FULLSHADE (41)
Last Login: May 17, 2020
FULLSHADE's Latest (7) Contributions
Technical Analysis
Overview
A vulnerability was discovered within CyberArk Endpoint Privilege Managers driver (CybKernelTracker.sys). This driver contains a call back functionality that is called every time for an image or a dll to be loaded loaded on the system, this callback allocates non paged pool memory (allocates memory from the kernel pool), and the allocation occurs to copy the image path of the object being loaded, but it does not take into account the buffer size of the path size. By loading an object (image) that is longer than the buffer size, an attacker is able to overwrite part of the kernel non paged pool memory invoking a kernel pool overflow.
This callback routine is not loaded into the system by default, but once installed, successful exploitation of this vulnerability can allow for an unprivileged and non authenticated user to obtain system-level access on the system.
Impact
Including this vulnerable driver on your system can lead to the degradation of your systems security and integrity, the impact risk is very high due to a non privileged user being able to communicate with this driver. Successful exploitation of this vulnerability can allow a user to either escalate their privileges by weaponizing a proof-of-concept, or simply crashing and dosing the system.
Recommended remediation
The recommended remediation and fix for this vulnerability is to update your cyberark software to the latest version, cyberark has responded to this vulnerability and patched it with a newly released version of the updated driver.
Technical Analysis
[edit]
this assessment is covering one of the POC techniques used to exploit the vulnerability, I much prefer the way @bwatters-r7 covers the details of the vulnerability.
This CVE includes an incorrect description (a very weak description that does a poor job of describing the actual vulnerability) please see the sources/citations/original CVE POC postings, I have also reached out to the POC authors.
Overview
A vulnerability was discovered within the Update Orchestrator Service within Windows 10, This service allows for updating and checking for updates on a Windows system. A user has the ability to interact with the service using COM to provide an update scan or to download any pending updates for the system.
This service runs under SYSTEM on the window system, and it tries to load a missing dll. This vulnerability can be classed as a dll hijacking vulnerability, where a user can add the windowscoredeviceinfo.dll To the windows system32 directory, and you can have it loaded by the Uso service to obtain arbitrary code execution at a system level.
After someone with the ability to write to the system 32 directory, either an administrator or a low-level user that has some sort of arbitrary right primitive, a user can then use the command usoclient StartInteractiveScan as a trigger for the vulnerability.
Impact
Successful exploitation of this vulnerability can lead to an unauthorized and unauthenticated user obtaining system-level access in kernel mode on the system. Successful exploitation of this vulnerability can grant a user from a low Integrity standpoint to obtain NT/Authority access.
This vulnerability would allow for the degradation of the integrity and security of the victim’s house system.
A working proof-of-concept for the exploitation of this vulnerability does exist.
https://www.youtube.com/watch?v=ml2feXa6cCY
https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0668
Recommended remediation
The recommended security remediation for this vulnerability is to follow the provided security updates from Microsoft, and await any sort of patching that your company may push out.
C:\Users\123>sc qc UsoSvc [SC] QueryServiceConfig SUCCESS SERVICE_NAME: UsoSvc TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Update Orchestrator Service for Windows Update DEPENDENCIES : rpcss SERVICE_START_NAME : LocalSystem
Technical Analysis
Overview
A vulnerability was discovered within the Viper driver RGB version 11, where it did not properly perform input sanitize action against IOCTL 0x80102040 input from user mode. Successful exploitation of this vulnerability leads to the escalation of a user’s privilege, allowing for an unauthorized and unauthenticated user to obtain system privileges. The vulnerability class for this driver CVE is a standard stack-based buffer overflow.
A proof-of-concept does exist, provided by core security, the proof-of-concept is proven to work on a Windows 7 system, porting this vulnerability to a higher version of Windows would require additional security mitigation bypasses.
Impact
Including this vulnerable version of this driver on your system will lead to a degradation of integrity and diminishes all aspects of security for the host. This vulnerable driver allows for an attacker to obtain higher levels of privilege than they’re supposed to have from an unauthenticated standpoint.
Recommended remediation
The recommended remediation for this vulnerability is to update your drivers and to follow any guidelines for updating the software that provides this vulnerable driver.
Technical Analysis
This vulnerability takes advantage of an exposed IOCTL code (0x80112084) within the kerneld.sys driver that’s included within AIDA64. One of the control registers in the x86 instruction set is known as the MSR, the Model specific register is used for debugging, program execution tracing, computer performance monitoring and managing and toggling certain CPU functionality.. This driver instructs a binary to modify this register on the victim system, and successful exploitation of this vulnerability can allow for ring-0 code execution from an unauthorized and unauthenticated user mode standpoint. Successful exploitation of an exposed write WRMSR instruction can give us a pointer overwrite primitive. Because this driver does not appropriately filter access to MSRs which will allow an attacker to overwrite It and our pointer is called in ring-0.
The commonly used technique for this, is an attacked will use this R/W from the physical MSR register, and use that to traverse SYSTEM processes EPROCESS structure for SYSTEM level tokens, and either spawning a new process or swapping the new SYSTEM token with their current processes.
On January 1st FireEye contacted the vendor with disclosure of the vulnerability. And on November 4th, 2019 FireEye verified that the issue was successfully resolved.
The recommended mitigation is to update your current AIDA64 with the latest provided version of the software.
Technical Analysis
This vulnerability takes advantage of a null pointer dereference within the Windows win32k.sys driver, win32k.sys is notorious for including GDI objects and other objects that can be abused and utilized for various types of exploitation. This vulnerability takes advantage of pop-up menu objects, and exploitation of this vulnerability can grant the user system access, AKA Escalation of privilege. This vulnerability displays a menu using the TrackPopupMenu function, And code that is hooked to EVENT_SYSTEM_MENUPOPUPSTART gets executed.
This vulnerability also flips the bServerSideWindowProc bit within the tagWND data structure, Also it utilizes the tagWND structure to leak kernel memory addresses.
This vulnerability seems to be mitigated on the newer versions of windows, within Windows 8.1 with the introduction of various mitigations, null pointer dereference vulnerabilities stopped existing. And on some newer and more previous windows 10 security updates, there have been mitigations to prevent kernel address leakage from the tagWND structure.
Technical Analysis
This vulnerability exploits an integer overflow vulnerability that exists in SMBv3.1.1’s decompression algorithm which is within it’s kernel-mode driver (srv2.sys), srv2!Srv2DecompressData is the routine which is responsible for the decompression of compressed request packets. The successful exploitation of this vulnerability will allow an unprivileged user pre authenticated remote code execution which can grant a system level shell.
The impact that the exploitation of this vulnerability has is very high, due to this having the ability to be exploited remotely and the sense that it grants system level access in kernel mode. This vulnerability has also been deemed as wormable which makes it a priority for attackers to utilize.
Microsoft has released a patch for this, and everyone should take proper precautions when enabling compression within SMB.
I was way off, thank you for this, I was following a few public POCs to help guide me on some of the details due to the lack of publish details, and it seems my understanding was skewed when I published my initial analysis. My initial analysis ends up covering one of the POCs, and not specifically the vulnerability. Thank you, I will use this to re-do an assessment.