Menu

Improved exploit search engine. Try it out

"Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation"

Author

SandboxEscaper

Platform

windows

Release date

2019-05-22

Release Date Title Type Platform Author
2019-06-14 "Aida64 6.00.5100 - 'Log to CSV File' Local SEH Buffer Overflow" local windows "Nipun Jaswal"
2019-06-13 "Pronestor Health Monitoring < 8.1.11.0 - Privilege Escalation" local windows PovlTekstTV
2019-06-11 "ProShow 9.0.3797 - Local Privilege Escalation" local windows Yonatan_Correa
2019-06-05 "IBM Websphere Application Server - Network Deployment Untrusted Data Deserialization Remote Code Execution (Metasploit)" remote windows Metasploit
2019-06-07 "Microsoft Windows - AppX Deployment Service Local Privilege Escalation (3)" local windows SandboxEscaper
2019-06-03 "Nvidia GeForce Experience Web Helper - Command Injection" local windows "Rhino Security Labs"
2019-06-04 "DVD X Player 5.5 Pro - Local Buffer Overflow (SEH)" local windows "Kevin Randall"
2014-11-24 "Microsoft Windows 8.1/ Server 2012 - 'Win32k.sys' Local Privilege Escalation (MS14-058)" local windows anonymous
2019-05-30 "Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service" dos windows n1xbyte
2019-05-28 "Petraware pTransformer ADC < 2.1.7.22827 - Login Bypass" remote windows "Faudhzan Rahman"
2019-05-23 "Microsoft Windows - AppX Deployment Service Local Privilege Escalation (2)" local windows SandboxEscaper
2019-05-29 "Free SMTP Server 2.5 - Denial of Service (PoC)" dos windows "Metin Yunus Kandemir"
2019-05-27 "Pidgin 2.13.0 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-24 "Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption" remote windows "Simon Zuckerbraun"
2019-05-24 "Axessh 4.2 - 'Log file name' Local Stack-based Buffer Overflow" local windows "Uday Mittal"
2019-05-15 "Microsoft Windows - 'Win32k' Local Privilege Escalation" local windows ExpLife0011
2019-05-22 "Microsoft Internet Explorer 11 - Sandbox Escape" local windows SandboxEscaper
2019-05-22 "Microsoft Windows (x84) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation" local windows SandboxEscaper
2019-05-23 "Microsoft Windows 10 1809 - 'CmKeyBodyRemapToVirtualForEnum' Arbitrary Key Enumeration Privilege Escalation" local windows "Google Security Research"
2019-05-22 "Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation" local windows SandboxEscaper
2019-05-23 "Microsoft Windows 10 (17763.379) - Install DLL" local windows SandboxEscaper
2019-05-24 "Fast AVI MPEG Joiner - 'License Name' Denial of Service (PoC)" dos windows Achilles
2019-05-24 "Cyberoam General Authentication Client 2.1.2.7 - 'Server Address' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam Transparent Authentication Suite 2.1.2.5 - 'NetBIOS Name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam Transparent Authentication Suite 2.1.2.5 - 'Fully Qualified Domain Name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam SSLVPN Client 1.3.1.30 - 'HTTP Proxy' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam SSLVPN Client 1.3.1.30 - 'Connect To Server' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-23 "Terminal Services Manager 3.2.1 - Denial of Service" dos windows "Alejandra Sánchez"
2019-05-23 "NetAware 1.20 - 'Share Name' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-23 "NetAware 1.20 - 'Add Block' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46917/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46917/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46917/41334/microsoft-windows-x84x64-error-reporting-discretionary-access-control-list-local-privilege-escalation/download/", "exploit_id": "46917", "exploit_description": "\"Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation\"", "exploit_date": "2019-05-22", "exploit_author": "SandboxEscaper", "exploit_type": "local", "exploit_platform": "windows", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
EDIT: Apparently this was patched earlier this month.. so whatever.

Windows Error Reporting Arbitrary DACL write

It can take upwards of 15 minutes for the bug to trigger. If it takes too long, closing the program, cleaning out the reportarchive folder in programdata (it may mess up the timing if there's too many reports in there as result of running our poc for too long), deleting the c:\blah folder.. etc.. might help. 

I guess a more determined attacker might be able to make it more reliable. It is just an insanely small window in which we can win our race, I wasn't even sure if I could ever exploit it at all. 

I don't see a way to use OPLOCKS to reliably win the race.. and while I can make it work fairly reliable in my VM, I need to use a "rand()" function to bruteforce a delay needed to hit the correct timing.. because this timing will vary wildly from hardware setup to setup.

Overview:

1. We turn c:\programdata\microsoft\windows\wer\reportqueue into a junction point to c:\blah 

2. In c:\blah we create a folder named 1_1_1_1_1, and inside we dump a .wer file and another file called test

3. We trigger the WER reporting queue task

4. When the service tries to write a DACL we delete the file "test" after it calls GetSecurityFile on it and replace it with a hardlink, on which the service will call SetSecurityFile.

Bug description:

The WER service will try to delete both files while not impersonating when we trigger the reporting queue task. It does extensive testing against junctions.. so we cannot abuse that.

However it will write a DACL to both files, to ensure that SYSTEM has the "delete" right over them. The way this works is in two steps:

1. It calls GetFileSecurity and gets a security descriptor (or whatever the technical name is)

2. It adds some stuff to the security descriptor so SYSTEM has delete rights, and then writes it back to the file using SetFileSecurity

It also closes file handles between both function calls which is convenient.

This means that if between both function calls we plant a hardlink.. it will first get the security descriptor from a normal file which authenticated users can write to. It will then copy these permissions, and applies this security descriptor to a hardlink pointing to an entirely different file.

The race condition is incredibly hard to win. I havn't tested on another setup.. but you definitely need multiple processor cores and you may have to wait minutes for it to work (It can take a really long time.. ). Anyway... in an LPE scenario time is not that much of an issue. 

A succesful run will look like this. You can see the hardlink being created after the QuerySecurityFile and before SetSecurityFile.

You can also ofcourse look in IDA (wer.dll) and confirm there. The vulnerable function is: UtilAddAccessToPath

Steps to reproduce:

1. Copy AngryPolarBearBug.exe and report.wer into the same folder

2. Run AngryPolarBearBug.exe

After many long minutes it should stop and c:\windows\system32\drivers\pci.sys should now by writeable from non-admin.

Again.. I have only tested this on both my VM and host, I don't even know if the random delay range will work on other hardware setups (it basically tries to bruteforce the correct timing).. so I hope you can repo it.

EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46917.zip