Source: https://www.thezdi.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
This vulnerability is a truly delicious one, and credit for it goes to ZDI contributor Eduardo Braun Prado. Your guests won’t believe how easy it is to escalate to SYSTEM!
The bug is found in the UAC (User Account Control) mechanism. By default, Windows shows all UAC prompts on a separate desktop known as the Secure Desktop. The prompts themselves are produced by an executable named consent.exe, running as NT AUTHORITY\SYSTEM and having an integrity level of System. Since the user can interact with this UI, it is necessary for the UI to be very tightly constrained. Otherwise, a low privileged user might be able to perform actions as SYSTEM via a circuitous route of UI operations. Even a solitary UI feature that appears harmless in isolation could potentially be the first step in a chain of actions leading to arbitrary control. Indeed, you will find that the UAC dialogs are stripped down to contain a bare minimum of clickable options.
Shall we go exploring a bit?
We can enter the UAC prompts by right-clicking any executable and choosing Run as administrator... That will bring up a dialog on the Secure Desktop that looks like this:
[Image: Picture1.png]
Not much interesting so far, just Yes and No buttons, a password input field, and an X button. You can click the upper-left corner of the window and get the standard, little-used “window menu”, having just Move and Close commands. The password input field is a bit interesting to poke around in. Perhaps it could give you some way to open up additional UI features, via an IME, for example. I have tried, though, and not uncovered anything.
All right, but what of that “Show details” option?
[Image: Picture2.png]
Aha. Well, here is an opening into a more interesting UI. We now have a link to the Windows certificate dialog:
[Image: Picture3.png]
This is a promising route, since, as you probably know, the Windows certificate dialog allows you to export a displayed certificate to a file. That would give us access to the standard File Save dialog, opening up a wealth of UI functionality. Will it work?
[Image: Picture4.png]
Drat, Microsoft has grayed out the button! And to think, we almost got away with it. I seem to recall having tried that one years ago.
But here’s what you probably don’t know about the certificate dialog: There is an obscure Microsoft-specific object identifier (OID) defined, having the numeric value 1.3.6.1.4.1.311.2.1.10. The WinTrust.h header defines this as SPC_SP_AGENCY_INFO_OBJID, and, if present, it will be displayed in the Details tab as SpcSpAgencyInfo. The semantics of this OID are poorly documented. It appears, however, that the certificate dialog parses the value of this OID, and if it finds valid and properly-formatted data, it will use it to render the “Issued by” field on the General tab as a hyperlink! And when it comes to the UAC version of the certificate dialog, Microsoft forgot to disable this hyperlink.
The finder of this bug provided us with a copy of an ancient Microsoft-signed executable that has such a certificate:
[Image: Picture5.png]
Clicking on the hyperlink will launch a browser from consent.exe, and the browser will run as NT AUTHORITY\SYSTEM. Quite strangely, even though the browser is launched as SYSTEM, nevertheless it is shown on the normal desktop as opposed to the Secure Desktop. Hence it will only become visible once the user has exited all the UAC dialogs. From the attacker’s perspective, this is an ideal combination.
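The chain just described (consent.exe spawning a browser as SYSTEM, and that browser then being used to open a command prompt) leaves a distinctive process-lineage trail in endpoint telemetry. The following detection logic is an added example, not code from the ZDI post: it walks Sysmon-style process-creation records (field names follow Sysmon Event ID 1, but the records themselves are constructed) and flags any SYSTEM process that has consent.exe as an ancestor.

```python
"""Flag SYSTEM processes descended from consent.exe (the CVE-2019-1388 pattern).

Added example, not code from the ZDI post. The log lines below are constructed
to mimic Sysmon Event ID 1 records flattened to key=value pairs; the field names
follow Sysmon's but every value is made up.
"""
import re

SYSTEM_USER = r"NT AUTHORITY\SYSTEM"
# A value runs until the next " Key=" token, so paths with spaces survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed sample: consent.exe (pid 500) launches a browser as SYSTEM, which
# is then used to open cmd.exe. Pid 610 is a normal user browser and must not fire.
SAMPLE_LOG = r"""
EventID=1 ProcessId=500 ParentProcessId=120 User=NT AUTHORITY\SYSTEM Image=C:\Windows\System32\consent.exe
EventID=1 ProcessId=600 ParentProcessId=500 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\Internet Explorer\iexplore.exe
EventID=1 ProcessId=610 ParentProcessId=300 User=LAB\alice Image=C:\Program Files\Internet Explorer\iexplore.exe
EventID=1 ProcessId=700 ParentProcessId=600 User=NT AUTHORITY\SYSTEM Image=C:\Windows\System32\cmd.exe
""".strip()


def parse_event(line):
    """Turn one flattened record into a dict of field -> value."""
    return dict(FIELD_RE.findall(line))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(log_text):
    """Return (pid, image, lineage) for SYSTEM processes with consent.exe as an ancestor."""
    events = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") == "1":
            events[ev["ProcessId"]] = ev
    findings = []
    for pid, ev in events.items():
        if basename(ev["Image"]) == "consent.exe" or ev.get("User") != SYSTEM_USER:
            continue
        chain = [basename(ev["Image"])]
        parent = ev.get("ParentProcessId")
        while parent in events and len(chain) < 32:  # walk up as far as the log allows
            chain.append(basename(events[parent]["Image"]))
            if chain[-1] == "consent.exe":
                findings.append((pid, chain[0], " <- ".join(chain)))
                break
            parent = events[parent].get("ParentProcessId")
    return findings


if __name__ == "__main__":
    for pid, image, lineage in detect(SAMPLE_LOG):
        print(f"ALERT pid={pid} {image} running as SYSTEM, lineage: {lineage}")
```

Because consent.exe normally creates no child processes at all, a looser rule that alerts on any child of consent.exe regardless of user is also reasonable and cheap.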
In action, this vulnerability is a wonder to behold. In my mind at least, it’s an instant classic. The video below shows the complete process, including a final step producing a command prompt as SYSTEM. Please enjoy the show.
Microsoft patched this vulnerability in November 2019 as CVE-2019-1388. In their writeup, they state the fix was implemented by “ensuring Windows Certificate Dialog properly enforces user privileges.” However, they also give an Exploit Index rating of 2, indicating exploitation is less likely. Our video suggests otherwise.
Here at the Zero Day Initiative we’re thankful for all the great bugs our talented submitters have sent us in this past year, and we wish everyone a prosperous 2020.
You can find me on Twitter at @HexKitchen, and follow the team for the latest in exploit techniques and security patches.
Sunday, November 24, 2019