Recognizing privilege escalation in ABBYY FineReader

My series on finding privilege escalation vulnerabilities in Windows applications continues. Previous parts covered Steam (CVE-2019-14743, CVE-2019-15316, CVE-2019-17180) and Origin (CVE-2019-19247, CVE-2019-19248). Today, however, the subject is not a game launcher but the ABBYY FineReader software package.



Summary: I will show how, thanks to the component that checks the license, you can go from a regular user to NT AUTHORITY\SYSTEM in 10 minutes. The vulnerability was assigned the identifier CVE-2019-20383; the advisory is on the ABBYY website.

Reconnaissance


I downloaded the trial version of FineReader from the ABBYY website and took a quick look to see whether it made sense to dig into the product for privilege escalation. It did: the product includes a service which, judging by its name, "ABBYY network license server", deals with licensing and by default runs as NT AUTHORITY\SYSTEM. I started ProcMon and began watching the service's behaviour.

My attention was drawn to the file "C:\ProgramData\ABBYY\FineReader\15\Licenses\Licensing.cnt". The service reads something from it and writes something to it; in short, the file looked like an interesting candidate for experiments. Consider the folder "C:\ProgramData\ABBYY\FineReader\15\Licenses". It carries an "Everyone: Full Access" ACL inherited from the parent folder ("C:\ProgramData\ABBYY\FineReader\15"), which means any user can delete all of its contents, including the file "Licensing.cnt".
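The defender's version of that ACL check, written for this page as an added example (it is not code from the article or from ABBYY): a PowerShell script that flags ACEs on a service data folder granting Everyone or similar broad groups the delete and write rights that make the delete-and-recreate trick possible. The folder path is the one named in the article; the list of "broad" principals and the set of rights treated as dangerous are my assumptions.

```powershell
# Added example: not code from the article or from ABBYY.  Lists ACEs on a
# service data folder that grant broad (non-admin) principals the rights needed
# to delete or replace its contents.  The default path is the folder named in
# the article; what counts as "broad" and "dangerous" is an assumption.
param(
    [string]$Path = 'C:\ProgramData\ABBYY\FineReader\15\Licenses'
)

function Get-WeakFolderAces {
    param([Parameter(Mandatory)][string]$Path)

    # Rights that let a caller remove or replace files in the folder.
    $dangerous = [System.Security.AccessControl.FileSystemRights]::Delete -bor
                 [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [System.Security.AccessControl.FileSystemRights]::AppendData

    # Principals that amount to "any local user".
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $who = $ace.IdentityReference.Value
        if ($broad -notcontains $who) { continue }

        # Generic rights (GENERIC_ALL, GENERIC_WRITE, ...) show up as the high bits,
        # often as a negative Int32; treat any of them as "can write/delete".
        $rights = [int]$ace.FileSystemRights
        $hit = ($rights -lt 0) -or (($rights -band 0x10000000) -ne 0) -or (($rights -band [int]$dangerous) -ne 0)
        if (-not $hit) { continue }

        [pscustomobject]@{
            Path      = $Path
            Principal = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # the article's case: inherited from the parent folder
        }
    }
}

$weak = Get-WeakFolderAces -Path $Path
if ($weak) {
    Write-Warning "Any local user can delete or replace files under $Path"
    $weak | Format-Table -AutoSize
} else {
    "OK: no broad delete/write ACEs on $Path"
}
```

On a host with an unpatched FineReader 15 the inherited "Everyone: Full Access" ACE on the Licenses folder is exactly what this reports. The vendor-side fix is the same observation in reverse: a file that a SYSTEM service reads back and trusts should live in a folder whose DACL limits write and delete to SYSTEM and Administrators.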

Having found the file missing, the service tried to create it, and did so in a slightly odd way. It created a file named like "tmpXXXX_YYYYYYYYY.tmp", wrote some data into it, and then renamed it to "Licensing.cnt".

Here is the ProcMon log in which this operation is performed twice.



The first time at 20:36, the second at 20:46. Between these timestamps the file was deleted again so that it would be created again.

Rectangle 1 marks the moment the service detects that the file is missing. Rectangle 2: creation of the temporary file. Rectangle 3: renaming of the temporary file. Rectangle 4: the same operations repeated 10 minutes later.

Consider the format of the name "tmpXXXX_YYYYYYYYY.tmp". Within one run of the process XXXX is always constant; in fact, it is the identifier of the thread that performs this work. YYYYYYYYY does not stay constant, but if we look at two neighbouring runs (values 430210515 and 430810515), it appears to be just a time mark: the difference between the numbers, 600000, coincides suspiciously well with the 10 minute gap. A few more tests confirm the assumption.

To summarize this part. Any user can delete the file "C:\ProgramData\ABBYY\FineReader\15\Licenses\Licensing.cnt", then poll the contents of the folder "C:\ProgramData\ABBYY\FineReader\15\Licenses" frequently and at some point find a file there named "tmpXXXX_YYYYYYYYY.tmp". From then on the user is prepared: after deleting the file, he knows exactly when, and under what name, the file will be created next time.
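For anyone triaging other services with ProcMon, the following added example (not from the original article) encodes the pattern just described as a filter over a ProcMon CSV export: a CreateFile that ends in NAME NOT FOUND, followed by a rename of a tmp file onto that same path. Every hit names a directory whose ACL deserves the check above. The CSV lines inside it are constructed to mirror ProcMon's default export columns, the process name is a placeholder, and the temp-name regex assumes the tmpXXXX_YYYYYYYYY.tmp shape from the article.

```powershell
# Added example: not code from the article or from ABBYY.  Looks through a
# ProcMon CSV export for the sequence the article observed: a file open that
# fails with NAME NOT FOUND, followed by a rename of a tmp*.tmp file onto that
# same path.  Any hit names a directory whose ACL deserves a check.
# The events below are CONSTRUCTED to mirror ProcMon's default CSV columns and
# the process name is a placeholder.  For real data: Import-Csv -Path export.csv

$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"20:36:01.0000000","PLACEHOLDER_LicenseService.exe","1234","CreateFile","C:\ProgramData\ABBYY\FineReader\15\Licenses\Licensing.cnt","NAME NOT FOUND","Desired Access: Generic Read"
"20:36:01.0100000","PLACEHOLDER_LicenseService.exe","1234","CreateFile","C:\ProgramData\ABBYY\FineReader\15\Licenses\tmp4660_430210515.tmp","SUCCESS","Desired Access: Generic Write"
"20:36:01.0200000","PLACEHOLDER_LicenseService.exe","1234","WriteFile","C:\ProgramData\ABBYY\FineReader\15\Licenses\tmp4660_430210515.tmp","SUCCESS","Offset: 0, Length: 512"
"20:36:01.0300000","PLACEHOLDER_LicenseService.exe","1234","SetRenameInformationFile","C:\ProgramData\ABBYY\FineReader\15\Licenses\tmp4660_430210515.tmp","SUCCESS","ReplaceIfExists: True, FileName: C:\ProgramData\ABBYY\FineReader\15\Licenses\Licensing.cnt"
'@

function Find-TempRenamePattern {
    param([Parameter(Mandatory)][object[]]$Events)

    # Paths that some process first failed to find (case-insensitive, as NTFS is).
    $missing = @{}
    foreach ($e in $Events) {
        if ($e.Operation -eq 'CreateFile' -and $e.Result -eq 'NAME NOT FOUND') {
            $missing[$e.Path.ToLowerInvariant()] = $true
        }
    }

    foreach ($e in $Events) {
        if ($e.Operation -ne 'SetRenameInformationFile') { continue }
        # ProcMon puts the rename target into Detail as "FileName: <path>" (last field).
        if ($e.Detail -notmatch 'FileName:\s*(?<dest>.+)$') { continue }
        $dest = $Matches['dest'].Trim()
        $tempLeaf = [System.IO.Path]::GetFileName($e.Path)
        # Assumption: temp names look like tmp<thread id>_<timestamp>.tmp as in the article.
        if ($tempLeaf -notmatch '^tmp[0-9A-Fa-f]+_\d+\.tmp$') { continue }
        if (-not $missing.ContainsKey($dest.ToLowerInvariant())) { continue }

        [pscustomobject]@{
            Time      = $e.'Time of Day'
            Process   = $e.'Process Name'
            Directory = [System.IO.Path]::GetDirectoryName($dest)   # folder whose ACL to audit
            TempName  = $tempLeaf
            Target    = [System.IO.Path]::GetFileName($dest)
        }
    }
}

$events = $sampleCsv -split "`r?`n" | ConvertFrom-Csv
Find-TempRenamePattern -Events $events | Format-Table -AutoSize
```

The interesting output column is Directory: a SYSTEM process performing create-then-rename inside a folder that ordinary users can write to is the combination worth reporting, regardless of which product the process belongs to.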

Now let's play with symlinks


How to create symlinks without administrator rights

The goal is a link that makes "C:\abc\1" refer to "C:\def\2", built in two steps.

First, an NTFS reparse point (an NTFS mount point) is created so that "C:\abc" points at the object manager directory "\RPC Control\". Second, an object manager symbolic link "\RPC Control\1" <-> "C:\def\2" is created. Neither step requires administrator rights.

As a result, opening "C:\abc\1" goes through "\RPC Control\1" and ends up at "C:\def\2".
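The redirection depends on a reparse point sitting inside a folder that a SYSTEM service writes to, so such folders should normally contain none. As an added example (not the article's code), this PowerShell script enumerates reparse points under the FineReader 15 data folder and marks targets that do not resolve to an ordinary drive path; the root path comes from the article, the "odd target" heuristic is an assumption.

```powershell
# Added example: not code from the article or from ABBYY.  Walks a service's
# data folder and reports every reparse point (junction / mount point /
# symbolic link).  A mount point placed by a user under a folder that a SYSTEM
# service writes to is the precondition for the redirection described above.
param(
    [string]$Root = 'C:\ProgramData\ABBYY\FineReader\15'   # folder named in the article
)

function Get-ReparsePoints {
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0 } |
        ForEach-Object {
            # Target is string[] in Windows PowerShell 5.1 and string in PowerShell 7; normalise.
            $target = @($_.Target) -join ';'
            [pscustomobject]@{
                Path      = $_.FullName
                LinkType  = $_.LinkType        # Junction, SymbolicLink, ...
                Target    = $target
                # Heuristic: a target outside the drive-letter namespace (for example an
                # object manager directory) is what the redirection trick relies on.
                OddTarget = [string]::IsNullOrEmpty($target) -or ($target -notmatch '^[A-Za-z]:\\')
            }
        }
}

$links = Get-ReparsePoints -Root $Root
if ($links) {
    Write-Warning "Reparse points found under $Root; a SYSTEM service writing here can be redirected"
    $links | Format-Table -AutoSize
} else {
    "OK: no reparse points under $Root"
}
```

A clean install should print the OK line. The check is a point-in-time snapshot, so it complements rather than replaces the ACL fix: with a restrictive DACL on the folder, users cannot create the reparse point in the first place.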

Initially, the process of creating a license file looks like this:



When we know the exact moment of the next such operation, we can create the following symlinks (the folder name "C:\ProgramData\ABBYY\FineReader\15\Licenses\" is omitted from the source names):

tmpXXXX_YYYYYYYYA.tmp <-> C:\test\l1\proxy
tmpXXXX_YYYYYYYYB.tmp <-> C:\test\l1\proxy
tmpXXXX_YYYYYYYYC.tmp <-> C:\test\l1\proxy
…
tmpXXXX_YYYYYYYYZ.tmp <-> C:\test\l1\proxy

Here YYYYYYYYA, YYYYYYYYB, YYYYYYYYC, ... YYYYYYYYZ are different timestamps in the range YYYYYYYYY + 10 minutes (in case the timestamp arrives slightly late). Next, create one more link:

C:\test\l1\proxy <-> C:\test\l2\nope

Note that none of these files really exist. This is needed so that a reference to, for example, tmpXXXX_YYYYYYYYB.tmp goes through two redirects and the service ends up working with the file "C:\test\l2\nope". As soon as we notice that "C:\test\l2\nope" has been created, we must immediately create two new symlinks:

C:\test\l1\proxy <-> C:\test\l2\payload
Licensing.cnt <-> C:\target\path


The service will still write the file's contents to "C:\test\l2\nope", but it will perform the rename through the new symlink. So instead of renaming, say, "tmpXXXX_YYYYYYYYC.tmp" to "Licensing.cnt", "C:\test\l2\payload" will actually be renamed (moved) to "C:\target\path". In effect, we can place a file with arbitrary content at an arbitrary path on behalf of NT AUTHORITY\SYSTEM.

Schematically, it will look like this:



The colour indicates what is actually performed because of the symlinks.

Escalating privileges with the resulting primitive is already easy: for example, one can plant a DLL into system processes and the like. At this stage I contacted ABBYY representatives and passed them the information about the vulnerability.

According to ABBYY, the vulnerability has now been fixed.

Timeline


11/25/2019 - vulnerability discovered
11/26/2019 - requested a security contact from the vendor
11/26/2019 - vulnerability report sent to the vendor
12/09/2019 - vulnerability confirmed by the vendor
10/01/2020 - vulnerability fixed
01/22/2020 - CVE-2019-20383 assigned to the vulnerability
19.02.2020 - publication of this article

We have many projects right now and are expanding the "Prospective Monitoring" team. We are looking for specialists in source code analysis and in mobile application analysis. If you want to join my team, write to me, Anastasia (Ana2121), or by e-mail to info@amonitoring.ru
