1. IT-Security >
  2. Cyber Security Nachrichten >
  3. UsoDllLoader - Windows - Weaponizing Privileged File Writes With The Update Session Orchestrator Service

ArabicEnglishFrenchGermanGreekItalianJapaneseKoreanPersianPolishPortugueseRussianSpanishTurkishVietnamese

UsoDllLoader - Windows - Weaponizing Privileged File Writes With The Update Session Orchestrator Service


IT Security Nachrichten vom | Direktlink: feedproxy.google.com Nachrichten Bewertung


2020-06-06 Update: this trick no longer works on the latest builds of Windows 10 Insider Preview. This means that, although it still works on the mainstream version of Windows 10, you should expect it to be patched in the coming months.

Description
This PoC shows a technique that can be used to weaponize privileged file write vulnerabilities on Windows. It provides an alternative to the DiagHub DLL loading "exploit" found by James Forshaw (a.k.a. @tiraniddo), which was fixed by Microsoft starting from build version 1903.

TL;DR
Starting from Windows 10, Microsoft introduced the Update Session Orchestrator service. As a regular user, you can interact with this service using COM, and start an "update scan" (i.e. check whether updates are available) or start the download of pending updates for example. There is even an undocumented built-in tool called usoclient.exe, which serves that purpose.
From an attacker's standpoint, this service is interesting because it runs as NT AUTHORITY\System and it tries to load a non-existent DLL (windowscoredeviceinfo.dll) whenever an Update Session is created.
This means that, if we found a privileged file write vulnerability in Windows or in some third-party software, we could copy our own version of windowscoredeviceinfo.dll into C:\Windows\Sytem32\ and then have it loaded by the USO service to get arbitrary code execution as NT AUTHORITY\System.
For more information:
Part 1 - https://itm4n.github.io/usodllloader-part1/
Part 2 - https://itm4n.github.io/usodllloader-part2/

Build the PoC

Content
This solution is composed of two projects: WindowsCoreDeviceInfo and UsoDllLoader.
  • WindowsCoreDeviceInfo
It provides a PoC DLL that will start a bind shell on port 1337 (localhost only), whenever the QueryDeviceInformation() function is called. That's the name of the function used by the USO workers.
  • UsoDllLoader (optional)
It's a stripped-down version of usoclient.exe. It can be run as a regular user to interact with the USO service and have it load windowscoredeviceinfo.dll. Then, it will try to connect to the bind shell. In case of errors, please read the "Known issues" section.

Build the solution
The solution is already preconfigured so compiling should be easy. I'm using Visual Studio 2019. It might not work with older versions.
  1. Select Release config and x64 architecure.
  2. Build solution.
  3. Output: the DLL .\x64\Release\WindowsCoreDeviceInfo.dll and the loader .\x64\Release\UsoDllLoader.exe.

Test

Usage 1 - UsoDllLoader
For testing purposes, you can:
  1. As an administrator, copy WindowsCoreDeviceInfo.dll to C:\Windows\System32\.
  2. Use the loader as a regular user.
  3. Hopefully enjoy a shell as NT AUTHORITY\SYSTEM.

Usage 2 - UsoClient
If UsoDllLoader.exe fails, you can do the above manually.
  1. As an administrator, copy WindowsCoreDeviceInfo.dll to C:\Windows\System32\.
  2. Use the command usoclient StartInteractiveScan as a regular user. Note that you won't get any feedback from the command.
  3. Download netcat for Windows and use the command nc.exe 127.0.0.1 1337 to connect to the bindshell.

Known issues
  • Pending updates
This method will probably fail if one or several updates are waiting to be installed, or if updates are being installed.
  • RPC errors
Depending on the version of Windows, UsoDllLoader.exe might fail with various error codes. I didn't investigate these issues too much. The reason for this is that it's only a PoC, which I developped for convenience. What matters the most is the DLL, not the loader. See "Usage 2" for more details.


...

