
CVE-2020-1362

Published: 14/07/2020 Updated: 20/07/2020
CVSS v2 Base Score: 4.6 | Impact Score: 6.4 | Exploitability Score: 3.9
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Microsoft Windows could allow a local authenticated malicious user to gain elevated privileges on the system, caused by improper handling of objects in memory by the WalletService. By executing a specially-crafted program, an authenticated attacker could exploit this vulnerability to execute arbitrary code with higher privileges.

Affected Products

Vendor      Product              Versions
Microsoft   Windows 10           -, 1607, 1709, 1803, 1809, 1903, 1909, 2004
Microsoft   Windows Server 2016  -, 1903, 1909, 2004
Microsoft   Windows Server 2019  -

Github Repositories

Repository by Q4n (latest commit 1b7e89a, "init"); files: DLLs, POC, misc, readme.md

Exploiting an Elevation of Privilege bug in Windows 10 (CVE-2020-1362)

Exploiting a memory corruption bug: analysis of CVE-2020-1362

Elevation of Privilege bugs in WalletService were fixed in the last Patch Tuesday; one of them was assigned CVE-2020-1362. The bug leverages an out-of-bounds bug in the service. Here we share our techniques to exploit it.

Root Cause Analysis

We conducted binary analysis of the following function in walletservice.dll:

Wallet::WalletCustomProperty::SetGroup

The SetGroup function writes user-controlled data to memory at a user-controlled offset.

    signed __int64 __fastcall Wallet::WalletCustomProperty::SetGroup(__int64 this, int a2, int a3, int a4)
    {
      signed __int64 result; // rax

      result = 0i64;
      if ( a2 == 1 )
      {
        if ( a3 & 0xFFFFFFDF )
          return 0x80070057i64;
      }
      else if ( a3 == 0x20 )
      {
        return 0x80070057i64;
      }
      if ( a4 == -1 )
      {
        *(_DWORD *)(this + 8i64 * a2 + 0x74) = 0;
        *(_DWORD *)(this + 8i64 * a2 + 0x78) = 0x7FFFFFFF;
      }
      else
      {
        *(_DWORD *)(this + 8i64 * a2 + 0x74) = a3;
        *(_DWORD *)(this + 8i64 * a2 + 0x78) = a4;
      }
      return result;
    }

We can notice that the function does not check the range of the offset that the user controls. This is where the vulnerability occurs.
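As an added illustration that is not code from either repository described on this page: the C model below reproduces the store logic of the decompiled SetGroup and places the missing index range check beside it, so the vulnerable shape and a hardened shape can be compared on the same object. The 0x74/0x78 offsets and the 8-byte stride come from the decompiled code; the struct name, the slot count of 8, the trailing canary field and all helper names are assumptions made for this example, and nothing here claims to be how Microsoft patched the function.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the object touched by the decompiled SetGroup. The
 * offsets 0x74/0x78 and the 8-byte stride come from the decompiled code on
 * this page; the slot count, struct name and trailing canary are assumptions
 * made for this example and are not facts about walletservice.dll. */
#define HR_OK          0x00000000LL
#define HR_INVALIDARG  0x80070057LL   /* the HRESULT the decompiled code returns */
#define GROUP_SLOTS    8              /* assumed table size */

typedef struct {
    uint8_t  header[0x74];                                   /* fields before the table */
    struct { uint32_t lo; uint32_t hi; } group[GROUP_SLOTS]; /* lo at 0x74+8i, hi at 0x78+8i */
    uint32_t canary;                                         /* first field after the table */
} wallet_custom_property_t;

/* Value validation exactly as the decompiled function performs it. */
static int group_value_ok(int index, int lo)
{
    if (index == 1)
        return (lo & 0xFFFFFFDF) == 0;  /* slot 1 accepts only the 0x20 bit */
    return lo != 0x20;                  /* other slots reject 0x20 */
}

/* Store logic shared by both variants; mirrors the decompiled body. */
static void group_store(wallet_custom_property_t *obj, int index, int lo, int hi)
{
    if (hi == -1) {
        obj->group[index].lo = 0;
        obj->group[index].hi = 0x7FFFFFFF;
    } else {
        obj->group[index].lo = (uint32_t)lo;
        obj->group[index].hi = (uint32_t)hi;
    }
}

/* Shape of the vulnerable code: values are validated, the index is not, so
 * 'index' selects an 8-byte slot at any distance from the object. */
int64_t set_group_unchecked(wallet_custom_property_t *obj, int index, int lo, int hi)
{
    if (!group_value_ok(index, lo))
        return HR_INVALIDARG;
    group_store(obj, index, lo, hi);
    return HR_OK;
}

/* Hardened shape: the index is range-checked before any memory access.
 * Both bounds matter because the index is a signed int. */
int64_t set_group_checked(wallet_custom_property_t *obj, int index, int lo, int hi)
{
    if (index < 0 || index >= GROUP_SLOTS)
        return HR_INVALIDARG;
    if (!group_value_ok(index, lo))
        return HR_INVALIDARG;
    group_store(obj, index, lo, hi);
    return HR_OK;
}

/* Confirms the model reproduces the addresses used by the decompiled code. */
int layout_matches_decompile(void)
{
    return offsetof(wallet_custom_property_t, group) == 0x74 &&
           sizeof(((wallet_custom_property_t *)0)->group[0]) == 8;
}

/* Runs the checked variant on a fresh zeroed object and returns its HRESULT. */
int64_t checked_result(int index, int lo, int hi)
{
    wallet_custom_property_t obj;
    memset(&obj, 0, sizeof obj);
    return set_group_checked(&obj, index, lo, hi);
}

/* Returns 1 if a checked in-range store lands in the expected slot with the
 * expected (lo, hi) pair, 0 otherwise. */
int checked_slot_is(int index, int lo, int hi, uint32_t want_lo, uint32_t want_hi)
{
    wallet_custom_property_t obj;
    memset(&obj, 0, sizeof obj);
    if (set_group_checked(&obj, index, lo, hi) != HR_OK)
        return 0;
    return obj.group[index].lo == want_lo && obj.group[index].hi == want_hi;
}

/* Returns 1 if an index one past the table is rejected and the canary that
 * sits right behind the table is left untouched. */
int oob_index_rejected(void)
{
    wallet_custom_property_t obj;
    memset(&obj, 0, sizeof obj);
    obj.canary = 0xCAFEBABE;
    int64_t hr = set_group_checked(&obj, GROUP_SLOTS, 0, -1);
    return hr == HR_INVALIDARG && obj.canary == 0xCAFEBABE;
}
```

The check has to come before the first dereference and has to test both bounds: the index is a signed int, so a negative value addresses memory before the table just as an oversized one addresses memory after it. For every in-range index the two variants behave identically, which is exactly what makes a missing check of this kind easy to overlook in review and worth a dedicated test case.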
From out-of-bounds memory write to WWW (write-what-where)

We can now write memory out of bounds. By observing we can find that there are functions to set and get a BSTR in the same class:

Wallet::WalletCustomProperty::SetLabel
Wallet::WalletCustomProperty::GetLabel

So we can easily modify the pointer to the BSTR through oobw to obtain the ability to read and write any address.

From WWW to arbitrary code execution

Once we have WWW (write-what-where), we can write the vtable of Wallet::WalletCustomProperty objects on the heap to control RIP. At the beginning, we tried to modify it directly with oobw, but we found that oobw was not aligned to 8 bytes. So we have to write twice to achieve the vtable hijack using a race condition. But this may make the exploit unstable. There are some other methods to get around this. But in our POC we just use another info leak vulnerability (CVE-2020-1361) to leak the heap address and used WWW to write the vtable directly. BTW, although CVE-2020-1361 is marked as an info leak vulnerability, it actually can be used to achieve EOP. We will make a writeup for it in future.

We found the ATL::CComObject<CDXGIAdapter>::`vector deleting destructor' function in dxgi.dll to help us go from executing arbitrary functions to arbitrary code execution. This function calls the LoadLibraryEx function and takes a global pointer as the first parameter of LoadLibraryEx. Then we can achieve arbitrary code execution by loading a custom DLL.

An example POC is provided in the POC directory.

Vulnerability Impacts

Through the vulnerability, we can achieve privilege elevation from medium to NT AUTHORITY\system. Tested on Windows 10.0.18363.815, x64.

Credits

Haoran Qin, Zhiniang Peng of Qihoo 360 Core Security

Time Line

Apr 10 2020: Vulnerabilities reported
Apr 21 2020: MSRC investigated and confirmed the bug
Jul 14 2020: Patch released
Jul 17 2020: Writeup published

Repository by Q4n (latest commit 5b58567, "init"); files: exp, readme.md

CVE-2020-1361 && CVE-2020-1362 writeup

This is the first Windows-related exploit I have written; the purpose of this writeup is to record the process of writing it. Both the process and the code are fairly rough :) The exploit for this bug was quite easy to write, but I didn't expect to collide with someone else on it _(:з」∠)_ Both vulnerabilities were fixed in the July 15 update.

Overview

EoP (medium to system) in the WalletService (WalletService.dll) service. The version tested locally at the time was Windows 10 1909, 18363.720; affected versions are those earlier than 10.0.18363.959. Insider Preview was not tested.

Root Cause

The root cause is very simple:

Wallet::WalletCustomProperty::SetGroup
Wallet::WalletCustomProperty::GetGroup

The two functions above perform no bounds check, so from a low-privilege process we can read and write out of bounds in the memory space of the high-privilege process (svchost.exe) through COM calls.

Exploitation Approach

Since this is an EoP exploit, the address space of the dynamic link libraries is already known to us: ASLR on Windows differs from Linux in that library base addresses do not change after a boot and are the same across all processes, so we can use this property to obtain a library's base address via LoadLibrary.

With the vulnerability above we already have out-of-bounds heap read/write; the next step is to find a way to turn that into arbitrary read/write, which makes the exploit more convenient to write. By observation we find that the same class contains functions such as

Wallet::WalletCustomProperty::SetLabel
Wallet::WalletCustomProperty::GetLabel

which read and write a BSTR; we can use the out-of-bounds write to point the buffer pointer at an arbitrary location and thereby read and write arbitrary addresses, which we can do with essentially no heap layout work. There is one small problem here: because this goes through BSTR reads and writes, truncation occurs. It has little effect on the rest of the exploit, though, so it can be ignored.

The next idea was to write the vtable to control the PC. My first thought was to write in a function like WinExec or system directly to run a command, but I later found this doesn't work: in a class method call the first argument is the this pointer, and since the this pointer points at the vtable we cannot control its contents. I then wondered whether, like a race condition, one thread could write the vtable so that the contents of the first argument are modified just as execution reaches system or WinExec, in which case running a command would be very convenient; but after trying it, not a single attempt succeeded... So another method was needed for the rest of the exploit.

I then studied some winpwn to broaden my horizons, and learned the technique of locating the stack to write a ROP chain, but later found it doesn't really work in this environment.
Because in a COM call under the MTA/NTA model the server side starts a new thread to handle it, and the thread is basically different for each call, locating the stack to write a ROP chain might be feasible, but the odds are low, and even if feasible it would be very troublesome.

Then I thought of an approach: if we can't execute a command directly, what about doing it indirectly? We can load a DLL through a function like LoadLibrary and thus execute arbitrary code in the high-privilege process. At the same time, WalletService is protected by CFG, so we must find a suitable function to bypass CFG and achieve loading of a custom dynamic link library, and hence EoP.

PS: I feel my earlier thinking was somewhat confined to the pwn level and ignored the actual exploitation scenario; once I realised the scenario here is EoP rather than pwn, and files can be used, a new idea followed. With the idea in place, the next step was to try it.

Searching the DLLs in the WalletService process space and cross-referencing the LoadLibrary family of functions, I finally found the following function in a Direct3D DLL that calls LoadLibrary:

dxgi!ATL::CComObject<CDXGIAdapter>::`vector deleting destructor'

The call stack is roughly as follows:

LoadLibraryExW
CModule::SDKLoadLibraryW
CheckDxgiDebugDll
CDXGIAdapter::FinalRelease
ATL::CComObject<CDXGIAdapter>::~CComObject<CDXGIAdapter>
ATL::CComObject<CDXGIAdapter>::`vector deleting destructor'

The rest is simple: using the arbitrary address write, find a DLL's data section and write a fake vtable there, then set the corresponding flag, call the function, load an arbitrary DLL, and override DllMain to execute arbitrary code.

In my PoC I initially tested with nc, then made some modifications (which also made the code messier) to communicate over a named pipe and obtain an interactive shell.

PS: I later looked at some CS:GO cheats and learned about the DLL injection toolkit, and realised it should be possible to pop a shell directly from the service process, but since I've updated my system I haven't tried it. The code would also be much more concise that way: poc.exe -> svchost.exe -> mydll.dll -> cmd.exe. Right now the interaction is something like poc.exe -> svchost.exe -> mydll.dll -> mydll.dll.exe -> cmd.exe -> poc.exe. This does have one advantage, though: if all you have is something like a webshell, getting an interactive shell in a high-privilege process is very easy. Then again, once you can execute arbitrary code as SYSTEM, who cares whether you have an interactive shell :D

Summary

This was my first time working on anything Windows-related, and going all the way from bug hunting to a finished exploit felt pretty great. Although the whole exploit looks fairly simple, since it was my first time I kept running into many pitfalls. Compared with Linux, Windows' defensive mechanisms can be called quite mature. Take CFG: in this exploit CFG tripped me up for a long time, and working out how to bypass it also cost some time, making me walk through many DLLs in the memory space looking for call chains to the LoadLibrary functions and checking whether they pass the CFG check and can load an arbitrary library. The COM call mechanism also took considerable time to research (although some parts I still don't fully understand), and finally the whole exploit was written. btw, colliding with a big shot on this bug is still a bit of a pity 2333. Many thanks also to the Kap0k seniors for their help :)

Related Links

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1361
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1362