More Than a Penetration Test (Microsoft Windows CVE-2019–1082)

When a penetration test became something more.

During one of our penetration tests, Jakub Pałaczyński and I had the chance to dig into a Windows Server 2016 and WSUS environment. We tested some common privilege escalation techniques; however, it is really difficult to find misconfigurations on a freshly installed, stable system with all updates applied.

The main goal of the test was to check the WSUS update functionality on the system and whether there was a possibility of exploitation. A common technique for investigating loading behaviour on Windows is to use Sysinternals Process Monitor to analyze how a process behaves when executed. After running some system updates through WSUS we found that the update launched a binary called DismHost.exe with the highest level of privileges on the local system (NT AUTHORITY\SYSTEM).

A couple of months after reporting this vulnerability I found an article about a UAC bypass with similar functionality involving DismHost.exe, but there it was launched only with elevated/high integrity privileges.

Let's dig into the logs:

After running updates several times via WSUS and grinding through the ProcMon output we found that during an update DismHost.exe is copied to C:\Windows\Temp\{GUID} and looks for some DLLs that are missing.


Because all system users have write access to the Windows %TEMP% directory (C:\Windows\Temp), it is possible to copy DLLs there, which could lead to DLL hijacking: a planted DLL gets loaded by DismHost.exe.
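The pattern described above (a SYSTEM process probing for, or loading, a DLL from a user-writable directory) is something a defender can hunt for in Process Monitor exports. The following is an added example, not part of the original post or the PoC; it assumes a Procmon CSV export with the optional "User" column enabled, and the sample rows are constructed for illustration.

```python
import csv
import io
from pathlib import PureWindowsPath

# Directories that unprivileged users can write to. Constructed list for this
# example; extend it to match the ACLs of your own environment.
USER_WRITABLE_DIRS = [
    PureWindowsPath(r"C:\Windows\Temp"),
    PureWindowsPath(r"C:\Users\Public"),
]

# Constructed Process Monitor CSV export (not a real capture). Column order
# follows Procmon's default export with the optional "User" column added.
SAMPLE_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail","User"
"10:01:02.1","DismHost.exe","4120","CreateFile","C:\Windows\Temp\{GUID}\PEProvider.dll","NAME NOT FOUND","Desired Access: Read","NT AUTHORITY\SYSTEM"
"10:01:02.2","DismHost.exe","4120","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS","","NT AUTHORITY\SYSTEM"
"10:01:02.3","DismHost.exe","4120","Load Image","C:\Windows\Temp\{GUID}\PEProvider.dll","SUCCESS","","NT AUTHORITY\SYSTEM"
"10:01:03.0","notepad.exe","5000","Load Image","C:\Windows\Temp\x.dll","SUCCESS","","CORP\alice"
"""


def under_writable_dir(path: str) -> bool:
    """True if path lies inside one of the user-writable directories."""
    p = PureWindowsPath(path)  # comparisons are case-insensitive on Windows paths
    return any(d == p or d in p.parents for d in USER_WRITABLE_DIRS)


def find_hijack_candidates(csv_text: str) -> list:
    """Flag SYSTEM processes that search for a missing DLL in, or load a DLL
    from, a user-writable directory. Returns one dict per finding."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        path = row["Path"]
        if not path.lower().endswith(".dll") or not under_writable_dir(path):
            continue
        if row["User"].upper() != "NT AUTHORITY\\SYSTEM":
            continue  # only privileged loaders matter for this escalation
        op, result = row["Operation"], row["Result"]
        if op == "CreateFile" and result == "NAME NOT FOUND":
            kind = "missing-dll-probe"  # search order reached a writable dir
        elif op == "Load Image" and result == "SUCCESS":
            kind = "dll-loaded-from-writable-dir"  # hijack already succeeded
        else:
            continue
        findings.append({"kind": kind, "process": row["Process Name"],
                         "pid": row["PID"], "path": path})
    return findings


if __name__ == "__main__":
    for f in find_hijack_candidates(SAMPLE_CSV):
        print(f"{f['kind']}: {f['process']} ({f['pid']}) -> {f['path']}")
```

Only the two DismHost.exe rows are reported; the kernel32.dll load comes from System32 and the notepad.exe load is not running as SYSTEM.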


Exploitation was really difficult in this case because it was a race condition against DismHost.exe that we had to win.

After closer examination, we chose PEProvider.dll as the DLL to be loaded.

To increase our chance of winning the race we used SetOpLock.exe and set an oplock on one of the resources that DismHost.exe uses before loading PEProvider.dll.

Once DismHost.exe loads our DLL, it runs as NT AUTHORITY\SYSTEM, the highest privilege level on the system.

This situation also happens when:

- adding and removing features (tested on Windows Server 2016)
- the “Windows Defender Verification” task runs (a default task enabled on clean Windows installations). This one was found to run periodically, but the task has no triggers; I suppose it runs as part of “Automatic Maintenance”. (tested on Windows Server 2016)
- during updates, but not all of them (tested on Windows Server 2016)

Original screenshot from the exploitation:


Jakub Pałaczyński wrote an excellent PoC for this and maybe it will be available sometime in the future :)

ps: Twitter
