Lucene search

K

Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cache Manager Poisoning Privilege Escalation

šŸ—“ļøĀ 16 Apr 2019Ā 00:00:00Reported byĀ Google Security ResearchTypeĀ 
exploitdb
Ā exploitdb
šŸ”—Ā www.exploit-db.comšŸ‘Ā 46Ā Views

LUAFV driver cache and memory manager poisoning Privilege Escalatio

Show more
Related
Code
ReporterTitlePublishedViews
Family
0day.today
Microsoft Windows 10 1809 LUAFV Delayed Virtualization Cache Manager Poisoning Privilege Escalation
16 Apr 201900:00
ā€“zdt
Microsoft CVE
Windows Elevation of Privilege Vulnerability
9 Apr 201907:00
ā€“mscve
Check Point Advisories
Microsoft Windows LUAFV Elevation of Privilege (CVE-2019-0805)
9 Apr 201900:00
ā€“checkpoint_advisories
Symantec
Microsoft Windows LUAFV Driver CVE-2019-0805 Local Privilege Escalation Vulnerability
9 Apr 201900:00
ā€“symantec
Prion
Privilege escalation
9 Apr 201921:29
ā€“prion
Prion
Privilege escalation
9 Apr 201921:29
ā€“prion
Prion
Privilege escalation
9 Apr 201921:29
ā€“prion
Prion
Privilege escalation
9 Apr 201921:29
ā€“prion
Prion
Privilege escalation
9 Apr 201921:29
ā€“prion
Prion
Privilege escalation
9 Apr 201921:29
ā€“prion
Rows per page
Windows: LUAFV Delayed Virtualization Cache Manager Poisoning EoP
Platform: Windows 10 1809 (not tested earlier)
Class: Elevation of Privilege
Security Boundary (per Windows Security Service Criteria): User boundary

Summary: 

The LUAFV driver can confuse the cache and memory manager to replace the contents of privileged file leading to EoP.

Description:

NOTE: This is different from issue 49895, that opens a backing file which could be overwritten as it wasnā€™t opened with the correct permissions. This issue instead replaces the cache data for an existing system file. Also note the additional section at the end which describes how this issue also causes a Bug Check. Iā€™m not convinced itā€™s exploitable so Iā€™m not reporting it separately.

The LUAFV driver supports many normal file operations to make virtualization as seamless as possible. This includes supporting memory mapping the file. When using delayed virtualization the driver allows mapping the original file read-only (as a data section or image section) without automatically creating the file in the virtual store. This trick is achieved by copying the real fileā€™s SECTION_OBJECT_POINTERS (SOP) pointer from the file object opened in LuafvDelayOrVirtualizeFile to the top-level ā€œvirtualā€ file object. 

When creating a new section for a file object the kernel calls MiCreateImageOrDataSection. After checking some parameters it calls MiCallCreateSectionFilters. This is important for virtualization as this results in calling LuafvPreAcquireForSectionSynchronization in the LUAFV driver. If that function detects that the caller is trying to map the section writable then LuafvPreWrite is called which will complete the delayed virtualization process, and will update the SOP pointer of the ā€œvirtualā€ file to the newly created backing file. If the file is not being mapped writable then the LUAFV driver leaves the SOP pointing to the ā€œrealā€ file.

MiCreateImageOrDataSection then checks whether the SOP::DataSectionObject CONTROL_AREA is populated. If not the kernel calls into MiCreateNewSection to setup a new one otherwise itā€™ll try and reuse the existing one which is present in the ā€œvirtualā€ file. If a new CONTROL_AREA is created it contains a reference to the ā€œvirtualā€ file, not the underlying system file. This control area gets written into the SOP structure of the ā€œvirtualā€ file, which when performing a read-only mapping results in writing to the SOP structure of the underlying ā€œrealā€ file. 

