bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
exploit-db-mirror/exploits/windows/local/46159.txt
Offensive Security 518c704a2f DB: 2019-01-15 
32 changes to exploits/shellcodes

xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)
Dokany 1.2.0.1000 - Stack-Based Buffer Overflow Privilege Escalation
Microsoft Windows 10 - SSPI Network Authentication Session 0 Privilege Escalation
Microsoft Windows 10 - DSSVC DSOpenSharedFile Arbitrary File Open Privilege Escalation
Microsoft Windows 10 - DSSVC DSOpenSharedFile Arbitrary File Delete Privilege Escalation
Microsoft Windows 10 - DSSVC CanonicalAndValidateFilePath Security Feature Bypass
Microsoft Windows 10 - DSSVC MoveFileInheritSecurity Privilege Escalation
Microsoft Windows 10 - Browser Broker Cross Session Privilege Escalation
Microsoft Windows 10 - COM Desktop Broker Privilege Escalation

Hootoo HT-05 - Remote Code Execution (Metasploit)
Across DR-810 ROM-0 - Backup File Disclosure
i-doit CMDB 1.12 - Arbitrary File Download
i-doit CMDB 1.12 - SQL Injection
Horde Imp - 'imap_open' Remote Command Execution
Modern POS 1.3 - Arbitrary File Download
Modern POS 1.3 - SQL Injection
Twilio WEB To Fax Machine System Application 1.0 - SQL Injection
Live Call Support Widget 1.5 - Cross-Site Request Forgery (Add Admin)
Live Call Support Widget 1.5 - Remote Code Execution / SQL Injection
Craigs Classified Ads CMS Theme 1.0.2 - SQL Injection
Find a Place CMS Directory 1.5 - SQL Injection
Cleanto 5.0 - SQL Injection
Lenovo R2105 - Cross-Site Request Forgery (Command Execution)
HealthNode Hospital Management System 1.0 - SQL Injection
Hucart CMS 5.7.4 - Cross-Site Request Forgery (Add Administrator Account)
ThinkPHP 5.X - Remote Command Execution
Real Estate Custom Script 2.0 - SQL Injection
Job Portal Platform 1.0 - SQL Injection
Umbraco CMS 7.12.4 - Authenticated Remote Code Execution
Bigcart - Ecommerce Multivendor System 1.0 - SQL Injection
Portier Vision 4.4.4.2 / 4.4.4.6 - SQL Injection
AudioCode 400HD - Command Injection
2019-01-15 05:01:52 +00:00

34 lines
No EOL
2.5 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Windows: DSSVC CanonicalAndValidateFilePath Security Feature Bypass
Platform: Windows 10 1803 and 1809.
Class: Security Feature Bypass/Elevation of Privilege
Security Boundary (per Windows Security Service Criteria): User boundary
NOTE: This is one of multiple issues Im reporting in the same service. While Ive tried to ensure all the bugs are effectively orthogonal from each other its possible that fixes for one thing might affect others. Ive also not reported every possible problem with the service as at some point I had to stop. Ive not determined if any of these issues could be abusable from a sandbox, most of the issues almost certainly cant be due to the requirements for arbitrary file symlinks but its not impossible.
Summary:
The Data Sharing Services check for the user passing UNC paths can be circumvented leading to a security feature bypass which can facilitate easier exploitation for privilege elevation.
Description:
During DSSCreateSharedFileTokenEx the path is passed to DSUtils::CanonicalAndValidateFilePath to canonicalize the path. This method also verifies that the passed path isnt a UNC path (for reasons unknown). The UNC path check can be bypassed by using the \??\UNC\ form. When this is passed to PathAllocCanonicalize it returns it verbatim, however this path format isnt considered a UNC path by PathIsUNCEx. However when passed to CreateFile etc it will be considered as if it was an \\?\UNC\ path format.
This could be useful for a few different attacks. For a start you could redirect the call to \\localhost\pipe\somepipe and get a named pipe handle bound to the SYSTEM user. Although Ive not worked out a way of getting the handle back (as GetFinalPathFromHandle fails). Another attack vector is when going to an SMB share any directory junctions are resolved on the server, this would allow you to bypass any checks such as DSUtils::VerifyPathFromHandle as the returned path would be \\?\UNC\localhost\c$\blah.. Regardless of the final destination path opened.
Proof of Concept:
Ive provided a PoC as a C# project.
1) Compile the C# project. Itll need to pull NtApiDotNet from NuGet to build.
2) Execute the poc, it will try and open c:\windows\notepad.exe via the C$ admin share.
Expected Result:
The path is considered invalid and DSSCreateSharedFileTokenEx fails.
Observed Result:
The UNC path is opened.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46159.zip
Reference in a new issue View git blame Copy permalink