Local Privilege Escalation

CVE-2019-16896

Affected Products

K7 Ultimate Security version 16.0.0117 (could affect up to and including 16.0.0120; unverified by vendor and I lost the snapshot for that version :( )

Vulnerability Type

Improper Access Control

Impact

Arbitrary File Write

Summary

The backup module improperly validates the administrative privileges of the user, allowing an arbitrary file write via a symbolic link attack against the file restoration functionality.

Exploitation

Prerequisite condition: a backup set must already exist (can this be bypassed?).

  1. Create a folder on the desktop and then drop a payload file into the new folder (this example will use C:\Users\Standard-User\Desktop\bad\payload.exe),
  2. Open the K7 GUI in a debugger,
  3. Place a breakpoint on DLL load of K7BKCExt.dll,
  4. Open the backup window on the GUI,
  5. Click "Manage Backup",
  6. On the breakpoint of K7BKCExt.dll, place another breakpoint on OpenBackUpMainWindow exported function of the loaded DLL,
  7. Continue the debugger until it stops at the OpenBackUpMainWindow breakpoint,
  8. Place a breakpoint on the offset 0xA901 from K7BKCExt.dll base address,
  9. Continue the debugger until it hits the breakpoint at function 0xA901,
  10. Return outside of the function to the test eax, eax instruction,
  11. Modify eax from 0 to 1 (bypass administrative check),
  12. Continue the debugger,
  13. On the backup window, select "Create new Backup Set",
  14. Add the file C:\Users\Standard-User\Desktop\bad\payload.exe for backup,
  15. Returning to the "Manage Backup" window, select "Run Backup Now" on the newly created backup set,
  16. Close the K7 GUI to release the C:\Users\Standard-User\Desktop\bad\payload.exe file handle,
  17. Delete C:\Users\Standard-User\Desktop\bad\payload.exe from the disk,
  18. Use the "CreateSymlink.exe" tool on the command line: CreateSymlink.exe C:\Users\Standard-User\Desktop\bad\payload.exe C:\Windows\System32\payload.exe,
  19. Open the debugger and re-add the K7BKCExt.dll breakpoints mentioned above (on the first instruction of OpenBackUpMainWindow and on function 0xA901),
  20. On the breakpoint of OpenBackUpMainWindow, modify the fifth parameter from 0 to 1,
  21. Continue until the breakpoint in function 0xA901,
  22. Return outside of the function 0xA901 to the test eax, eax instruction,
  23. Modify the eax from 0 to 1, as done previously,
  24. Continue the debugger to open the "Restore files" window,
  25. Select the newly created backup set,
  26. Select the backed up file payload.exe,
  27. Select "Original Location",
  28. Restore the file,
  29. The file should now be written to the C:\Windows\System32 folder.
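As an added illustration of the fix side (example code, not K7's own), a restore routine that refuses to write through a symbolic link or reparse point anywhere in the destination path and that belongs in the privileged restore component rather than the GUI, since the steps above show a GUI-side check being flipped in a debugger. The directory layout in demo() is a constructed temporary tree mirroring the advisory's paths, and the demo assumes a POSIX host where an unprivileged user can create symlinks.

```python
import os, stat, tempfile

class UnsafeRestorePath(Exception):
    """Destination reached through a symbolic link or reparse point."""

def check_restore_path(dest: str) -> str:
    # Refuse any existing component that is a link/reparse point; run this in the privileged side, not the GUI.
    dest = os.path.abspath(dest)
    drive, tail = os.path.splitdrive(dest)
    current = drive + os.sep if drive else os.sep
    for part in filter(None, tail.split(os.sep)):
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            break  # nothing below here exists yet, so nothing can redirect the write
        if stat.S_ISLNK(st.st_mode) or getattr(st, "st_file_attributes", 0) & stat.FILE_ATTRIBUTE_REPARSE_POINT:
            raise UnsafeRestorePath(current)
    return dest

def restore_file(contents: bytes, dest: str) -> str:
    # O_NOFOLLOW (where available) narrows the check-then-open window for the final component.
    path = check_restore_path(dest)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(path, flags, 0o644), "wb") as f:
        f.write(contents)
    return path

def demo() -> dict:
    # Constructed sample tree mirroring the advisory's paths, not the real C:\ drive.
    results = {}
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)  # avoid a symlinked temp dir tripping the check
        system32 = os.path.join(root, "Windows", "System32")
        bad = os.path.join(root, "Users", "Standard-User", "Desktop", "bad")
        os.makedirs(system32); os.makedirs(bad)
        link = os.path.join(bad, "payload.exe")  # step 18: the file to restore is now a link
        os.symlink(os.path.join(system32, "payload.exe"), link)
        try:
            restore_file(b"restored", link)
            results["symlink_blocked"] = False
        except UnsafeRestorePath:
            results["symlink_blocked"] = True
        results["system32_untouched"] = not os.path.exists(os.path.join(system32, "payload.exe"))
        plain = os.path.join(bad, "notes.txt")  # an ordinary file restores normally
        restore_file(b"restored", plain)
        with open(plain, "rb") as f:
            results["plain_restored"] = f.read() == b"restored"
    return results
```

On Windows the same walk would also need to reject junctions and mount points, which is what the st_file_attributes reparse check covers when Python reports them.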