The SOP structure is the responsibility of the filesystem driver, so when opening an NTFS file itā€™s the NTFS driver which allocates and sets up this pointer. However the contents of the structure are the responsibility of the cache manager. In order to support sharing mappings, especially for image mappings, the NTFS driver ensures that the same file in a volume returns the same SOP structure even if the FILE_OBJECT pointer is different. This is where the bug lies, perhaps itā€™s easier to explain how to exploit this:

1) Open a file for read/write access which will be delay virtualized. For example a file in system32 which isnā€™t owned by TrustedInstaller.
2) Create a read-only section based on the virtualized file. As this is read-only the LuafvPreAcquireForSectionSynchronization function wonā€™t complete the delayed virtualization. Do not map the section.
3) As long as the file doesnā€™t already have a DataSectionObject entry (likely if the fileā€™s never opened/read from) then a new CONTROL_AREA is created, backed by the ā€œvirtualā€ file.
4) Now cause the delayed virtualization process to complete, by sending an FSCONTROL code. The ā€œvirtualā€ file is now backed by a file in the virtual store which can be modified by the user, and the ā€œvirtualā€ fileā€™s SOP is replaced accordingly. However the DataSectionObject in the ā€œrealā€ fileā€™s SOP still refers to the virtual file. Now when reading data from the ā€œrealā€ file handle (even one opened directly without virtualization) the cache manager reads page contents from virtual store file, not the real file.

Once youā€™ve replaced a system file you can get direct EoP by replacing with the contents with a  PE file which can be loaded using services such as the ā€œDiagnostics Hub Standard Collector Serviceā€ which Iā€™ve detailed before. This works because the exploit has replaced the cache for that file and as its shared between all FILE_OBJECT instances (at least until the cache cleans it up) then the image section is created backed on the cached data. The replaced file contents will be also be returned for direct reads, the file doesnā€™t have to be mapped to return the poisoned cache data.

One limitation to this vulnerability is you canā€™t extend the length of the file, but there are suitable files in system32 which can contain a suitably small PE file to perform the full exploit. Note that it also doesnā€™t really overwrite the file on disk, instead it poisons the cache with the wrong backing file. After a reboot the file will be back to normal, even if the cache is flushed back to disk (perhaps a privileged process opened the file) Iā€™d expect the new data to be flushed back to the store file not the ā€œrealā€ file.

Fixing wise, one way you could go would be to always virtualize the file when mapped as a section regardless of the requested access. However I canā€™t be certain thereā€™s not another route to this which could be exploited, for example just reading from the file might be sufficient to poison the cache if done at the right time.

These operations canā€™t be done from any sandbox that I know of so itā€™s only a user to system privilege escalation. 

ADDITIONAL NOTE:
As the FILE_OBJECT canā€™t be completely locked across all the file operations the kernel makes use of Auto Boost to lock certain structures such as the SECTION_OBJECT_POINTERS and CONTROL_AREAs. The LUAFV driver doesnā€™t know anything about this so itā€™s possible to get delayed virtualization to complete from another thread in the middle of section creation resulting in mismatched pointers and ultimately a bug check. The easiest way to achieve the bug check is to map a virtualized file as an image with the Microsoft Signed mitigation policy enabled. If the file isnā€™t correctly signed then it will cause the section creation to fail, but after the CONTROL_AREA has been setup. As itā€™s possible to oplock on the kernel opening catalog files the delayed virtualization process can be completed at the right moment resulting in a lock mismatch when tearing down the setup CONTROL_AREA.

I canā€™t really tell if this is exploitable or not (Iā€™m siding with no), but as itā€™s related I thought I should report it to ensure what ever fix for the current issue covers this edge case as well, or at least doesnā€™t make it work. Iā€™ve provided a kernel crash report ā€œadditional_crash.txtā€ with this report, and I can provide a PoC if required.

Proof of Concept:

Iā€™ve provided a PoC as a C# project. It will poison the cache for the file license.rtf in system32 with arbitrary contents. Note it uses a hardlink to virtualize the file, but it doesnā€™t have to as it could open the system32 file itself. Itā€™s just done as it was easier to test this way and doesnā€™t impact the exploit. Also note that if the license.rtf file has been opened and the cache manager has created an entry then the exploit fails. In theory this would be deleted eventually (perhaps only under memory pressure), but a quick reboot usually fixes it unless your system opened license.rtf everytime the system starts.

1) Compile the C# project. Itā€™ll need to pull NtApiDotNet from NuGet to build.
2) As a normal user run the PoC. 
3) Open the file %WINDIR%\System32\license.rtf in notepad to see the contents.

Expected Result:
The license.rtf file contains the original RTF contents.

Observed Result:
The virtualization poisoned the contents of license.rtf with a new text string.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46717.zip

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. ContactĀ us for a demo andĀ discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
16 Apr 2019 00:00Current
7.4High risk
Vulners AI Score7.4
46
.json
Report