\/strong>: https:\/\/www.checkpoint.com<\/a><\/span>
Vendor Status<\/strong>: Fixed<\/span><\/p>\n<\/h3>\n
Description<\/h3>\n
Proof of Concept (PoC)<\/h3>\n
\nC:\\ProgramData\\CreateSymlink.exe -p C:\\Linker\\CP_Identity_Agent_Logs_31-01-2021_12.13.00.cab C:\\Windows\\win.ini
\nC:\\ProgramData\\CreateSymlink.exe -p C:\\Linker\\CP_Identity_Agent_Logs_31-01-2021_12.13.01.cab C:\\Windows\\win.ini
\nC:\\ProgramData\\CreateSymlink.exe -p C:\\Linker\\CP_Identity_Agent_Logs_31-01-2021_12.13.02.cab C:\\Windows\\win.ini
\nC:\\ProgramData\\CreateSymlink.exe -p C:\\Linker\\CP_Identity_Agent_Logs_31-01-2021_12.13.03.cab C:\\Windows\\win.ini
\nC:\\ProgramData\\CreateSymlink.exe -p C:\\Linker\\CP_Identity_Agent_Logs_31-01-2021_12.13.04.cab C:\\Windows\\win.ini
\n[...]<\/code><\/pre>\n
After invoking the script, all possible file system locations for the to be generated Cabinet file<\/em> point now to C:\\Windows\\win.ini<\/strong>, which is not writable for low privileged user accounts. Now we can request technical support information within the agents tray menu:<\/p>\n
\n; for 16-bit app support
\n[fonts]
\n[extensions]
\n[mci extensions]
\n[files]
\n[Mail]
\nMAPI=1<\/p>\n
\nMSCF [...]<\/code><\/pre>\nFix<\/h3>\n
Additionally, protection mechanisms can be implemented to avoid following symlinks during write operations.<\/span><\/p>\n<\/h3>\n
Timeline<\/h3>\n
\n
<\/h3>\n
Credits<\/h3>\n