
Privilege Escalation Vulnerability in Microsoft Windows



Advisory ID: HTB23108
Product: Microsoft Windows
Vendor: Microsoft Corporation
Vulnerable Version(s): Windows Vista, Windows Server 2008, Windows 7, 
Windows 8 RP
Tested Version: Windows Vista Ultimate SP1, Windows 2008 SP2, Windows 7 
Professional SP1, Windows 8 RP
Vendor Notification: August 7, 2012 
Public Disclosure: October 9, 2012 
Vulnerability Type: Uncontrolled Search Path Element [CWE-427]
CVSSv2 Base Score: 6 (AV:L/AC:H/Au:S/C:C/I:C/A:C)
Risk Level: Medium 
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab has discovered a vulnerability in 
Microsoft Windows which could be exploited to escalate privileges under certain 
conditions.

The vulnerability exists due to the “IKE and AuthIP IPsec Keying Modules” 
system service, which tries to load the “wlbsctrl.dll” DLL, a library that is 
missing from a default Windows installation.
The “IKE and AuthIP IPsec Keying Modules” service starts automatically in the 
default configuration (after a default installation) of:

 - Microsoft Windows Vista
 - Microsoft Windows 2008 
 - Microsoft Windows 7
 - Microsoft Windows 8 Release Preview

Moreover, the service runs with SYSTEM privileges by default. Therefore an 
unprivileged local user who has write access to any of the default or other 
DLL search path locations can execute arbitrary code on the vulnerable system 
with the privileges of the SYSTEM account.


Vulnerability Details

The “IKE and AuthIP IPsec Keying Modules” service tries to load the 
“wlbsctrl.dll” library, which is missing. This forces Microsoft Windows to use 
its standard search procedure to locate the missing dynamic-link library, in 
the following order described by Microsoft - 
http://msdn.microsoft.com/en-us/library/windows/desktop/ff919712%28v=vs.85%29.aspx
 - The directory from which the application loaded
 - The system directory
 - The 16-bit system directory
 - The Windows directory
 - The current directory
 - The directories that are listed in the PATH environment variable

When a directory is created in the C:\ root folder, access permissions for 
files and subfolders are inherited from the parent directory. By default, 
members of the Authenticated Users group have the FILE_APPEND_DATA and 
FILE_WRITE_DATA rights on all directories created within the C:\ root folder. 
This also applies to folders created by an application's installer. The 
vulnerability is introduced to the system when software does not change the 
default permissions of its installation directory and adds its installation 
path to the PATH system environment variable. Any member of the Authenticated 
Users group can then place a malicious file named “wlbsctrl.dll” into that 
folder and execute arbitrary code on the system after a simple reboot.

Brief research confirmed that the following well-known software makes the 
weakness exploitable when installed into the C:\ root folder:

 - ActivePerl 5.16.1.1601 (default installation)
Adds to the PATH variable: C:\Perl\Site\bin;

 - ActiveTcl 8.5.12 (default installation)
Adds to the PATH variable: C:\TD\bin

 - ActivePython 3.2.2.3 (option to modify the PATH variable is inactive, but 
can be manually activated)
Adds to the PATH variable: C:\Python27\;C:\Python27\Scripts;

 - Ruby installer 1.9.3-p194 (option to modify the PATH variable is inactive, 
but can be manually activated)
Adds to the PATH variable: C:\Ruby193\bin;

 - PHP 5.3.17 (option to modify the PATH variable is inactive, but can be 
manually activated; must be explicitly configured to be installed into C root 
folder, e.g. C:\PHP)
Adds to the PATH variable: C:\PHP\;

 - Zend Server 5.6.0 SP4 (must be explicitly configured to be installed into C 
root folder, e.g. C:\Zend)
Adds to the PATH variable: C:\Zend\ZendServer\share\ZendFramework\bin

 - MySQL 5.5.28 (option to modify the PATH variable is inactive, but can be 
manually activated; must be explicitly configured to be installed into C root 
folder, e.g. C:\MySQL)
Adds to the PATH variable: C:\MySQL\MySQL Server 5.5\bin


Attack vectors

Any member of the Authenticated Users group can escalate their privileges to 
SYSTEM when the following conditions are met:
1. The above-mentioned software sets insecure permissions on its installation 
folder (i.e. it remains writable by members of the Authenticated Users group).
2. The above-mentioned software adds its installation path to the system PATH 
environment variable.
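An audit script for the two conditions above, added here as an example; it is not part of the advisory and not a Microsoft tool. It assumes PowerShell 3.0 or later on the host being checked, reads the machine-level PATH (the one a service sees), and reports every PATH directory on which Authenticated Users, BUILTIN\Users or Everyone hold FILE_WRITE_DATA or FILE_APPEND_DATA (the Write, Modify and FullControl rights contain those bits, so they are caught as well). It also warns about any wlbsctrl.dll already present in a PATH directory, since a default installation does not contain one.

```powershell
# Added audit script: not part of the HTB23108 advisory or of Microsoft tooling.
# Flags PATH directories that broad groups can write to (the precondition for
# the wlbsctrl.dll search-order issue) and any wlbsctrl.dll already present.

# Well-known SIDs of the groups every local user is a member of.
$broadGroups = @{
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-1-0'      = 'Everyone'
}

# FILE_WRITE_DATA (create files) and FILE_APPEND_DATA (create subdirectories).
# Write, Modify and FullControl all contain these two bits, so one mask covers them.
# Generic rights (GENERIC_WRITE, GENERIC_ALL) are not decoded here.
$writeBits = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData)

function Test-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Directory)

    $acl = Get-Acl -LiteralPath $Directory
    # Ask for SID identities so the check does not depend on localized group names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        # Only Allow ACEs grant access; a Deny ACE for the same group would override
        # them, so confirm a reported directory with icacls before acting on it.
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $sid = $rule.IdentityReference.Value
        if (-not $broadGroups.ContainsKey($sid)) { continue }
        if (([int]$rule.FileSystemRights -band $writeBits) -eq 0) { continue }

        [pscustomobject]@{
            Directory = $Directory
            Group     = $broadGroups[$sid]
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited   # $true when the ACE was inherited from C:\, as in the advisory
        }
    }
}

# Machine-level PATH, as seen by services; entries may contain %SystemRoot% etc.
$pathDirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) } |
    Where-Object { $_ -ne '' } |
    Select-Object -Unique

$findings = foreach ($dir in $pathDirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A dangling PATH entry matters too: whoever can create that directory later controls it.
        Write-Warning "PATH entry does not exist: $dir"
        continue
    }
    Test-BroadWriteAccess -Directory $dir

    $dll = Join-Path -Path $dir -ChildPath 'wlbsctrl.dll'
    if (Test-Path -LiteralPath $dll -PathType Leaf) {
        Write-Warning "wlbsctrl.dll present in PATH directory: $dll"
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No PATH directory grants write access to Authenticated Users, Users or Everyone.'
}
```

A directory reported with Inherited = True carries the C:\ root ACL the advisory describes. For each hit, the MSRC-recommended fixes apply: drop the directory from the machine PATH, or restrict its ACL so that only Administrators and SYSTEM can write to it.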


Proof of Concept

You can download the PoC (Proof of Concept) that demonstrates exploitation of 
the vulnerability under a non-privileged user account on a default installation 
of Windows 7 with a default installation of the latest version of ActivePerl: 
https://www.htbridge.com/advisory/HTB23108-P0c-Windows-Services.rar

How to exploit:
1. Log in under an unprivileged system account.
2. Download and extract the HTB23108-P0c-Windows-Services.rar archive.
3. Copy the files from the archive into the C:\Perl\site\bin folder.
4. Reboot the system.
5. Log in under the unprivileged system account.
6. Run the C:\Perl\site\bin\ADMC.exe file.
7. Enter the following credentials when asked:
Login: fox
Password: 1234
8. Type “shell” and then the “whoami” command in the system console and you 
will see “nt authority\system” – you have an administrative console.


Conclusion

Many Windows services have missing DLLs, and the search PATH procedure is a 
built-in Windows feature. However, in this case the service with the missing 
DLL runs by default with SYSTEM privileges. Combined with some well-known 
software in its default installation, this “feature” becomes a perfectly 
exploitable vulnerability under a relatively widespread Windows configuration.


-----------------------------------------------------------------------------------------------

Solution:

Official MSRC answer: 
Microsoft has thoroughly investigated the claim and found that this is not a 
product vulnerability. In the scenario in question, the default security 
configuration of the system has been weakened by a third-party application. 
Customers who are concerned with this situation can remove the directory in 
question from PATH or restrict access to the third-party’s application 
directory to better protect themselves against these scenarios.

Microsoft requested and validated disclosure of the advisory on the 9th of 
October 2012.

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23108 - 
https://www.htbridge.com/advisory/HTB23108 - Privilege Escalation Vulnerability 
in Microsoft Windows
[2] Microsoft Windows - http://www.microsoft.com - Microsoft Windows is a 
series of graphical interface operating systems developed, marketed, and sold 
by Microsoft.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types. 

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.