ZDI’s Thanksgiving Treat

pwndad
2 min read · Nov 25, 2019


Homemade CVE-2019-1388 binary

Thanks to @Edu_Braun_Secur’s excellent spot and @HexKitchen’s (from @thezdi) delicious blog post [1], the pentesting world was recently gifted with another EoP vulnerability, usable whenever the target has not applied the Windows Updates addressing CVE-2019-1388 [2].

One sentence specifically caught my attention:
[..]The finder of this bug provided us with a copy of an ancient Microsoft-signed executable that has such a certificate[..]

Since I was too lazy to find this specific binary, I tried creating my own and ended up with these PowerShell lines (a Visual Studio Developer prompt or the Windows SDK [3] must be installed):

These commands create a self-signed Root CA certificate (containing an arbitrary URL), sign a Code Signing certificate with it, convert that to .PFX and import the “root.cer” into the (unprivileged) user’s certificate store under “Trusted Root Certification Authorities”, so that the hyperlink “Show information about this publisher’s certificate” is presented within the UAC prompt. For security reasons you have to click “Yes” :)
Then they sign the arbitrary binary.

Now copy runme.exe and root.cer to your target machine. Import root.cer into the current user’s Trusted Root Certification Authorities. Then right-click runme.exe and select “Run as Administrator”, or simply press CTRL+SHIFT+ENTER. The User Account Control (UAC) prompt should appear.

On moderately modern OS versions (I tested on Windows 10) click “Show more details” to get another hyperlink called “Show information about this publisher’s certificate”. From the certificate view switch to the tab on the right called “Certification Path”. There select the (self-signed) root CA certificate and click “View Certificate”.

Click the blue hyperlink and pop the browser as Mrs. SYSTEM [5].
The final escape can be followed on ZDI’s blog [1] or here [4].
Done.
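The precondition for the whole chain above is a per-user trusted root certificate that carries a URL, so the defensive counterpart is to look for exactly that. The following PowerShell is an added example, not the author’s script and not part of the ZDI write-up: it lists certificates in the current user’s “Trusted Root Certification Authorities” store that are self-signed, are not also trusted machine-wide, and embed a URL in their Certificate Policies extension (OID 2.5.29.32, the usual home of the issuer-statement link the certificate viewer follows). The function name Get-UserOnlyRootCerts is an assumption of this example; the store paths and OID are standard Windows values.

```powershell
# Added defensive check, not the post author's code: report self-signed roots that
# live only in the current user's trusted root store. Such entries are the
# precondition the CVE-2019-1388 chain above relies on and deserve a second look.
function Get-UserOnlyRootCerts {
    # Thumbprints trusted machine-wide; anything not in here is user-only trust.
    $machineRoots = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Select-Object -ExpandProperty Thumbprint

    $policyOid = '2.5.29.32'   # Certificate Policies; CPS / issuer-statement URL lives here

    Get-ChildItem -Path Cert:\CurrentUser\Root | ForEach-Object {
        $cert       = $_
        $selfSigned = ($cert.Subject -eq $cert.Issuer)
        $userOnly   = ($machineRoots -notcontains $cert.Thumbprint)

        # Pull any URL out of the formatted Certificate Policies extension text.
        $policyExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $policyOid }
        $policyText = if ($policyExt) { $policyExt.Format($true) } else { '' }
        $urls       = [regex]::Matches($policyText, 'https?://[^\s\]]+') |
            ForEach-Object { $_.Value }

        if ($selfSigned -and $userOnly) {
            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
                PolicyUrls = ($urls -join ', ')
            }
        }
    }
}

# Usage: run in the context of the user being reviewed; an empty result is the
# expected state on a clean machine. Rows with a non-empty PolicyUrls column
# match the certificate shape described in the post and should be verified or removed
# (e.g. with Remove-Item on the Cert:\CurrentUser\Root\<Thumbprint> path).
Get-UserOnlyRootCerts | Format-Table -AutoSize
```

The comparison against Cert:\LocalMachine\Root matters because the user store normally mirrors the machine-wide roots; a root that only the unprivileged user trusts is either an enterprise oddity or the artefact of an import like the one described above, and this check surfaces it without needing the patch state of the host.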

[1] https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
[2] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
[3] https://stackoverflow.com/questions/51418366/makecert-exe-missing-in-windows-10-how-to-get-it-and-use-it
[4] https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/
[5] On some tests the Internet Explorer opened on the user desktop (but elevated) instead of the Secure Desktop where the UAC appeared.
