LUAFV driver cache and memory manager poisoning Privilege Escalatio
Reporter | Title | Published | Views | Family All 66 |
---|---|---|---|---|
0day.today | Microsoft Windows 10 1809 LUAFV Delayed Virtualization Cache Manager Poisoning Privilege Escalation | 16 Apr 201900:00 | ā | zdt |
Microsoft CVE | Windows Elevation of Privilege Vulnerability | 9 Apr 201907:00 | ā | mscve |
Check Point Advisories | Microsoft Windows LUAFV Elevation of Privilege (CVE-2019-0805) | 9 Apr 201900:00 | ā | checkpoint_advisories |
Symantec | Microsoft Windows LUAFV Driver CVE-2019-0805 Local Privilege Escalation Vulnerability | 9 Apr 201900:00 | ā | symantec |
Prion | Privilege escalation | 9 Apr 201921:29 | ā | prion |
Prion | Privilege escalation | 9 Apr 201921:29 | ā | prion |
Prion | Privilege escalation | 9 Apr 201921:29 | ā | prion |
Prion | Privilege escalation | 9 Apr 201921:29 | ā | prion |
Prion | Privilege escalation | 9 Apr 201921:29 | ā | prion |
Prion | Privilege escalation | 9 Apr 201921:29 | ā | prion |
Windows: LUAFV Delayed Virtualization Cache Manager Poisoning EoP
Platform: Windows 10 1809 (not tested earlier)
Class: Elevation of Privilege
Security Boundary (per Windows Security Service Criteria): User boundary
Summary:
The LUAFV driver can confuse the cache and memory manager to replace the contents of privileged file leading to EoP.
Description:
NOTE: This is different from issue 49895, that opens a backing file which could be overwritten as it wasnāt opened with the correct permissions. This issue instead replaces the cache data for an existing system file. Also note the additional section at the end which describes how this issue also causes a Bug Check. Iām not convinced itās exploitable so Iām not reporting it separately.
The LUAFV driver supports many normal file operations to make virtualization as seamless as possible. This includes supporting memory mapping the file. When using delayed virtualization the driver allows mapping the original file read-only (as a data section or image section) without automatically creating the file in the virtual store. This trick is achieved by copying the real fileās SECTION_OBJECT_POINTERS (SOP) pointer from the file object opened in LuafvDelayOrVirtualizeFile to the top-level āvirtualā file object.
When creating a new section for a file object the kernel calls MiCreateImageOrDataSection. After checking some parameters it calls MiCallCreateSectionFilters. This is important for virtualization as this results in calling LuafvPreAcquireForSectionSynchronization in the LUAFV driver. If that function detects that the caller is trying to map the section writable then LuafvPreWrite is called which will complete the delayed virtualization process, and will update the SOP pointer of the āvirtualā file to the newly created backing file. If the file is not being mapped writable then the LUAFV driver leaves the SOP pointing to the ārealā file.
MiCreateImageOrDataSection then checks whether the SOP::DataSectionObject CONTROL_AREA is populated. If not the kernel calls into MiCreateNewSection to setup a new one otherwise itāll try and reuse the existing one which is present in the āvirtualā file. If a new CONTROL_AREA is created it contains a reference to the āvirtualā file, not the underlying system file. This control area gets written into the SOP structure of the āvirtualā file, which when performing a read-only mapping results in writing to the SOP structure of the underlying ārealā file.
The SOP structure is the responsibility of the filesystem driver, so when opening an NTFS file itās the NTFS driver which allocates and sets up this pointer. However the contents of the structure are the responsibility of the cache manager. In order to support sharing mappings, especially for image mappings, the NTFS driver ensures that the same file in a volume returns the same SOP structure even if the FILE_OBJECT pointer is different. This is where the bug lies, perhaps itās easier to explain how to exploit this:
1) Open a file for read/write access which will be delay virtualized. For example a file in system32 which isnāt owned by TrustedInstaller.
