IERAE NIGHT 2024: PT「Story of Microsoft OneDrive LPE」

Story of Microsoft OneDrive LPE (CVEなし)

About me Ruslan Sayfiev （ルスラン サイフィエフ） (https://twitter.com/cryptopeg) オフェンシブセキュリティ部 部長・執行役員（Red Team/ペンテストリーダー） - 主な知見： Web・NW診断、 Cloud、 OSINT、 Pentest・Red Team、 IoT系など - 資格： OSWP、 OSCP、 OSEP、 OSCE（old）、 OSWA、 OSWE、 OSDA、 OSEE、 GXPN、 CRTO、 CRTL、 CRTE、 CRTMなど - Microsoft researcher (MVR)： 2023 Annual – 61 place - ちょっとしたCVE一覧: CVE-2021-22159, CVE-2021-40118, CVE-2021-29644, CVE-2021-29645, CVE-2021-20679, CVE-2022-25294, CVE-2022-1038, CVE2022-22814, CVE-2022-28719, CVE-2022-27773, CVE-2022-44669, CVE2023-33148, CVE-2023-21726, CVE-2023-21777, CVE-2023-22335, CVE2023-22336, CVE-2023-22344

• https://twitter.com/cryptopeg

発見した脆弱性（一部） ※横展開に使用可能なもの CVE番号 対象製品 脆弱性種類 CVE-2021-22159 Proofpoint ITM (旧ObserveIT) 権限昇格 CVE-2022-25294 Proofpoint ITM (旧ObserveIT) 権限昇格 CVE-2022-1038 HP Jumpstart 権限昇格 CVE-2022-22814 ASUS System Diagnosis 権限昇格 CVE-2021-29644 Hitachi JP1 リモートコード実行 CVE-2021-29645 Hitachi JP1 権限昇格 CVE-2022-27773 Ivanti Endpoint Manager (旧LANDesk) 権限昇格/リモートコード実行 CVE-2022-28719 ハンモックAssetView リモートコード実行 CVE-2023-22335 IT 資産管理ツールSS1 不適切なアクセス制御 CVE-2023-22336 IT 資産管理ツールSS1 パストラバーサル CVE-2023-22344 IT 資産管理ツールSS1 ハードコードされたパスワード CVE-2024-24964 SkySea Client View 権限昇格 CVE-2024-41139 SkySea Client View 権限昇格 CVE-2024-41143 SkySea Client View 権限昇格 CVE-2024-41726 SkySea Client View パストラバーサル（RCE） CVE-2022-44669 Microsoft Windows 権限昇格 CVE-2023-21726 Microsoft Windows 権限昇格 CVE-2023-33148 Microsoft Office 権限昇格 なし Microsoft OneDrive 権限昇格 分類 リスク管理 ベンダー 資産管理 OS/Office

Attack Surface for LPE on Windows • Privilege escalation requires some way of communicating between a low privileged side and high privileged side. • There can be logic bugs and binary bugs. • Medium Integrity is the most common starting point (normal user without Administrator group) • High Integrity is effectively SYSTEM • RPC is protocol over different low level transports (pipes, network, ALPC) • OneDrive => FileSyncHelper uses RPC over ALPC Medium Integrity High / System Integrity PIPE Attacker.exe TCP/UDP Client.exe Service.exe ALPC RPC … RPC Mailslots Shared Memory COM etc …

NtObjectManager • • • • • • • • Install-Module -Name NtObjectManager Import-Module -Name NtObjectManager ls "FileSyncHelper.exe" | Get-RpcServer $client = ('FileSyncHelper.exe' | Get-RpcServer)[0] $cl = Get-RpcClient $client Connect-RpcClient -Client $cl $cl | Get-Member $client | Format-RpcServer Link: https://www.powershellgallery.com/packages/NtObjectManager/1.1.32 Example: https://clearbluejar.github.io/posts/from-ntobjectmanager-to-petitpotam/

Service Activation Trigger • FileSyncHelper service comes preinstalled on Windows 11, but it will only run if OneDrive is used by user. • Still there is an RPC trigger registered for it, that allows any user to start that service. • It is important to remember that there are a lot of services that only activated once some conditions are satisfied. • Be sure to check Triggers page in System Informer (Process Hacker)

Calling RPC functions and Process Monitor • Calling most of the functions will fail with error 0x80040C97. • In Process Monitor we see following pattern: => LOAD wintrust.dll => READ powershell.exe • This is certificate check on the calling process's binary. • It can be bypassed as we can inject out code into any application (which has correct signature). Only file on disk is usually checked. • We need to disable this check to continue our research.

Certificate check bypass • Attach debugger to privileged RPC server (FileSyncHelper.exe). Set breakpoint WinVerifyTrust and return to user code. • Function name is suggested by debug message: CertVerifier::VerifyMicrosoftTrust • Next function is RpcServerUtil::VerifyProcessTrustByPID • We will patch this one to always return SUCCESS, meaning that our app is valid signed by Microsoft.

Reaching RPC function logic • Correct way to find vulnerability should be investigating server code statically combined with dynamic invoking methods with dummy arguments. But you can always just try to call it with arguments you loke and see what happens! • Most interesting RPC functions are the ones that accept string value. • Since there are only 7 function exposed from which only 3 are accepting string argument, we quickly identified the one that appears to be part of the file path. • $cl.operator__2("\..\..\..\test\asd.txt", 0) • By looking at Process Monitor while trying to guess arguments we notice that is possible to “path traversal” to any file, and if file we pointed to exists, it gets deleted.

Root cause • At this point we go to check RPC server code to see what is going on. • Developers name for the function we called: => PrepareVaultVHD • String argument is named vhdPath and used to call following WinAPIs: => PathFileExitsW(vhdPath) => DeleteFileW(vhdPath)

Hint to locate RPC methods • Search binary for DWORD value 0xE0290363 (which is part of interface GUID we got from NtObjectManager). • Look for second non-zero pointer near the reference you found and follow it. • Here take second pointer from the top, and you get list of function pointers to RPC methods.

Exploitation strategy • There is known method to convert file deletion to code execution: • https://www.thezdi.com/blog/2022/3/16/abusing-arbitrary-file-deletes-toescalate-privilege-and-other-great-tricks • Short description: we can abuse Windows Installer Rollback mechanism: • Execute specially crafted *.msi file that waits for some time and triggers error starting rollback. (we can install *.msi that does not require elevation as non administrator) • Before rollback is triggered our exploit deletes C:\Config.Msi folder that was created by windows and contains *.rbs file with instructions on how to rollback currently running *.msi file. • Since folder C:\Config.Msi does not exists anymore, we can create a new one that will have weak permissions allowing us to write into it. • We drop our malicious *.rbs file with rollback instructions to copy arbitrary file to privileged location. • Windows Installer starts rollback with our *.rbs file • Our file deletion exploit can be converted to a folder deletion by using a special path format (NTFS stream): • C:\MyFolder::$INDEX_ALLOCATION • With this we can copy our DLL file to system32, allowing for DLL Hijack on some other services, getting code execution as SYSTEM.

• https://www.thezdi.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks