{"id":17262,"date":"2021-09-30T16:29:02","date_gmt":"2021-09-30T14:29:02","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=17262"},"modified":"2022-05-02T11:41:35","modified_gmt":"2022-05-02T09:41:35","slug":"usd-2021-0002","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2021-0002\/","title":{"rendered":"usd-2021-0002"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

usd-2021-0002 | EgoSecure Agent<\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2021-0002<\/span>
Affected Product<\/strong>: EgoSecure Agent<\/span>
Affected Version<\/strong>: 14.3.937.4<\/span>
Vulnerability Type<\/strong>: Symlink Vulnerability<\/span>
Security Risk<\/strong>: High<\/span>
Vendor URL<\/strong>: https:\/\/www.egosecure.com\/<\/a>
Vendor Status<\/strong>: Fixed (21.0.1)
<\/span><\/p>\n

<\/span><\/p>\n

Description<\/h3>\n

Privileged file write vulnerabilities allow low privileged users to create or overwrite files in arbitrary locations of the file system.
The impact of these attacks depends largely on the content that is written to the files. If the content is user controlled,
privilege escalations<\/em> are usually possible. Otherwise, the vulnerability can be used to perform Denial of Service<\/em> attacks.<\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

The EgoSecure Agent service<\/em> allows users to request a compacted collection of log files using the EgoSecure tray icon<\/em>. When invoking this operation,
the EgoSecure Agent<\/em> collects log data and compacts everything into a single .zip<\/em> file. The corresponding folder, where the compressed .zip<\/em> file
is created, is user controlled, but can only be set to a user writable location. However, by using symbolic links, this restriction can be circumvented
and the .zip<\/em> file can be written to arbitrary locations of the file system. As the write operations is done with the high privileged service account,
no write access is required for the invoking user.<\/p>\n

In the following screenshot, a low privileged user starts the log compression via the EgoSecure tray icon<\/em> and sets the output folder to a user controlled
area of the file system:<\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/09\/01-set-output-folder.png\" title_text=\"01-set-output-folder\" admin_label=\"Bild\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_padding=\"0px|||||\" global_colors_info=\"{}\"]<\/p>\n

Afterwards, the user creates a symbolic link that points to the desired location of the file system. During our tests, only non existing paths could be
chosen. For the symbolic link creation, we use the symboliclink-testing-tools<\/a> by James Forshaw<\/a>.<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" custom_margin=\"20px||20px||false|false\" global_colors_info=\"{}\"]<\/p>\n

C:\\>C:\\ProgramData\\CreateSymlink.exe C:\\Linker\\LogFiles_20210131.zip C:\\Windows\\this_should_not_be_here.dll
Opened Link \\RPC Control\\LogFiles_20210131.zip -> \\??\\C:\\Windows\\this_should_not_be_here.dll: 00000184
Press ENTER to exit and delete the symlink<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_padding=\"0px|||||\" global_colors_info=\"{}\"]<\/p>\n

After starting the export, the .zip<\/em> file is created in the requested destination:<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]<\/p>\n

C:\\>dir C:\\Windows\\this_should_not_be_here.dll
\u00a0Volume in drive C is Windows
\u00a0Volume Serial Number is F653-D506<\/p>\n

Directory of C:\\Windows<\/p>\n

31.01.2021 11:53 384.182 this_should_not_be_here.dll
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1 File(s), 384.182 bytes
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0 Dir(s), 461.815.877.632 bytes free<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

\n
\n

Fix<\/h3>\n
Whenever high privileged services write data into user controlled parts of the file system, they should make sure to impersonate the corresponding user during the operation. Additionally, protection mechanisms can be implemented to avoid following file system link during write operations.<\/div>\n

 <\/p>\n

<\/div>\n

References<\/h3>\n