usd-2023-0029 | Privilege Escalation via Weak Registry Permissions

Advisory ID: usd-2023-0029
Product: Unknown
Affected Version: Unknown
Vulnerability Type: CWE-732: Incorrect Permission Assignment for Critical Resource
Security Risk: HIGH - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vendor URL: https://www.sonix.com.tw/masterpage-en
Vendor acknowledged vulnerability: No
Vendor Status: Not fixed
CVE number: CVE-2023-51715
CVE Link: Pending

Description

Systems with a SONIX Technology Webcam using the SonixDeviceMFT.dll driver in its default configuration are vulnerable to a DLL-Hijacking attack.
The registry key HKLM\SOFTWARE\Classes\CLSID\{5A50829A-86DD-4D18-8685-891EEE643C24}\InprocServer32 contains the path to the aforementioned .dll file and can be overwritten by low-privileged users. This potentially allows attackers to load a malicious DLL and in turn escalate their privileges.
The DLL referenced by the registry key is loaded with NT-AUTHORITY\SYSTEM privileges when the webcam of the device is activated.

Proof of Concept

    1. The registry key HKLM\SOFTWARE\Classes\CLSID\{5A50829A-86DD-4D18-8685-891EEE643C24}\InprocServer32 initially contains %SystemRoot%\system32\SonixDeviceMFT.dll.
    2. The permissions of the key can be listed with accesschk.exe by Sysinternals. This reveals that all members of the Users group can edit the key.

        .\SysinternalsSuite\accesschk.exe -accepteula -s -w $USER -k "HKLM\SOFTWARE\Classes\CLSID\{5A50829A-86DD-4D18-8685-891EEE643C24}\" -u

        Accesschk v6.15 - Reports effective permissions for securable objects
        Copyright (C) 2006-2022 Mark Russinovich
        Sysinternals - www.sysinternals.com

        HKLM\SOFTWARE\Classes\CLSID\{5A50829A-86DD-4D18-8685-891EEE643C24}\InprocServer32
          RW VORDEFINIERT\Benutzer
          RW VORDEFINIERT\Administratoren
          RW NT-AUTHORITY\SYSTEM

    3. Overwrite the registry key with C:\ProgramData\malicious.dll or another location.
    4. When the webcam of the system is activated, e.g. for a video call, a process running with NT-AUTHORITY\SYSTEM privileges tries to load the DLL. This can be verified with Procmon.exe by Sysinternals.

Fix

The vendor should adjust the permissions of the registry key so that low-privileged users can no longer modify it.

Users of the affected product can apply a workaround by adjusting the permissions of the HKLM\SOFTWARE\Classes\CLSID\{5A50829A-86DD-4D18-8685-891EEE643C24}\InprocServer32 registry key so that low-privileged users do not have write access to it.
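The following PowerShell script is an added example of that workaround; it is not part of the usd AG advisory and was not provided by the vendor. It audits the ACL of the key named in the advisory for write-class rights granted to low-privileged principals, checks that the (Default) value still points to the driver DLL under System32, and replaces each weak entry with read-only access for the same principal. It assumes an elevated PowerShell session; the key path and expected DLL path are taken from the advisory, and the function names are this example's own.

```powershell
# Added example; not part of the usd AG advisory. Run from an elevated PowerShell.
# Key path and expected DLL path are taken from the advisory text.
$KeyPath     = 'HKLM:\SOFTWARE\Classes\CLSID\{5A50829A-86DD-4D18-8685-891EEE643C24}\InprocServer32'
$ExpectedDll = '%SystemRoot%\system32\SonixDeviceMFT.dll'

# Well-known SIDs of principals that must never be able to write this key.
# Matching on SIDs is locale-independent: VORDEFINIERT\Benutzer and BUILTIN\Users are both S-1-5-32-545.
$LowPrivSids = @(
    'S-1-5-32-545',   # BUILTIN\Users
    'S-1-5-11',       # Authenticated Users
    'S-1-1-0',        # Everyone
    'S-1-5-4'         # Interactive
)

# Pure write-class rights: any of these lets a caller change the DLL path or the ACL itself.
# ReadKey bits (QueryValues, EnumerateSubKeys, Notify, ReadPermissions) are deliberately excluded.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'

function Get-WeakInprocServerAce {
    # Returns the Allow ACEs that grant write-class rights to a low-privileged principal.
    param([string]$Path = $KeyPath)
    $acl = Get-Acl -Path $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.RegistryRights) -band ([int]$WriteRights)) -ne 0 -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -in $LowPrivSids
    }
}

function Test-InprocServerDllPath {
    # True when the (Default) value still names the driver DLL under System32.
    param([string]$Path = $KeyPath)
    $current = (Get-ItemProperty -Path $Path).'(default)'
    return ($current -eq $ExpectedDll)
}

function Repair-InprocServerAcl {
    param([string]$Path = $KeyPath)

    # Pass 1: detach the key from its parent's inheritance while keeping copies of the
    # inherited ACEs, so a weak entry can be removed whether it was inherited or explicit.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Pass 2: drop every weak ACE and grant the same principal ReadKey only.
    $acl = Get-Acl -Path $Path
    foreach ($ace in @(Get-WeakInprocServerAce -Path $Path)) {
        $acl.RemoveAccessRuleAll($ace)
        $readOnly = New-Object System.Security.AccessControl.RegistryAccessRule(
            $ace.IdentityReference, 'ReadKey', $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
        $acl.AddAccessRule($readOnly)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Audit first, then harden, then confirm nothing weak is left.
Get-WeakInprocServerAce | Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize
if (-not (Test-InprocServerDllPath)) { Write-Warning "(Default) does not point to $ExpectedDll; inspect the key before continuing." }
Repair-InprocServerAcl
if (-not (Get-WeakInprocServerAce)) { 'InprocServer32 key hardened: no low-privileged principal holds write rights.' }
```

The two-pass repair matters because a weak entry that is inherited from the parent CLSID key cannot be removed directly; protecting the key and re-reading it first turns such entries into explicit ones. If a 32-bit registration of the same CLSID exists under HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID\, run the same functions against that path as well. After hardening, the accesschk command from the proof of concept should no longer report RW for VORDEFINIERT\Benutzer (BUILTIN\Users).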

References

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dll-hijacking

Timeline

  • 2023-07-28: Vulnerability identified by Luca Rupp.
  • 2023-08-01: First contact with vendor via mkt@sonix.com.tw and sales@sonix.com.tw.
  • 2023-09-07: The Responsible Disclosure team once more tried to contact the vendor via the above email addresses and via usa@sonix.com.tw.
  • 2023-10-02: Another contact request sent to the above email addresses.
  • 2023-10-23: Another email warning of possible public disclosure should we not receive a reply.
  • 2023-12-14: Our customer reports that they have no objections towards public disclosure.
  • 2024-03-26: Advisory released by usd AG in accordance with our disclosure process.

Credits

This security vulnerability was identified by Luca Rupp of usd AG.