Windows Defender Elevation Of Privileges Vulnerability
Well, first of all, why?
Because Microsoft stopped their shitty bug bounty program for Windows EoP bugs, I don’t have any interest in reporting them to the vendor.
In the last decade I was looking for Windows Defender bugs, but I was just spending time; I thought MS had just made the perfect AV, until I saw this:
However, this is the description From Microsoft:
The guy who’s acknowledged usually discloses his bugs, so I was waiting for him this time to see if I could bypass the security patch.
Then he posted his article, and when I read his write-up it seemed bypassable to me (if you’re reading this, it4mn, THANK YOU!).
Let’s get into the bug. On a default configuration there’s a file at c:\windows\temp\mpcmdrun.log. This file is used for logging events that happen in the MpCmdRun.exe process, which runs in the context of the local system (the highest privileges that exist on Windows). As it4mn said, the log file must reach 16,777,216 bytes (16MB) in order to trigger the bug. Let’s look at it in Process Monitor; you can download it here.
Okay, let’s try to reproduce the bug.
Let’s see what happens in procmon:
As you can see, the patch seems to be working as it is supposed to. You can see MpCmdRun.exe opening the junction with GENERIC_ALL access and then issuing the control codes FSCTL_GET_REPARSE_POINT and FSCTL_DELETE_REPARSE_POINT, both of which succeed. The get reparse point control simply checks whether the directory is a reparse point, while the delete reparse point control converts the junction mpcmdrun.log.bak back into a plain directory before the process proceeds to delete it. Seems to be patched correctly! But there’s still something wrong with the patch: the reparse-point check covers only the top-level directory. What if we created a junction inside mpcmdrun.log.bak, e.g. mpcmdrun.log.bak\test? Let’s check it out.
It worked: we now have an arbitrary file deletion issue in Windows Defender.
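The defect the post observes is a check that inspects only the directory being deleted, not the entries beneath it. The following Python is an added example (not code from the post, from it4mn, or from Microsoft) showing that check beside a hardened one that walks the tree without following links and refuses the deletion if any component is a reparse point. The layout it builds is constructed in a temporary directory, and a symlink stands in for the junction so the demo also runs on Linux and macOS; names such as `guarded_delete` and `demo` are mine.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Windows attribute bit for junctions and symlinks; stat.FILE_ATTRIBUTE_REPARSE_POINT
# only exists on Windows builds of Python, so fall back to the documented constant.
REPARSE_ATTR = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_reparse_point(path: Path) -> bool:
    """True if `path` itself is a symlink or junction, examined without following it."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & REPARSE_ATTR)


def top_level_only_check(target: Path) -> bool:
    """Mimics the check the post observes in the patch: only `target` itself is tested."""
    return not is_reparse_point(target)


def reparse_free_tree(target: Path) -> bool:
    """Hardened check: refuse the tree if `target` or anything beneath it is a reparse
    point. os.walk is told not to follow links, so a linked directory is listed in
    `dirs` but never descended into, and every entry is tested before any deletion."""
    if is_reparse_point(target):
        return False
    for root, dirs, files in os.walk(target, followlinks=False):
        for name in dirs + files:
            if is_reparse_point(Path(root) / name):
                return False
    return True


def guarded_delete(target: Path) -> bool:
    """Delete `target` only when the hardened check passes; returns whether it was deleted."""
    if not reparse_free_tree(target):
        return False
    shutil.rmtree(target)
    return True


def demo() -> dict:
    """Constructed layout standing in for the post's scenario: a plain directory named
    like the rotated log, with a link planted one level down that points at data the
    privileged process must never delete (a symlink stands in for the junction)."""
    base = Path(tempfile.mkdtemp())
    victim = base / "victim"
    victim.mkdir()
    (victim / "important.txt").write_text("keep me")
    bak = base / "mpcmdrun.log.bak"
    bak.mkdir()
    os.symlink(victim, bak / "test", target_is_directory=True)
    try:
        return {
            "top_level_only_passes": top_level_only_check(bak),  # fooled: bak is a real dir
            "hardened_passes": reparse_free_tree(bak),           # refuses: bak/test is a link
            "deleted": guarded_delete(bak),
            "victim_intact": (victim / "important.txt").exists(),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

The point is the check, not the deletion call: a privileged cleanup routine that validates only the root of a user-influenced path is exactly what the nested-junction bypass defeats, and the fix is to validate every component before anything is removed.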
Okay, let’s do some more damage: let’s go for a SYSTEM shell.
NOTE: this method will work on Windows 10 only.
Let’s see what privileges are given to MpCmdRun.exe; we can inspect them in Process Explorer.
It looks like MpCmdRun.exe is a child process of MsMpEng.exe, which is actually the AV engine. Let’s check the AV:
It runs in the context of NT AUTHORITY\SYSTEM, but what about the other privileges in the token?
SeRestorePrivilege seems to be enabled; this happens because of the token inherited from MsMpEng.exe.
This seems destructive: this privilege allows its holder to delete any file even when the ACL does not allow it.
In this case we have the ability to hijack a service. We will target the Windows Media Player Network Service, which is by default located at C:\Program Files\Windows Media Player\wmpnetwk.exe. This file is protected by NT SERVICE\TRUSTEDINSTALLER; this mitigation protects such folders from being deleted by a privileged process (such as Administrators or SYSTEM), and here is the role of having SeRestorePrivilege enabled: it allows us to bypass this mitigation, so we can clean the entire directory C:\Program Files\Windows Media Player.
However, the Windows Media Player Network Service is an on-demand service in Windows 10 and its ACL allows the INTERACTIVE group to start it; we can inspect such service details in Process Hacker. That is some good info: if we have the ability to recreate the C:\Program Files\Windows Media Player directory, we can hijack the service with a malicious one. Luckily, and a big thanks to jonasLyk for providing a technique that allows arbitrary directory creation from an arbitrary file deletion, you can see the article here.
The technique is simple: if we delete the entire C:\ProgramData\Microsoft\Windows\WER directory, the Windows Error Reporting tool will recreate it for us and then create C:\ProgramData\Microsoft\Windows\WER\Temp, giving Authenticated Users write and delete access on both the WER and Temp directories. This allows a user to abuse the Temp folder creation by creating a reparse point from C:\ProgramData\Microsoft\Windows\WER to \RPC CONTROL\ and then a symlink from \RPC CONTROL\Temp -> C:\Program Files\Windows Media Player, so as soon as we rerun the scheduled task \Microsoft\Windows\Windows Error Reporting\QueueReporting, the C:\Program Files\Windows Media Player folder is created with new rights allowing authenticated users to write to it. We can then write a payload and start the service; the only problem left is the privileges we gain.
As you can see here, we aren’t running as NT AUTHORITY\SYSTEM; instead the service runs as NT AUTHORITY\Network Service. This service account doesn’t have full control over the system, which is an issue we can easily address. Thanks again to it4mn for his awesome blog about elevating from Network Service to SYSTEM; you can find it here.
You can find the PoC here. It’s a chained one, so it’s supposed to spawn a SYSTEM shell when it succeeds.
NOTES
- Exploiting the issue will take up to 35min; according to clement we need to fill mpcmdrun.log with 16.5mb of data in order to trigger the issue.
- The PoC will work only on Windows 10; I didn’t test it on Windows Server.
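Each stage of the chain described above leaves a distinct trace in Process Monitor: Defender removing a reparse point on its own log path, the SYSTEM-level MpCmdRun.exe deleting under C:\Program Files, and a non-SYSTEM user setting a reparse point under the WER directory. The scanner below is an added example (not part of the post, and not a Microsoft or it4mn tool) that runs those three rules over a constructed CSV export. The column layout follows Procmon’s Save-as-CSV with the User column enabled; the Detail wordings (`Control: FSCTL_...`, `Delete: True`, `FILE_DISPOSITION_DELETE`), the protected path prefixes and the rule names are my assumptions, and the sample rows are invented, not captured from a real machine.

```python
import csv
import io

# Constructed Process Monitor CSV export (not captured from a real machine); the column
# layout follows Procmon's "Save as CSV" with the User column enabled.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail","User"
"10:01:02.1","MpCmdRun.exe","4242","FileSystemControl","C:\\Windows\\Temp\\MpCmdRun.log.bak","SUCCESS","Control: FSCTL_GET_REPARSE_POINT","NT AUTHORITY\\SYSTEM"
"10:01:02.2","MpCmdRun.exe","4242","FileSystemControl","C:\\Windows\\Temp\\MpCmdRun.log.bak","SUCCESS","Control: FSCTL_DELETE_REPARSE_POINT","NT AUTHORITY\\SYSTEM"
"10:01:02.3","MpCmdRun.exe","4242","SetDispositionInformationFile","C:\\Program Files\\Windows Media Player\\wmpnetwk.exe","SUCCESS","Delete: True","NT AUTHORITY\\SYSTEM"
"10:02:10.0","cmd.exe","5150","FileSystemControl","C:\\ProgramData\\Microsoft\\Windows\\WER","SUCCESS","Control: FSCTL_SET_REPARSE_POINT","DESKTOP-X\\lowpriv"
"10:03:00.0","svchost.exe","900","SetDispositionInformationFile","C:\\Windows\\Temp\\scratch.tmp","SUCCESS","Delete: True","NT AUTHORITY\\SYSTEM"
"""

# Assumed list of trees a Defender maintenance process has no business deleting from.
PROTECTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
)
WER_DIR = "c:\\programdata\\microsoft\\windows\\wer"


def is_delete(operation: str, detail: str) -> bool:
    """Procmon records deletes as SetDispositionInformationFile ("Delete: True") or, on
    newer builds, SetDispositionInformationEx with FILE_DISPOSITION_DELETE in the flags."""
    return operation.startswith("SetDispositionInformation") and (
        "Delete: True" in detail or "FILE_DISPOSITION_DELETE" in detail
    )


def scan_procmon_csv(text: str) -> list:
    """Return one finding per suspicious row, in file order."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        proc = row["Process Name"].lower()
        op, path, detail, user = row["Operation"], row["Path"], row["Detail"], row["User"]
        lpath = path.lower()

        # Rule 1: Defender converting a reparse point back into a directory on its own log
        # path. This is normal during rotation, so it is low severity on its own; it
        # becomes interesting when followed by rule 2 in the same trace.
        if proc == "mpcmdrun.exe" and op == "FileSystemControl" \
                and "FSCTL_DELETE_REPARSE_POINT" in detail:
            findings.append({"rule": "defender_removed_reparse_point", "path": path})

        # Rule 2: the SYSTEM-level Defender helper deleting inside a protected tree,
        # which is the observable effect of the redirected delete.
        if proc == "mpcmdrun.exe" and is_delete(op, detail) \
                and lpath.startswith(PROTECTED_PREFIXES):
            findings.append({"rule": "defender_delete_outside_temp", "path": path})

        # Rule 3: a non-SYSTEM account planting a reparse point under the WER directory,
        # which the post relies on to turn the deletion into a directory creation.
        if op == "FileSystemControl" and "FSCTL_SET_REPARSE_POINT" in detail \
                and lpath.startswith(WER_DIR) \
                and not user.upper().startswith("NT AUTHORITY\\"):
            findings.append({"rule": "user_reparse_point_under_wer", "path": path})
    return findings


if __name__ == "__main__":
    for f in scan_procmon_csv(SAMPLE_PROCMON_CSV):
        print(f["rule"], "->", f["path"])
```

Rule 1 fires on every legitimate log rotation once the log reaches the 16MB threshold, so it is best used to correlate rather than alert: a rotation followed within seconds by rule 2 from the same PID is the signal, and rule 3 from an interactive account is the precursor worth keeping as its own alert.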
And lastly, shout-out to @jeff.