Externe Webseite mit kompletten Inhalt öffnen



http://feedproxy.google.com/~r/PentestTools/~3/avQzkwqCtoU/usodllloader-windows-weaponizing.html

Team Security Social Media

➤ Weitere Beiträge von Team Security | IT Sicherheit

  • UsoDllLoader - Windows - Weaponizing Privileged File Writes With The Update Session Orchestrator Service

    vom 671.81 Punkte ic_school_black_18dp
    2020-06-06 Update: this trick no longer works on the latest builds of Windows 10 Insider Preview. This means that, although it still works on the mainstream version of Windows 10, you should expect it to be patched in the coming months.DescriptionThis PoC shows a
  • warning: file /usr/lib/node_modules/npm/scripts/index-build.js: remove failed: No such file or directory warning: file

    vom 598.88 Punkte ic_school_black_18dp
    Hello everyone , I have to update amazon linux server for partners, I encounter many warnings that there are no files or folders in nodejs like this, will it affect the system? , I think yum update has this warning because it didn't have any files or folde
  • Ubuntu 18.04 hangs on shutdown/restart

    vom 370.71 Punkte ic_school_black_18dp
    I'm running a fresh install of Ubuntu 18.04LTS. When I go to either Power Off or Restart a fresh ubuntu session https://i.redd.it/280ghjkfz7j31.png ​ my computer will freeze for about a 30 seconds until popping up the options to Cancel, Restart, or Po
  • Privateloader Hacxx Mega Release 3 2020

    vom 305.06 Punkte ic_school_black_18dp
    Hacxx Agent + Uploader (RESEARCH)https://www.file-up.org/mzw2j0drgjfh grepWinhttps://www.file-up.org/1vs9dtnpalla/grepWin.exe IPTV Portugal 2020 .m3u8https://www.file-up.org/0u9an4xtlcyr/IPT..._2020.m3u8 PTC Coin Maker V1http://www.mediafire.com/file/v
  • USN-3125-1: QEMU vulnerabilities

    vom 227.14 Punkte ic_school_black_18dp
    Ubuntu Security Notice USN-3125-1 9th November, 2016 qemu, qemu-kvm vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.10 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Ubuntu 12.04 LTS Summary Several sec
  • USN-3125-1: QEMU vulnerabilities

    vom 227.14 Punkte ic_school_black_18dp
    Ubuntu Security Notice USN-3125-1 9th November, 2016 qemu, qemu-kvm vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.10 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Ubuntu 12.04 LTS Summary Several sec
  • Privateloader/Hacxx Mega Release 1 2020

    vom 190.21 Punkte ic_school_black_18dp
    [IP LOGGER] IP2Email Link Generator - Discover a user ip address remotelyhttp://www.mediafire.com/file/658bvnm6h4...erator.rar [Ready to import] xxx trailers & movies Blog in a WXR File (Wordpress file)http://www.mediafire.com/file/v9p9m2vwpn...-01-07.xml [Site] Encurtador de li
  • USN-3261-1: QEMU vulnerabilities

    vom 188.26 Punkte ic_school_black_18dp
    Ubuntu Security Notice USN-3261-1 20th April, 2017 qemu vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.10 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Summary Several security issues were fixed i
  • TA17-117A: Intrusions Affecting Multiple Victims Across Multiple Sectors

    vom 160.69 Punkte ic_school_black_18dp
    Original release date: April 27, 2017 | Last revised: May 14, 2017Systems Affected Networked Systems Overview The National Cybersecurity and Communications Integration Center (NCCIC) has become aware of an emerging sophisticated campaign, occurri
  • Organizations Failing Painfully at Protecting, Securing Privileged Accounts

    vom 158.17 Punkte ic_school_black_18dp
    Legal Requirement for Cyber Insurance May be Necessary to Protect Privileged Credentials The need to manage privileged accounts is understood by practitioners and required by regulators, but poorly implemented in practice. Eighty percent of organizatio
  • Organizations Failing Painfully at Protecting, Securing Privileged Accounts

    vom 158.17 Punkte ic_school_black_18dp
    Legal Requirement for Cyber Insurance May be Necessary to Protect Privileged Credentials The need to manage privileged accounts is understood by practitioners and required by regulators, but poorly implemented in practice. Eighty percent of organizatio
  • .NET Framework May 2019 Security and Quality Rollup

    vom 154.72 Punkte ic_school_black_18dp
    Today, we are releasing the May 2019 Cumulative Update, Security and Quality Rollup, and Security Only Update. Security CVE-2019-0820 – Denial of Service Vulnerability A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings. An attacker who successfully explo

Team Security Diskussion über UsoDllLoader - Windows - Weaponizing Privileged File Writes With The Update Session Orchestrator Service