Description
Hello osquery team,
As per the Facebook security team (Teddy), they recommended creating an issue here.
Title
Privilege Escalation Bug in Osquery 4.2.0 (windows) via Dll Hijacking
Vuln Type
Code Execution
Product Area
Open Source (e.g. HHVM)
Description/Impact
Complete Details
Vulnerability Type: Privilege Escalation via DLL Preloading
DLL: zlib1.dll
Affected process: osqueryd.exe
Attack Vector: local
Description:
When the osquery service starts, the osqueryd.exe process tries to load zlib1.dll from user-writable directories, so a local user can drop or create a malicious DLL in a writable folder (C:\python27).
Reboot (the osquery service auto-starts after a reboot) or restart the service, and the malicious "zlib1.dll" will be loaded by osqueryd.exe.
Impact
Privilege escalation: a user can execute code as NT AUTHORITY\SYSTEM.
This occurs when an application fails to resolve a DLL because the DLL does not exist in the specified path or search directories. If this happens, a malicious DLL with the same name can be placed in a directory on the search path, leading to code execution as the SYSTEM user.
Repro Steps
Setup
OS: Tested on Windows x64 1909
Description: When the osquery service starts, the osqueryd.exe process tries to load zlib1.dll from user-writable directories, so a local user can drop or create a malicious DLL in a writable folder (C:\python27). Reboot (the osquery service auto-starts after a reboot) or restart the service, and the malicious "zlib1.dll" will be loaded by osqueryd.exe.
Steps
- Filter the osqueryd.exe process activity with procmon (image: osquery1.jpg).
- Create a batch file to execute, which is referenced by the payload DLL (image: osquery3.jpg).
- Then create or drop the payload DLL into the writable folder C:\python27 (image: osquery4.jpg).
- Check that the file does not exist by default (image: osquery5.jpg).
- Then reboot the PC (this means the user does not need permission to start the service; a reboot works because the osqueryd service is set to auto-start) or restart the service (for testing as admin). After the reboot or service restart, the malicious "zlib1.dll" has been loaded and the payload executes (image: osquery6.jpg).
- The payload DLL runs the command "cmd.exe /c C:\temp\exec.bat"; the batch file executes "whoami" and writes the output to C:\osquery_EOP.txt (image: osquery7.jpg).

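As an added defensive check (not part of this report or of the osquery project), the following script models the default Windows DLL search order (SafeDllSearchMode enabled) and flags every directory that the loader would consult for a given DLL before finding a real copy and that unprivileged users can write to. That is exactly the condition reported above for zlib1.dll and C:\python27; the application, Windows and PATH directories in the demo are constructed sample values, not the state of any real host.

```python
from pathlib import PureWindowsPath
from typing import Iterable

def search_order(app_dir: str, system_root: str, cwd: str, path_env: str) -> list[str]:
    """Default Windows DLL search order with SafeDllSearchMode enabled:
    application directory, System32, System, Windows, current directory,
    then every PATH entry in order."""
    order = [app_dir, f"{system_root}\\System32", f"{system_root}\\System",
             system_root, cwd]
    order += [p for p in path_env.split(";") if p.strip()]
    return order

def _norm(p: str) -> str:
    # Case-insensitive, separator-normalised directory key.
    return str(PureWindowsPath(p)).lower().rstrip("\\")

def hijack_candidates(dll: str, order: Iterable[str],
                      existing_files: Iterable[str],
                      user_writable_dirs: Iterable[str]) -> list[str]:
    """Directories, in search order, that the loader consults for `dll`
    before it finds a real copy AND that unprivileged users can write to.
    If `dll` exists nowhere (the report's zlib1.dll case), every writable
    directory in the whole order is returned."""
    real_dirs = {_norm(str(PureWindowsPath(f).parent))
                 for f in existing_files
                 if PureWindowsPath(f).name.lower() == dll.lower()}
    writable = {_norm(d) for d in user_writable_dirs}
    found, seen = [], set()
    for d in order:
        key = _norm(d)
        if key in real_dirs:
            break  # loader stops at the first hit; later dirs are moot
        if key in writable and key not in seen:
            found.append(d)
            seen.add(key)
    return found

if __name__ == "__main__":
    # Constructed sample host, modelled on the report: zlib1.dll absent,
    # C:\python27 on PATH and writable by ordinary users.
    order = search_order(r"C:\Program Files\osquery", r"C:\Windows",
                         r"C:\Windows\System32",
                         r"C:\Windows\System32;C:\python27;C:\Program Files\Git\cmd")
    for d in hijack_candidates("zlib1.dll", order, [], [r"C:\python27"]):
        print(f"zlib1.dll can be pre-loaded from user-writable {d}")
```

On a real host, feed `existing_files` from a directory scan for the DLL name and `user_writable_dirs` from an ACL audit of each directory in the order; shipping the DLL beside osqueryd.exe or restricting write ACLs on PATH entries both empty the result.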