SandboxEscaper / PoC-LPE: What's Inside?

On Habré there is already news about this vulnerability , but, unfortunately, without technical details. I suggest to look inside the published archive (author - SandboxEscaper ).

Under the cut is a translation of the document description, located in the archive.

Vulnerability description

The Task Scheduler service (task scheduler) has an RPC interface (accessible via the ALPC transport), which supports the SchRpcSetSecurity method.

This is the prototype of this method:
')

long _SchRpcSetSecurity( [in][string] wchar_t* arg_1, //Task name [in][string] wchar_t* arg_2, //Security Descriptor string [in]long arg_3); 

Tasks created by the task scheduler create the corresponding directory / file in c: \ windows \ system32 \ tasks. Probably, this method is intended for recording DACL tasks located there. But recording will occur after impersonation. However, for some reason, the method implementation also checks for the presence of the .job file in c: \ windows \ tasks and writes the DACL to it without impersonation . Since a user (even a user in a group of guests) can create files in this directory, we can simply create a hardlink to any other file accessible to us for reading. Using this hardlink, we can force the scheduler service (executing with SYSTEM rights) to write an arbitrary DACL (see the second parameter SchRpcSetSecurity) to a file of our choice.

Thus: for any file readable, you can change the DACL, which allows you to completely overwrite it.

Exploitation of Vulnerability

This vulnerability gives us a really strong primitive! The main problem is that after installation (by default), many important files can be modified only by the TrustedInstaller user (but not the SYSTEM user).

The archive contains a powershell script for listing files that you can control. Just run:
./enumerate.ps1 >output.txt

There are many goals in the system. You can control the Program Files and, if your target file is used by an administrator / other user, the files you have overwritten can be run with the required privileges.

The second problem is that although we can gain control over multiple files, writing them to them is often impossible, because these DLLs are already loaded somewhere for execution. Attempting to write a DACL for a loaded file will result in a shared access error. But the vulnerability can also be used for other types of files that may be a better target than a DLL.

For operation, the selected file is C: \ Windows \ System32 \ DriverStore \ FileRepository \ prnms003.inf_amd64_4592475aca2acf83 \ Amd64 \ printconfig.dll (the directory name may differ, this is taken into account in PoC). It looks like this file belongs to the XPS printer and is not uploaded to the print service by default (it may happen that the file will already be loaded ... but more often it is not).

And when we run a print job using an XPS printer, the service will load this DLL, which we can rewrite. Such an attack vector (hijacking) can be easily applied for something better. I can try to find the best options ... just let me know.

Note : On the old laptop, where Windows 10 has been running for several years, there are two prnms003.inf_amd64_ * directories. The new version does not remove the old one, which means there is no guarantee that FindFirstFile (used in PoC) will find the current directory. Therefore, you can expand the code by overwriting all found printconfig.dll or check the attribute of the last entry in the file and select a new one.

Demo

In the archive you can also find a video with a demonstration: