usd-2020-0038 | NCP Secure Enterprise Windows Client 10.14

Advisory ID: usd-2020-0038
CVE Number: CVE-2020-11474
Affected Product: NCP Secure Enterprise Windows Client 
Affected Version: 10.14
Vulnerability Type: Privileged File Write
Security Risk: Critical
Vendor URL: https://www.ncp-e.com
Vendor Status: Fixed in 10.15 r47589

Description

Symbolic link attacks have become more and more popular on Windows operating systems. A symbolic link is just a directory entry that points to a different location of the file system and redirects certain file operations to the actual target. When privileged processes interact with user controlled parts of the file system, symbolic links can be used to redirect privileged file operations in order to achieve an elevation of privileges. However, it should be noticed that low privileged user accounts are not able to create symbolic links that connect two ordinary file system locations. That being said, there is a workaround that allows the creation of pseudo symbolic links, as demonstrated by James Forshaw.

Proof of Concept (PoC)

The NCP Secure Enterprise client allows low privileged user accounts to issue an operation with name Support Assistent. When this operation is used, several files get written to a user controlled path of the file system and some of these files are written with administrative privileges. In the following only the Mobile Network Support flag is used during the export, which only generates a single file:

Since the directory is user controlled, the low privileged user can create a symbolic link to another location of the file system. After the Support Assistent function is used again, the targeted file gets written with administrative privileges.