Privilege Escalation Bug in Osquery 4.2.0 (windows) via Dll Search Order Hijacking  #6426

Closed
Description

@sailay1996

Hello osquery team,

As per the Facebook security team, they (Teddy) recommended creating the issue here.

Title
Privilege Escalation Bug in Osquery 4.2.0 (windows) via Dll Hijacking

Vuln Type

Code Execution
Product Area

Open Source (e.g. HHVM)
Description/Impact

Complete Details
Vulnerability Type: Privilege Escalation via DLL Preloading

DLL: zlib1.dll

Affected process: osqueryd.exe

Attack Vector: local

Description:

When the osquery service starts, the osqueryd.exe process tries to load zlib1.dll from user-writable directories; then drop or create a malicious DLL in a writable folder (C:\python27).
Reboot (because the osquery service auto-starts after rebooting) or restart the service. The malicious DLL "zlib1.dll" will then be loaded by osqueryd.exe.

Impact
Privilege escalation: a user can execute as NT AUTHORITY\SYSTEM.
This occurs when an application fails to resolve a DLL because the DLL does not exist in the specified path or search directories. If this happens, a malicious DLL with the same name can be placed in the specified path directory, leading to remote code execution as the system user.

Repro Steps

Setup

OS: Tested on Windows x64 1909

Description: When the osquery service starts, the osqueryd.exe process tries to load zlib1.dll from user-writable directories; then drop or create a malicious DLL in a writable folder (C:\python27). Reboot (because the osquery service auto-starts after rebooting) or restart the service. The malicious DLL "zlib1.dll" will then be loaded by osqueryd.exe.

Steps

  1. Filter the osqueryd.exe process events with procmon (image: osquery1.jpg)

  2. Create a custom payload DLL (image: osquery2.jpg)

  3. Create a batch file to execute, which is included in the payload DLL (image: osquery3.jpg)

  4. Then create or drop the payload DLL into the writable folder C:\python27 (image: osquery4.jpg)

  5. Check that the file doesn't exist by default (image: osquery5.jpg)

  6. Then reboot the PC (this means the user doesn't have permission to start the service; reboot since the osqueryd service is auto-start), or restart the service (for testing with admin). After the reboot or service restart, the malicious DLL "zlib1.dll" has been loaded and the payload will execute. (image: osquery6.jpg)

  7. The payload DLL executed the command "cmd.exe /c C:\temp\exec.bat", and the batch file executed "whoami" and printed the output to C:\osquery_EOP.txt (image: osquery7.jpg)
    ![osquery7](https://user-images.githubusercontent.com/16739401/80823583-ebac9200-8c02-11ea-9dc5-c98b77d6bb90.jpg)

I hope you understand my detailed steps. Thanks.

With Best,
Sai Wynn Myat.
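The triage the report performs by hand in step 1 (filtering Process Monitor for osqueryd.exe and looking for DLL probes that miss) can be automated over a Procmon CSV export. The script below is an added example for defenders auditing a service binary; it is not code from the reporter or from the osquery project. It assumes the standard Procmon CSV column names ("Process Name", "Operation", "Path", "Result"), uses a constructed sample log rather than the report's screenshots, and classifies directories as "protected" by a prefix heuristic (C:\Windows, C:\Program Files, C:\Program Files (x86)) that an actual audit should replace with an ACL check.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a Process Monitor CSV export. The rows
# are made up for this example (not taken from the report's screenshots); they
# model a service probing for zlib1.dll along its search order and never
# finding it, ending in a directory outside the OS-protected locations.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1234","osqueryd.exe","1234","CreateFile","C:\Program Files\osquery\zlib1.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:01:02.1240","osqueryd.exe","1234","CreateFile","C:\Windows\System32\zlib1.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:01:02.1250","osqueryd.exe","1234","CreateFile","C:\python27\zlib1.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:01:02.1260","osqueryd.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"9:01:02.1270","explorer.exe","800","CreateFile","C:\python27\other.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''

# Heuristic list of directory prefixes that default Windows ACLs keep
# non-writable for unprivileged users. This is an assumption for the example;
# a real audit verifies the ACL of each directory (icacls / Get-Acl).
PROTECTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def is_protected_dir(path: str) -> bool:
    """True if the path lies under a directory the OS protects by default."""
    return path.lower().startswith(PROTECTED_PREFIXES)


def unresolved_dll_probes(csv_text: str, process_name: str):
    """Return (dll_name, probed_path) for each CreateFile on a .dll that the
    named process attempted and that came back NAME NOT FOUND, in log order.
    A NAME NOT FOUND probe is a location the loader checked and found empty."""
    reader = csv.DictReader(io.StringIO(csv_text))
    probes = []
    for row in reader:
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        dll_name = path.rsplit("\\", 1)[-1].lower()
        probes.append((dll_name, path))
    return probes


def hijackable_probes(csv_text: str, process_name: str):
    """Of the unresolved probes, keep those outside protected directories:
    a DLL the process never found, searched for where a standard user may
    be able to write. Each hit is a search-order location to lock down or
    to remove from the service's search path."""
    return [
        (dll_name, path)
        for dll_name, path in unresolved_dll_probes(csv_text, process_name)
        if not is_protected_dir(path)
    ]


def summarize(csv_text: str, process_name: str) -> dict:
    """Group every unresolved probe by DLL name so a reviewer sees the full
    search order walked for each missing library."""
    by_dll = defaultdict(list)
    for dll_name, path in unresolved_dll_probes(csv_text, process_name):
        by_dll[dll_name].append(path)
    return dict(by_dll)


if __name__ == "__main__":
    target = "osqueryd.exe"
    for dll_name, paths in summarize(SAMPLE_PROCMON_CSV, target).items():
        print(f"{target} never resolved {dll_name}; probed:")
        for p in paths:
            flag = "" if is_protected_dir(p) else "   <-- outside protected dirs"
            print(f"    {p}{flag}")
    print("Locations to review:", hijackable_probes(SAMPLE_PROCMON_CSV, target))
```

Run it against a real export with `Path` and `Result` columns intact (File > Save in Procmon, CSV format) and substitute the service's image name. Any DLL listed only with NAME NOT FOUND results is one the process depends on but does not ship; the mitigation is to install the DLL beside the executable (or remove the dependency) and to make sure no user-writable directory appears in the service's search path.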