2) Create a read-only section based on the virtualized file. As this is read-only the LuafvPreAcquireForSectionSynchronization function wonāt complete the delayed virtualization. Do not map the section.
3) As long as the file doesnāt already have a DataSectionObject entry (likely if the fileās never opened/read from) then a new CONTROL_AREA is created, backed by the āvirtualā file.
4) Now cause the delayed virtualization process to complete, by sending an FSCONTROL code. The āvirtualā file is now backed by a file in the virtual store which can be modified by the user, and the āvirtualā fileās SOP is replaced accordingly. However the DataSectionObject in the ārealā fileās SOP still refers to the virtual file. Now when reading data from the ārealā file handle (even one opened directly without virtualization) the cache manager reads page contents from virtual store file, not the real file.
Once youāve replaced a system file you can get direct EoP by replacing with the contents with a PE file which can be loaded using services such as the āDiagnostics Hub Standard Collector Serviceā which Iāve detailed before. This works because the exploit has replaced the cache for that file and as its shared between all FILE_OBJECT instances (at least until the cache cleans it up) then the image section is created backed on the cached data. The replaced file contents will be also be returned for direct reads, the file doesnāt have to be mapped to return the poisoned cache data.
One limitation to this vulnerability is you canāt extend the length of the file, but there are suitable files in system32 which can contain a suitably small PE file to perform the full exploit. Note that it also doesnāt really overwrite the file on disk, instead it poisons the cache with the wrong backing file. After a reboot the file will be back to normal, even if the cache is flushed back to disk (perhaps a privileged process opened the file) Iād expect the new data to be flushed back to the store file not the ārealā file.
Fixing wise, one way you could go would be to always virtualize the file when mapped as a section regardless of the requested access. However I canāt be certain thereās not another route to this which could be exploited, for example just reading from the file might be sufficient to poison the cache if done at the right time.
These operations canāt be done from any sandbox that I know of so itās only a user to system privilege escalation.
ADDITIONAL NOTE:
As the FILE_OBJECT canāt be completely locked across all the file operations the kernel makes use of Auto Boost to lock certain structures such as the SECTION_OBJECT_POINTERS and CONTROL_AREAs. The LUAFV driver doesnāt know anything about this so itās possible to get delayed virtualization to complete from another thread in the middle of section creation resulting in mismatched pointers and ultimately a bug check. The easiest way to achieve the bug check is to map a virtualized file as an image with the Microsoft Signed mitigation policy enabled. If the file isnāt correctly signed then it will cause the section creation to fail, but after the CONTROL_AREA has been setup. As itās possible to oplock on the kernel opening catalog files the delayed virtualization process can be completed at the right moment resulting in a lock mismatch when tearing down the setup CONTROL_AREA.
I canāt really tell if this is exploitable or not (Iām siding with no), but as itās related I thought I should report it to ensure what ever fix for the current issue covers this edge case as well, or at least doesnāt make it work. Iāve provided a kernel crash report āadditional_crash.txtā with this report, and I can provide a PoC if required.
Proof of Concept:
Iāve provided a PoC as a C# project. It will poison the cache for the file license.rtf in system32 with arbitrary contents. Note it uses a hardlink to virtualize the file, but it doesnāt have to as it could open the system32 file itself. Itās just done as it was easier to test this way and doesnāt impact the exploit. Also note that if the license.rtf file has been opened and the cache manager has created an entry then the exploit fails. In theory this would be deleted eventually (perhaps only under memory pressure), but a quick reboot usually fixes it unless your system opened license.rtf everytime the system starts.
1) Compile the C# project. Itāll need to pull NtApiDotNet from NuGet to build.
2) As a normal user run the PoC.
3) Open the file %WINDIR%\System32\license.rtf in notepad to see the contents.
Expected Result:
The license.rtf file contains the original RTF contents.
Observed Result:
The virtualization poisoned the contents of license.rtf with a new text string.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46717.zip
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. ContactĀ us for a demo andĀ discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo