Windows 8.1 (32/64 bit) – Privilege Escalation

J0hn.X3r / / Exploits

Ahoi,

auch wenn es etwas verspaetet kommt (da davon vor ein paar Tagen berichtet wurde), moechte ich der Sache dennoch einen eigenen Blogeintrag widmen. Wie die meisten vermutlich mitbekommen haben, hat das “Google Sicherheitsteam” eine Luecke in Windows 8.1. gefunden, mit der es u.a. moeglich ist, Prozesse als Administrator auszufuehren, ohne einer zu sein. Die Luecke befindet sich in einer Funktion (NtApphelpCacheControl) in der Datei ahcache.sys, die nicht richtig ueberprueft, ob der User ein Administrator ist.

James Forshaw hat die Luecke am 30. September 2014 an Microsoft gemeldet und ihnen eine Frist von 30 Tagen gegeben, die Luecke zu schließen. Da dies nicht geschehen ist, hat er die Luecke am 29. Dezember 2014 hier veroeffentlicht: https://code.google.com/p/google-security-research/issues/detail?id=118

Platform: Windows 8.1 Update 32/64 bit (No other OS tested)

On Windows 8.1 update the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext.

This function has a vulnerability where it doesn’t correctly check the impersonation token of the caller to determine if the user is an administrator. It reads the caller’s impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem’s SID. It doesn’t check the impersonation level of the token so it’s possible to get an identify token on your thread from a local system process and bypass this check. For this purpose the PoC abuses the BITS service and COM to get the impersonation token but there are probably other ways.

It is just then a case of finding a way to exploit the vulnerability. In the PoC a cache entry is made for an UAC auto-elevate executable (say ComputerDefaults.exe) and sets up the cache to point to the app compat entry for regsvr32 which forces a RedirectExe shim to reload regsvr32.exe. However any executable could be used, the trick would be finding a suitable pre-existing app compat configuration to abuse.

It’s unclear if Windows 7 is vulnerable as the code path for update has a TCB privilege check on it (although it looks like depending on the flags this might be bypassable). No effort has been made to verify it on Windows 7. NOTE: This is not a bug in UAC, it is just using UAC auto elevation for demonstration purposes.

The PoC has been tested on Windows 8.1 update, both 32 bit and 64 bit versions. I’d recommend running on 32 bit just to be sure. To verify perform the following steps:

1) Put the AppCompatCache.exe and Testdll.dll on disk
2) Ensure that UAC is enabled, the current user is a split-token admin and the UAC setting is the default (no prompt for specific executables).
3) Execute AppCompatCache from the command prompt with the command line “AppCompatCache.exe c:\windows\system32\ComputerDefaults.exe testdll.dll”.
4) If successful then the calculator should appear running as an administrator. If it doesn’t work first time (and you get the ComputerDefaults program) re-run the exploit from 3, there seems to be a caching/timing issue sometimes on first run.

Ein Proof of Concept ist auf der Quellseite verfuegbar, einen Mirror gibts auch hier.

Ich kann dazu nur sagen, dass es auf meinem eigenen System funktioniert hat. Getestet auf Windows 8.1 64bit – jedoch erst beim zweiten Ausfuehren.

37 Replies to “Windows 8.1 (32/64 bit) – Privilege Escalation”

  1. wen wohl da microsoft ne offene tür hinterlassen hat ist ja wohl klar
    jedoch haben sie es warscheinlich nicht von google erwartet 😉
    da google auch mit nsa kooperiert.

    cYa BUSTER

  2. Pingback: free no deposit bonus casino cashout real money
  3. Pingback: best online casino real money florida
  4. Pingback: celebrex tablets a comprehensive view
  5. Pingback: buy lamictal 100mg
  6. Pingback: ondansetron prices
  7. Pingback: naltrexone buy canada
  8. Pingback: can i buy lipitor from canada
  9. Pingback: olanzapine 2023
  10. Pingback: 2 claritin pills
  11. Pingback: where to buy tadalafil 20mg
  12. Pingback: cialis daily tadalafil 20mg price best
  13. Pingback: what is the cost of a 20 mg cialis pill in london
  14. Pingback: where can i buy topamax
  15. Pingback: where is the cheapest place to buy omeprazole
  16. Pingback: tadalafil 20 mg dr reddy
  17. Pingback: cheapest place to buy januvia
  18. Pingback: buy diltiazem online
  19. Pingback: amlodipine
  20. Pingback: crestor
  21. Pingback: buy cheap neurontin
  22. Pingback: lasix
  23. Pingback: generic voltaren
  24. Pingback: flomax capsules tablets
  25. Pingback: when do allegra pills expire
  26. Pingback: prednisolone 20mg
  27. Pingback: buy generic synthroid online
  28. Pingback: vardenafil zhewitra-20 vs cialis
  29. Pingback: nexium discount card
  30. Pingback: where to buy singulair no prescription
  31. Pingback: order depakote online
  32. Pingback: where to buy cialis cheap
  33. Pingback: discount coupons for levitra
  34. Pingback: wholesale cialis suppliers
  35. Pingback: buy viagra quebec
  36. Pingback: buy tadalafil 20mg price
  37. Pingback: tadalafil 20 mg cost walmart

Leave a Reply

Your email address will not be published. Required fields are marked *