Xlab · 2015/08/31 11:50

Author: [email protected]

English version: https://xuanwulab.github.io/2015/08/27/Poking-a-Hole-in-the-Patch/

0x00 The Problem


In November 2014 James Forshaw reported a local privilege escalation vulnerability in the Windows Audio Service to Microsoft.

The Windows Audio Service manages the audio sessions of every process in the system and stores the session parameters under HKCU\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig.

So that low-privileged processes can modify their own audio session parameters, the service recursively sets the ACL of every subkey to be Low IL controllable whenever it writes these parameters.

A symbolic link placed under this key and pointing at a higher-privileged registry key therefore makes that target key Low IL controllable as well.

0x01 The Patch


Microsoft issued security bulletin MS14-071 and released patch KB3005607 to fix this vulnerability. The patch adds two functions, SafeRegCreateKeyEx and DetectRegistryLink.

The logic of DetectRegistryLink is as follows:

```cpp
#include <windows.h>

// Name of the value that holds a registry symbolic link's target.
static const wchar_t kSymbolicLinkValueName[] = L"SymbolicLinkValue";

// Return codes: 1 = symbolic link, 2 = ordinary existing key,
// 3 = key not found, 4 = access denied, 5 = other open error.
int DetectRegistryLink(const HKEY key_handle, const wchar_t sub_key_path[], HKEY* out_handle) {
  int detect_result = 0;
  HKEY sub_key_handle;
  // REG_OPTION_OPEN_LINK opens the key itself instead of following a link.
  LSTATUS status = RegOpenKeyExW(key_handle, sub_key_path, REG_OPTION_OPEN_LINK, KEY_ALL_ACCESS, &sub_key_handle);
  if (status != ERROR_SUCCESS) {
    if (status == ERROR_FILE_NOT_FOUND) {
      detect_result = 3;
    } else if (status == ERROR_ACCESS_DENIED) {
      detect_result = 4;
    } else {
      detect_result = 5;
    }
  } else {
    DWORD key_type;
    BYTE data[MAX_PATH * 2];
    DWORD data_size = sizeof(data);
    // A link key carries a REG_LINK value named SymbolicLinkValue.
    status = RegQueryValueExW(sub_key_handle, kSymbolicLinkValueName, nullptr, &key_type, data, &data_size);
    if (((status == ERROR_SUCCESS) || (status == ERROR_MORE_DATA)) && (key_type == REG_LINK)) {
      detect_result = 1;
    }
    if ((status == ERROR_FILE_NOT_FOUND) && (detect_result != 1)) {
      // No link value: confirm the key also opens normally. If it does it is an
      // ordinary key (2); if it does not, it is still treated as a link (1).
      HKEY temp_key_handle;
      status = RegOpenKeyExW(key_handle, sub_key_path, 0, KEY_READ, &temp_key_handle);
      RegCloseKey(temp_key_handle);
      detect_result = (status == ERROR_SUCCESS) + 1;
    }
    *out_handle = sub_key_handle;
  }
  return detect_result;
}
```

DetectRegistryLink checks strictly for registry symbolic links. After opening the key with REG_OPTION_OPEN_LINK, so that a link is opened rather than followed, it handles a variety of cases, including a link that redirects to a nonexistent key. The handle it finally opens is passed back to the caller and reused there.

SafeRegCreateKeyEx calls this function to check before creating the registry key. If it finds a registry symbolic link, it deletes it with NtDeleteKey and then creates a new key with RegCreateKeyEx.
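As an added defensive example (not code from the original post or from the patch), the following PowerShell script applies the same REG_OPTION_OPEN_LINK / SymbolicLinkValue test that DetectRegistryLink performs to every subkey of a Low IL-controllable tree, so an administrator can audit whether any key in it is actually a symbolic link and where it points. It assumes Windows PowerShell 5.1 or later, declares its own P/Invoke wrapper type named RegLink (a helper made up for this example), and defaults to the PolicyConfig key named above; any other subtree can be substituted.

```powershell
# Added example, not from the original post: audit a registry subtree for
# symbolic-link keys the way DetectRegistryLink does, without following them.
# Assumes Windows PowerShell 5.1+ and advapi32 via P/Invoke. "RegLink" is a
# helper type defined here for the example.
$definition = @'
using System;
using System.Runtime.InteropServices;
public static class RegLink {
    public const int REG_OPTION_OPEN_LINK = 0x8;   // open the link key itself
    public const int KEY_READ   = 0x20019;
    public const int REG_LINK   = 6;               // value type of SymbolicLinkValue
    public const int ERROR_SUCCESS        = 0;
    public const int ERROR_FILE_NOT_FOUND = 2;
    public const int ERROR_MORE_DATA      = 234;

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int RegOpenKeyExW(IntPtr hKey, string lpSubKey, int ulOptions,
                                           int samDesired, out IntPtr phkResult);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int RegQueryValueExW(IntPtr hKey, string lpValueName, IntPtr lpReserved,
                                              out int lpType, byte[] lpData, ref int lpcbData);
    [DllImport("advapi32.dll")]
    public static extern int RegCloseKey(IntPtr hKey);
}
'@
Add-Type -TypeDefinition $definition

# Classify one subkey of $ParentHandle: Opened (bool), IsLink (bool), Target (string), Status (int).
function Test-RegistryLinkKey {
    param([IntPtr]$ParentHandle, [string]$SubKey)
    $h = [IntPtr]::Zero
    $status = [RegLink]::RegOpenKeyExW($ParentHandle, $SubKey, [RegLink]::REG_OPTION_OPEN_LINK,
                                       [RegLink]::KEY_READ, [ref]$h)
    if ($status -ne [RegLink]::ERROR_SUCCESS) {
        return [pscustomobject]@{ Opened = $false; IsLink = $false; Target = ''; Status = $status }
    }
    try {
        $type = 0
        $buf  = New-Object byte[] 2048
        $size = $buf.Length
        $status = [RegLink]::RegQueryValueExW($h, 'SymbolicLinkValue', [IntPtr]::Zero,
                                              [ref]$type, $buf, [ref]$size)
        $isLink = ($status -eq [RegLink]::ERROR_SUCCESS -or $status -eq [RegLink]::ERROR_MORE_DATA) -and
                  ($type -eq [RegLink]::REG_LINK)
        $target = ''
        if ($isLink -and $status -eq [RegLink]::ERROR_SUCCESS) {
            # SymbolicLinkValue is a native object path with no terminating NUL.
            $target = [System.Text.Encoding]::Unicode.GetString($buf, 0, $size)
        } elseif ($isLink) {
            $target = '<target longer than buffer>'
        }
        return [pscustomobject]@{ Opened = $true; IsLink = $isLink; Target = $target; Status = $status }
    } finally {
        [void][RegLink]::RegCloseKey($h)
    }
}

# Walk $Key recursively and emit one record per symbolic-link key found.
# Link keys are reported but never descended into, so the audit stays inside the tree.
function Find-RegistryLinks {
    param([Microsoft.Win32.RegistryKey]$Key, [string]$Path)
    $parentHandle = $Key.Handle.DangerousGetHandle()
    foreach ($name in $Key.GetSubKeyNames()) {
        $full = "$Path\$name"
        $r = Test-RegistryLinkKey -ParentHandle $parentHandle -SubKey $name
        if ($r.IsLink) {
            [pscustomobject]@{ Key = $full; Target = $r.Target }
            continue
        }
        if (-not $r.Opened) {
            Write-Warning "Could not open $full (status $($r.Status))"
            continue
        }
        $child = $Key.OpenSubKey($name)
        if ($child) {
            try { Find-RegistryLinks -Key $child -Path $full } finally { $child.Close() }
        }
    }
}

$relative = 'Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig'
$root = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($relative)
if (-not $root) {
    Write-Host "HKCU\$relative does not exist on this machine."
} else {
    try {
        $links = @(Find-RegistryLinks -Key $root -Path "HKCU\$relative")
        if ($links.Count -eq 0) {
            Write-Host "No symbolic-link keys under HKCU\$relative."
        } else {
            # Any link inside a Low IL-writable tree deserves a closer look.
            $links | Format-Table -AutoSize
        }
    } finally { $root.Close() }
}
```

The walk deliberately uses the parent key's raw handle for the link test and the .NET RegistryKey only for ordinary keys: opening a link through the .NET provider would silently follow it, which is exactly the behaviour an audit of this tree must avoid.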

```cpp
#include <windows.h>
#include <winternl.h>

// NtDeleteKey is exported by ntdll.dll (link against ntdll.lib).
extern "C" NTSTATUS NTAPI NtDeleteKey(HANDLE KeyHandle);

// Fragment from inside SafeRegCreateKeyEx: key_handle, kSubKeyPath and status
// belong to the enclosing function; only the check-and-create part is shown.
HKEY sub_key_handle = nullptr;
int detect_result = DetectRegistryLink(key_handle, kSubKeyPath, &sub_key_handle);
if (detect_result == 1) {
  // A symbolic link: delete it through the handle DetectRegistryLink returned.
  status = NtDeleteKey(sub_key_handle);
  RegCloseKey(sub_key_handle);
  sub_key_handle = nullptr;
  if (!NT_SUCCESS(status)) {
    return ERROR_ACCESS_DENIED;
  }
}
if (detect_result > 3) {
  // Access denied or another open error: refuse.
  if (sub_key_handle) {
    RegCloseKey(sub_key_handle);
  }
  return ERROR_ACCESS_DENIED;
}
DWORD create_disposition = 0;
if (sub_key_handle) {
  create_disposition = REG_OPENED_EXISTING_KEY;
} else {
  // The key was missing or has just been deleted: create it by name again.
  status = RegCreateKeyExW(key_handle, kSubKeyPath, 0, nullptr, 0, KEY_ALL_ACCESS, nullptr,
                           &sub_key_handle, &create_disposition);
  if (status != ERROR_SUCCESS) {
    return status;
  }
  if (create_disposition != REG_CREATED_NEW_KEY) {
    RegCloseKey(sub_key_handle);
    return ERROR_ACCESS_DENIED;
  }
}
```

0x02 The Flaw


The logic seems rigorous, but there is a serious problem.

Once NtDeleteKey has removed the target key, nothing more can be done with it: existing handles remain valid, but every operation through them returns STATUS_KEY_DELETED, and the only thing left to do is close them.

After the handle is closed, any further operation has to open a new handle by object name, and the system gives no guarantee that the object found under that name is the same object as before.

With a precisely timed race, the check can therefore be bypassed by creating a new symbolic link under the same name before RegCreateKeyEx is called.

0x03 The Exploit


As before, we use the IE 11 sandbox as the example for exploiting this vulnerability to escalate privileges.

For the race to be exploitable, the Windows Audio Service must first perform the deletion.

We can deliberately create a symbolic link under the HKCU\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig key and then trigger a write by the Windows Audio Service, which takes the deletion path.

The moment at which the symbolic link is written must be controlled precisely. We could of course spin up 100,000 threads in a loop and wait for the day it works, but the system already provides a suitable trigger.

NtNotifyChangeKey monitors a registry key and signals an event when the registry operation we specify occurs.

By setting a notification on the symbolic link, we are signalled as soon as the Windows Audio Service deletes it, which gives us the chance to create a symbolic link before the service creates its new key.

If the symbolic link points at a GUID that does not yet exist under HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy, the REG_CREATED_NEW_KEY check is satisfied and the target key is created.

The Windows Audio Service then overwrites the security settings of the target key with those of its parent key (PolicyConfig), which is Low IL controllable, so the newly created ElevationPolicy key becomes writable by the IE sandbox process.

Writing an arbitrary AppPath and setting Policy to 0x3 then allows any process to be started from the IE sandbox at Medium IL.

0x04 The Trick


The Windows Audio Service performs its registry operations after RpcImpersonateClient. So although the race can be won directly from the IE sandbox, the registry operation then runs with the Low IL token of the calling process, which lacks the necessary permissions.

James Forshaw did not solve this problem in the original PoC and had to trigger sndvol.exe manually from outside the sandbox.

To solve it, we need a process at Medium IL or higher to use an audio session, which usually just requires the process to play a sound.

The default IE Elevation Policy allows the sandbox to start some processes at Medium IL, including Notepad (notepad.exe). Once the Medium IL process is running we only have permission to terminate it, but we can pass command line arguments when starting it.

When Notepad is asked to open a nonexistent file, it shows a system dialog box asking whether to create a new file, accompanied by the default system sound. That is enough to make the Windows Audio Service write its registry keys.

By repeating this, we can rerun the race as many times as needed to ensure success.

0x05 The Mitigation


In an August 2015 patch, Microsoft finally prohibited Low IL processes from creating registry symbolic links altogether. When a registry symbolic link is set, the kernel calls RtlIsSandboxedToken to determine whether the current process token is Low IL or AppContainer and, if so, returns access denied. This blocks every attack based on registry symbolic links from Low IL, so exploiting the vulnerability directly in the IE sandbox is completely ruled out.

0x06 References


Issue 99: IE11 AudioSrv RegistryKey EPM Privilege Escalation, James Forshaw: https://code.google.com/p/google-security-research/issues/detail?id=99

Microsoft Security Bulletin MS14-071: Vulnerability in Windows Audio Service Could Allow Elevation of Privilege (3005607): https://technet.microsoft.com/library/security/MS14-071

Windows 10 Symbolic Link Mitigations, James Forshaw: https://googleprojectzero.blogspot.com/2015/08/windows-10hh-symbolic-link-mitigations.html