Local Privilege Escalation
CVE-2019-16896
Affected Products
K7 Ultimate Security version 16.0.0117 (could affect up to and including 16.0.0120; unverified by vendor and I lost the snapshot for that version :( )
Vulnerability Type
Improper Access Control
Impact
Arbitrary File Write
Summary
The backup module improperly validates the administrative privileges of the user, allowing an arbitrary file write via a symbolic link attack with file restoration functionality.
Exploitation
Prerequisite condition: An existing backup set already exists (can this be bypassed?).
- Create a folder on the desktop and drop a payload file into the new folder (this example uses C:\Users\Standard-User\Desktop\bad\payload.exe),
- Open the K7 GUI in a debugger,
- Place a breakpoint on DLL load of K7BKCExt.dll,
- Open the backup window on the GUI,
- Click "Manage Backup",
- On the K7BKCExt.dll breakpoint, place another breakpoint on the OpenBackUpMainWindow exported function of the loaded DLL,
- Continue the debugger until it stops at the OpenBackUpMainWindow breakpoint,
- Place a breakpoint at offset 0xA901 from the K7BKCExt.dll base address,
- Continue the debugger until it hits the breakpoint at function 0xA901,
- Return outside of the function to the test eax, eax instruction,
- Modify eax from 0 to 1 (bypass administrative check),
- Continue the debugger,
- On the backup window, select "Create new Backup Set",
- Add the file C:\Users\Standard-User\Desktop\bad\payload.exe for backup,
- Returning to the "Manage Backup" window, select "Run Backup Now" on the newly created backup set,
- Close the K7 GUI to release the C:\Users\Standard-User\Desktop\bad\payload.exe file handle,
- Delete C:\Users\Standard-User\Desktop\bad\payload.exe from the disk,
- Use the "CreateSymlink.exe" tool on the command line: CreateSymlink.exe C:\Users\Standard-User\Desktop\bad\payload.exe C:\Windows\System32\payload.exe,
- Open the debugger and re-add the K7BKCExt.dll breakpoints mentioned above (on the first instruction of OpenBackUpMainWindow and on function 0xA901),
- On the OpenBackUpMainWindow breakpoint, modify the fifth parameter from 0 to 1,
- Continue until the breakpoint in function 0xA901,
- Return outside of function 0xA901 to the test eax, eax instruction,
- Modify eax from 0 to 1, as done previously,
- Continue the debugger to open the "Restore files" window,
- Select the newly created backup set,
- Select the backed up file payload.exe,
- Select "Original Location",
- Restore the file,
- The file should now be written to the C:\Windows\System32 folder.
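The root cause described above is a restore path that trusts a client-side privilege flag and then writes wherever the recorded "original location" now points, even if that location has since become a symbolic link. The following is an added example of how a hardened restore routine can close both holes; it is not K7's code and assumes a generic backup engine that restores one file at a time. The names restore_file, RestoreRefused and demo are hypothetical, and the profile/system32 directories in demo are constructed under a temporary folder so the script runs offline on any platform.

```python
"""Hardened file-restore routine (added example, not vendor code).

Two controls address the bug class in CVE-2019-16896:
  1. The destination must lie under a root the service itself derives from
     the authenticated caller's privilege (a standard user's own profile),
     so no client-side flag can widen it.
  2. No path component below that root may be a symbolic link or reparse
     point, so a link planted between backup and restore cannot redirect
     the write into a protected directory such as System32.
"""
import os
import stat
import tempfile


class RestoreRefused(Exception):
    """Raised when a restore would follow a link or leave the allowed root."""


def _is_link(path: str) -> bool:
    """True if path is a symlink (POSIX) or any reparse point (Windows)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    # Windows junctions and symlinks both carry the reparse-point attribute.
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def restore_file(data: bytes, dest: str, allowed_root: str) -> str:
    """Write data to dest only if dest is under allowed_root with no link in the path.

    allowed_root is decided by the service from the caller's real token,
    never from a parameter the client can flip.
    """
    root = os.path.abspath(allowed_root)
    dest = os.path.abspath(dest)
    rel = os.path.relpath(dest, root)
    if rel == os.curdir or rel == os.pardir or rel.startswith(os.pardir + os.sep):
        raise RestoreRefused(f"{dest} is outside the allowed root {root}")

    # Check every component below the root, including the final file.
    current = root
    for part in rel.split(os.sep):
        current = os.path.join(current, part)
        if not os.path.lexists(current):
            if current != dest:
                raise RestoreRefused(f"missing parent directory {current}")
            break  # new file; nothing to inspect yet
        if _is_link(current):
            raise RestoreRefused(f"refusing to follow link at {current}")

    # O_NOFOLLOW (where available) narrows the race between check and write.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
    flags |= getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_BINARY", 0)
    fd = os.open(dest, flags, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Constructed scenario: a user profile tree and a protected directory."""
    base = tempfile.mkdtemp()
    profile = os.path.join(base, "profile")
    system = os.path.join(base, "system32")
    os.makedirs(os.path.join(profile, "bad"))
    os.makedirs(system)
    results = {}

    # 1. An honest restore of a regular file inside the profile succeeds.
    good = os.path.join(profile, "bad", "payload.txt")
    restore_file(b"hello", good, profile)
    with open(good, "rb") as fh:
        results["plain_write"] = fh.read() == b"hello"

    # 2. The recorded original location has been replaced by a link into system32.
    link = os.path.join(profile, "bad", "linked.txt")
    os.symlink(os.path.join(system, "linked.txt"), link)
    try:
        restore_file(b"evil", link, profile)
        results["link_refused"] = False
    except RestoreRefused:
        results["link_refused"] = True
    results["system_untouched"] = not os.path.exists(os.path.join(system, "linked.txt"))

    # 3. A destination outside the caller's root is refused outright.
    try:
        restore_file(b"evil", os.path.join(system, "direct.txt"), profile)
        results["escape_refused"] = False
    except RestoreRefused:
        results["escape_refused"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The component walk uses lstat rather than stat so that a link is detected instead of silently resolved, and the final open uses O_NOFOLLOW where the platform provides it; on Windows the equivalent is opening with FILE_FLAG_OPEN_REPARSE_POINT and rejecting handles whose attributes include the reparse-point bit. Creating the symlink in demo needs no special privilege on POSIX, but on Windows it requires SeCreateSymbolicLinkPrivilege or Developer Mode.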