Microsoft Windows Local WebDAV NTLM Reflection Privilege Escalation

2015.03.25
Credit: James Forshaw
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-264

Windows Local WebDAV NTLM Reflection Elevation of Privilege Platform: Windows 8.1 Update, Windows 7 Class: Elevation of Privilege Disclosure Date: 18th March 2015 Reference: https://code.google.com/p/google-security-research/issues/detail?id=222 Summary: A default installation of Windows 7/8 can be made to perform a NTLM reflection attack through WebDAV which allows a local user to elevate privileges to local system. It can also be used to escape application sandboxes if TCP socket access is not blocked. This issue was reported to Microsoft Security Response Center in December 2014. Microsoft have decided not to change the default behaviour to fix this issue, therefore all current Windows client platforms are vulnerable to this privilege escalation unless mitigations are applied. Description: NTLM reflection is a well known issue with Windows authentication. It?s typically abused in networked scenarios to reflect credentials from one machine to another. It used to be possible to reflect credentials back to the same machine but that was mitigated in MS08-068 by not honouring NTLM authentication sessions already in flight. However this did nothing to stop cross-protocol attacks. It?s possible to abuse cross-protocol NTLM reflection to attack the local SMB server by forcing a local system process to access a WebDAV UNC path. The NTLM authentication can then be reflected locally authenticating to the Server service as NT AUTHORITY\SYSTEM. From this it?s possible to elevate privileges by writing files to the admin shares or connecting to the service manager named pipe. This issue is known about and mitigations were created, such as Extended Protection for Authentication. However due to compatibility concerns these mitigations are not enabled by default. As Microsoft will not be issuing a security bulletin for this issue following the mitigation guidance below. Mitigations: By default all Windows client installations are vulnerable. Even though the WebClient service is not started by default it?s possible to start it using service triggers. The recommended fixes for this issue are: * Enable SMB signing, or, * Enable SMB Server SPN verification Please see the following references for more information on the issue and how to configure the mitigations. Security Advisory: https://technet.microsoft.com/library/security/973811 KB Article: http://support.microsoft.com/kb/973811 SMB EPA KB article http://support.microsoft.com/kb/2345886 You can also disable the WebClient service completely, however that only mitigates this specific expression, it might be possible to achieve the exploitation in other ways, such as DCE/RPC. Disclosure Timeline: - 18 Dec 2014: Sent Microsoft details of issue and proof-of-concept - 18 Dec 2014: Received confirmation and MSRC case number 21243 - 20 Jan 2015: Received correspondence from Microsoft detailing their thoughts that it?s a known issue and due to application compatibility concerns mitigations default to off - 20 Jan 2015: Requested clarification on whether Microsoft intended to fix the issue or not - 10 Mar 2015: Notified Microsoft of the upcoming 90 day deadline - 18 Mar 2015: Got final response from Microsoft indicating they would not be fixing the issue and consider mitigations sufficient - 18 Mar 2015: Marked as WontFix and removed view restriction on the issue

References:

https://code.google.com/p/google-security-research/issues/detail?id=222


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top