More Than a Penetration Test (Microsoft Windows CVE-2019-1082)

Michał Bazyli

When a penetration test became something more.

During one of our penetration tests, Jakub Pałaczyński and I had the chance to dig into a Windows Server 2016 and WSUS environment. We tried the common privilege escalation techniques, but it is genuinely hard to find misconfigurations on a freshly installed, fully patched system.

The main goal of the test was to check the WSUS update functionality on the system and whether it could be exploited. A common way to investigate loading behaviour on Windows is to run Sysinternals Process Monitor (ProcMon) and watch what a process does when it executes. After pushing several updates through WSUS we noticed that an update launched a binary called DismHost.exe with the highest privilege level on the local system (NT AUTHORITY\SYSTEM).

A couple of months after reporting this vulnerability I found the article https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/ about a UAC bypass that abuses the same DismHost.exe behaviour, but in that case the binary was launched only with elevated (high integrity) privileges, not as SYSTEM.

Let's dig into the logs:

After running updates several times via WSUS and combing through the ProcMon output, we found that during an update DismHost.exe is copied to C:\Windows\Temp\{GUID} and, from there, probes for several DLLs that do not exist in that directory (ProcMon shows the CreateFile calls returning NAME NOT FOUND).

Because every user on the system can create files and folders under C:\Windows\Temp (the %TEMP% of the SYSTEM account; on a default install `icacls C:\Windows\Temp` shows BUILTIN\Users with Create Files/Write Data and Create Folders/Append Data), a low-privileged user can plant a DLL with one of the missing names and have DismHost.exe load it. This is DLL search-order hijacking (DLL planting) rather than injection: the loader picks up whatever sits at the path it probes.

Exploitation was the hard part: the DLL has to be in place in the GUID directory before DismHost.exe looks for it, and the window between that directory being created and the lookup is small, so this is a race against DismHost.exe.

After closer examination, we chose PEProvider.dll as the DLL to plant.

To improve our odds we used SetOpLock.exe from Google Project Zero's symboliclink-testing-tools (https://github.com/googleprojectzero/symboliclink-testing-tools) and placed an opportunistic lock on one of the files DismHost.exe opens before it loads PEProvider.dll. The oplock stalls DismHost.exe at that open until the lock is released, which turns the race into a comfortable window for dropping our DLL into the GUID directory.

Once DismHost.exe loads our DLL, the code in it runs as NT AUTHORITY\SYSTEM, the highest privilege level on the system.
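As an added example (not part of the original write-up and not the authors' PoC), the Python script below performs the ProcMon triage described above over a constructed CSV export: it flags a privileged process probing for a DLL that does not exist in a user-writable directory, and reports the last file that same process opened successfully before the probe, which is the kind of resource the text describes locking with SetOpLock.exe to stall the loader. The CSV rows, the GUID folder name and the timestamps are constructed for the example; only the column layout is Process Monitor's standard CSV export. The writable-directory list and the privileged-process list are assumptions you would adjust for the target.

```python
"""Triage a Process Monitor CSV export for DLL-planting candidates.

Added example: not the original write-up's code and not the authors' PoC.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Directories an unprivileged user can create files in on a default install.
# C:\Windows\Temp is the one the write-up relies on (assumption for this
# example: confirm the ACL on the target with `icacls C:\Windows\Temp`).
USER_WRITABLE_PREFIXES = ("c:\\windows\\temp\\",)

# Processes known from the trace to run as NT AUTHORITY\SYSTEM. A default
# CSV export has no integrity column, so the filter is by process name.
PRIVILEGED_PROCESSES = {"dismhost.exe"}

# Constructed sample export in Process Monitor's CSV column layout. The GUID
# folder name, PIDs and timestamps are made up; the DismHost.exe /
# PEProvider.dll pattern follows the write-up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000","svchost.exe","1234","CreateFile","C:\Windows\System32\wuaueng.dll","SUCCESS","Desired Access: Read Data"
"10:01:03.2000000","DismHost.exe","4321","CreateFile","C:\Windows\Temp\{5F2B6C1A-7C3E-4D0A-9B11-2A6E1F0C0001}\DismCore.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:03.2100000","DismHost.exe","4321","CreateFile","C:\Windows\Temp\{5F2B6C1A-7C3E-4D0A-9B11-2A6E1F0C0001}\PEProvider.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:03.2200000","DismHost.exe","4321","CreateFile","C:\Windows\System32\PEProvider.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:04.0000000","notepad.exe","777","CreateFile","C:\Windows\Temp\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''


@dataclass
class Candidate:
    process: str
    pid: int
    missing_dll: str               # probed path that did not exist
    oplock_target: Optional[str]   # last file the same PID opened successfully before the probe


def _is_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(lowered.startswith(prefix) for prefix in USER_WRITABLE_PREFIXES)


def find_dll_planting_candidates(csv_text: str,
                                 privileged: Iterable[str] = PRIVILEGED_PROCESSES) -> List[Candidate]:
    """One Candidate per missing-DLL probe by a privileged process in a user-writable directory."""
    privileged_names = {name.lower() for name in privileged}
    last_success: Dict[int, str] = {}   # PID -> most recent successfully opened path
    found: List[Candidate] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile":
            continue
        proc, pid, path, result = row["Process Name"], int(row["PID"]), row["Path"], row["Result"]
        if result == "SUCCESS":
            last_success[pid] = path
            continue
        if (result == "NAME NOT FOUND"
                and proc.lower() in privileged_names
                and path.lower().endswith(".dll")
                and _is_user_writable(path)):
            # The file opened just before the probe is a candidate to oplock
            # so the loader stalls while the DLL is dropped into place.
            found.append(Candidate(proc, pid, path, last_success.get(pid)))
    return found


if __name__ == "__main__":
    for c in find_dll_planting_candidates(SAMPLE_CSV):
        print(f"{c.process} (PID {c.pid}) probed missing {c.missing_dll}")
        print(f"  stall target for SetOpLock: {c.oplock_target}")
```

On a real engagement, save the ProcMon trace with File > Save as CSV, filter on the process of interest first, and feed the file to `find_dll_planting_candidates`. Note that the System32 probe in the sample is deliberately not reported: a missing DLL in a directory users cannot write to is not a planting opportunity, and the low-privileged notepad.exe probe is ignored because only SYSTEM processes are of interest here. If you add the Integrity column to the export, key the filter on that instead of on process names.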

The same DismHost.exe behaviour also occurs when:

-adding and removing Windows features (tested on Windows Server 2016)

-the "Windows Defender Verification" scheduled task runs (enabled by default on a clean installation, under Microsoft\Windows\Windows Defender in Task Scheduler). We observed it running periodically even though the task has no triggers, so I assume it is run as part of Automatic Maintenance. (tested on Windows Server 2016)

-some, but not all, Windows updates (tested on Windows Server 2016)

Original screenshot from the exploitation (image not included in this text):

Jakub Pałaczyński wrote an excellent PoC for this; maybe it will be made available some time in the future :)

PS: Twitter https://twitter.com/pun1sh3ll
