
LPE in Enterprise Software

BSides Cape Town · 2023 · 41:55 · 195 views · Published 2023-12 · Watch on YouTube ↗
About this talk
Reino Mostert discovered a local privilege escalation vulnerability in Plantronics Hub, a popular enterprise teleconferencing application on Windows. He bypassed Windows Defender's symlink detection by chaining directory junctions instead, exploiting the software's update mechanism to escalate from a low-privileged user to NT AUTHORITY\SYSTEM. The talk covers symlink-based LPE techniques and a practical directory junction evasion method.
Original YouTube description

I found a local privilege escalation bug in a popular enterprise teleconferencing software on Windows, and would like to share my journey, and the technique I discovered that prevented Defender from blocking the exploitation of it. Recently, I was given the task to obtain NT AUTHORITY\SYSTEM on an enterprise laptop, from a low-privileged employee account. While it may sound easy, on a fully patched Windows system it’s often hard, so much so that Zerodium will give you $80K for a general Windows LPE. Luckily, I didn’t need to exploit Windows itself - the system came installed with some enterprise software. It had a telecoms app that had a checkered past - various researchers had found privilege escalation bugs in previous versions of it and posted blogs and POCs about it. The system was running the latest version of the telecoms app, which the prior researchers had given a clean bill of health. After several days playing with procmon and Ghidra, I found a way to exploit the upgrade functionality of the software, so that I could change the permissions of any file on the Windows system. This would allow an attacker to overwrite any binary file they know will be executed at some point as SYSTEM with a malicious binary of their choosing, allowing them to obtain SYSTEM privileges. The exploit made use of Windows symlinks, using several of the techniques James Forshaw had initially disclosed. For instance, James disclosed a technique in which an unprivileged user on a Windows system could make a symlink, using the Windows object manager. Unfortunately, Windows Defender these days blocks the use and creation of these symlinks, under the banner of malicious behavior. After some more coffee and time, I found a way to exploit the telecom software which would not be blocked by Defender, by replacing the James Forshaw style symlinks with a chain of directory junctions that would, at some point in time, change where they pointed towards.
This technique will be useful for attackers searching for new LPE bugs in the future. To wrap it all up, I found a way to start an executable file of the telecom app as SYSTEM. This meant I could run the exploit to change the permissions of this binary, replace it with my own malicious one, and then invoke it to run as SYSTEM.

Key takeaways:
• How symlink based LPE works
• How to make use of the directory junction technique

Filmed at BSides Cape Town 2023. AV sponsored by BITM Cyber Security.
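The primitive at the heart of this talk is an updater that records a file's permissions, locks the file down while it verifies a signature, and then restores the recorded permissions by path name, so a link that changes target in between makes the restore land on a different file. The following is an added example written for this page (it is not the speaker's exploit, nor the vendor's code): it models that flow on Linux, with a directory symlink standing in for the Windows directory junction and `os.chmod` standing in for the service's SetSecurityFile, and contrasts the by-path restore with a restore done through a handle opened at check time. Directory names, file names and file contents are constructed for the demo; it assumes a POSIX system.

```python
"""Added example (not the talk's exploit, nor the vendor's code): a Linux
model of the record, lock down, verify, restore flow the talk attributes to
SpokesUpdateService.  A directory symlink stands in for the directory
junction and os.chmod for SetSecurityFile; names and contents are constructed."""
import os
import shutil
import stat
import tempfile


def build_layout():
    """bait/ holds a world-writable copy of the installer, target/ holds a
    locked-down binary, and exit_junction -> bait plays the exit junction."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="junction-demo-"))
    bait = os.path.join(root, "bait")
    target_dir = os.path.join(root, "target")
    os.mkdir(bait)
    os.mkdir(target_dir)
    installer = os.path.join(bait, "PLTHub.exe")     # installer renamed to the target's name
    target = os.path.join(target_dir, "PLTHub.exe")  # the protected binary
    with open(installer, "w") as f:
        f.write("installer (constructed)")
    with open(target, "w") as f:
        f.write("protected binary (constructed)")
    os.chmod(installer, 0o666)   # lax: everybody can overwrite it
    os.chmod(target, 0o644)      # only the owner can write it
    link = os.path.join(root, "exit_junction")
    os.symlink(bait, link)
    return root, link, target_dir, installer, target


def mode_of(path):
    """Permission bits of whatever 'path' resolves to right now."""
    return stat.S_IMODE(os.stat(path).st_mode)


def repoint(link, new_dir):
    """The switch: delete and recreate the link while verification is running."""
    os.unlink(link)
    os.symlink(new_dir, link)


def vulnerable_record_restore(path, during_verification):
    """Every step names the file by path, so the restore resolves the link again."""
    recorded = mode_of(path)      # check: record the permissions the path resolves to now
    os.chmod(path, 0o600)         # lock down for the verification phase
    during_verification()         # the race window: the link is swapped here
    os.chmod(path, recorded)      # use: resolved again, so this lands on the target
    return recorded


def hardened_record_restore(path, during_verification):
    """Open once and do everything through the handle: the swap cannot change
    which inode the handle refers to.  O_NOFOLLOW rejects a link as the final
    component; path_traverses_link() covers the directory components."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        recorded = stat.S_IMODE(os.fstat(fd).st_mode)
        os.fchmod(fd, 0o600)
        during_verification()
        os.fchmod(fd, recorded)   # restored on the same file that was checked
    finally:
        os.close(fd)
    return recorded


def path_traverses_link(path):
    """Policy check for a caller-supplied path: True if any directory component
    is a symlink (the junction analogue), which a service can simply refuse."""
    cur = os.sep
    for part in os.path.abspath(path).split(os.sep)[1:]:
        cur = os.path.join(cur, part)
        if os.path.islink(cur):
            return True
    return False


def run_demo():
    """Run both variants against a fresh layout; returns (installer, target) modes."""
    results = {}
    for name, restore in (("vulnerable", vulnerable_record_restore),
                          ("hardened", hardened_record_restore)):
        root, link, target_dir, installer, target = build_layout()
        try:
            path = os.path.join(link, "PLTHub.exe")   # the path the config file would name
            results["link_in_path"] = path_traverses_link(path)
            restore(path, lambda: repoint(link, target_dir))
            results[name] = (mode_of(installer), mode_of(target))
        finally:
            shutil.rmtree(root)
    return results


if __name__ == "__main__":
    demo = run_demo()
    print("supplied path goes through a link:", demo["link_in_path"])
    for name in ("vulnerable", "hardened"):
        inst, tgt = demo[name]
        print(f"{name:10s} installer={oct(inst)} target={oct(tgt)}")
```

Run it as a script to see the before/after modes. In the by-path variant the locked-down installer is never restored and the protected binary ends up world-writable; in the handle-based variant the file identity is fixed when the check is done, so where the name resolves at use time no longer matters. A service can additionally refuse caller-supplied paths containing a reparse point (`path_traverses_link` is the POSIX analogue of that check) and should treat the enclosing directory's permissions the same way.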
Transcript [en]

So, hello everybody, my name is Reino Mostert and I work at Orange Cyberdefense, and this talk is how I found a local privilege escalation vulnerability on an enterprise laptop. So the idea was that I was on an assessment, I'm a penetration tester, and I was provided an enterprise laptop along with a normal everyday account that didn't really have any real access, and I needed to obtain local administrative access, effectively NT AUTHORITY\SYSTEM, so I could do things like disable the EDR and go and use that laptop then to hack forth into the organization. So if you've done this type of stuff before you'll know that it's often quite hard.

I looked for the telltale normal things that people look for, things like unquoted service paths and missing Windows patches and all that, but didn't really find much there. So then I started looking at the enterprise software. Okay, cool. So what I found out was there was this thing called SpokesUpdateService.exe and it was running as NT AUTHORITY\SYSTEM, so that's great. I thought maybe I could go ahead and hack this thing. It's part of Plantronics Hub, so Plantronics is a company that makes headsets; these are the enterprise headsets, you'll find them in call centers and stuff like that, and they're fairly well known now.

Plantronics Desktop Hub, which is the software that we're seeing on the screen here, is used to manage those headsets, and I tried to think maybe I can get SYSTEM access from it. So I Googled "spokes update service" to see what's what, and it shows in the results there that it's been hacked about twice before at least. So let's go back in time. The first time it was hacked was by Marcus Kell, and he really figured out how this application works, specifically the update portion of it. So there's two components that you need to be aware of: there is SpokesUpdateService.exe and

then there's PLTHub.exe. All right, so PLTHub.exe, that's what you're seeing on your screen there. This is the application that runs as an everyday normal user, and every now and then it will go out on the internet and try to find an update. If it finds an update, what it's going to do is go ahead and download the update, which can be either an MSI or an exe, into some type of temporary directory. Now remember, this is a low-privileged user running this application, so it can't really execute that update itself. So what it does instead is it writes this magical file called MajorUpgrade.config to that directory, where anybody can write that file, any user.

The idea here is that in effect within that file you're going to get a one-liner; it's kind of a proprietary format, it's a one-liner and it contains the path of that downloaded exe or MSI. Okay, and SpokesUpdateService constantly tries to open this file, constantly tries to read this file, and then effectively sees if that file exists, and if it does it will try and get that path out of it and then execute the MSI or exe as NT AUTHORITY\SYSTEM. So it's really easy to exploit this: all you do is you write your own MajorUpgrade.config and you go ahead from there. You write a path in there to a malicious binary of your choice, and SpokesUpdateService will effectively just go ahead, open up MajorUpgrade.config, read that path, execute it as NT AUTHORITY\SYSTEM, and you have SYSTEM access. So it was really easy to exploit this one in the beginning.

So Marcus Kell reported this to Poly, which is also known as Plantronics, which is also known as HP, and they acknowledged the bug and released a patch. So now we're at the second time it's been exploited; this is Red Timmy Security, and they also wanted to obtain NT AUTHORITY\SYSTEM from the same service,

but now there's a bit of a snag: it does signature verification. So that means that if the MSI or exe that MajorUpgrade.config points to isn't signed by Plantronics, SpokesUpdateService just won't launch it. And they realized this is a time-of-check time-of-use vulnerability. Okay, so a time-of-check time-of-use vulnerability, for those that don't know, is effectively, in the context of files: you have an application and that application is going to go and do some type of security check on a file, and then later, after that security check has passed, it's going to go ahead and use that file. So in this case the check is where we check the signature validation and the use is where we go ahead and then execute that MSI or exe.

Now the bit where there's a vulnerability is that generally there's a time differential between when the check occurs and when the use occurs, a bit of time between the two, and an attacker can do something, typically modify that file so that it wouldn't really have passed the security check; it's done directly after the validation, or the check, but before the use, so that it ends up using the malicious file or the modified file. In this case what they realized is that they can go ahead and provide a valid MSI that's signed by Plantronics, and you can go and download that from their website, there's a bunch of them, let it pass the signature verification, and then quickly swap it out before it gets executed. So that's the idea, where you're going to see if they can swap it out with an evil MSI just before it gets executed.

Now the timing of this is really difficult: you need to know when that signature verification is done, and in those few milliseconds before it gets executed you need to swap those files. So this is quite hard to do, and that's why they typically call it a race condition. Okay, cool. So that's a bit

of a problem, but they had read the work of James Forshaw, who by far is the MVP of my talk and pretty much everybody's talks that really work on these types of things these days. He had this great seminal talk, "A Link to the Past: Abusing Symbolic Links on Windows", and I highly recommend you guys go watch that. He did a bunch of cool things in that talk, but one of the things he talked about is how you can use opportunistic locks, or oplocks, to win these time-of-check time-of-use vulnerabilities. Okay, cool. So what is an oplock? It's this feature of Windows where any old process running as a normal user, not an admin, can go ahead and lock a file. So you can say, hey, I want to put an oplock on a file, and that will cause any other process that wants to access that file to effectively pause until you release that oplock.

So this does two things: it allows us to pause an incoming request to a file, giving us some time, some leeway, to do things, evil things like modify the file, swap out an MSI and so forth; but the second thing it does is it gives us a very good indication of timing, when we need to do things, because it's always a guess about when you want to exploit the time-of-check time-of-use. So this is really quite useful, this idea of an opportunistic lock.

Okay, so the Red Timmy guys realized that they can use this to effectively obtain SYSTEM access. So what they do is they set an opportunistic lock on msiexec; this is the actual exe that goes ahead and launches MSIs. Then they write a MajorUpgrade.config pointing towards a valid MSI signed by Plantronics, all right, and then they wait for that opportunistic lock to be triggered, when SpokesUpdateService basically has completed the signature verification and tries to start msiexec. As soon as that opportunistic lock triggers, their exploit gets a ping, a callback, and SpokesUpdateService is effectively paused, and in that time they can now do the switch, where they switch it out with an evil MSI. Now you're past the check, right; the signature verification is already done and it's now getting to the use part. You swap it out quickly and then you release the oplock. So it allows us to pause, effectively, before, swap out, and then release, and then SpokesUpdateService will continue and actually execute the evil MSI. So that's the idea here, we do a bit of a swaparoo. Okay, so this is

great news and they obtained NT AUTHORITY\SYSTEM. Okay, so now it is my turn, and I too want to obtain SYSTEM and be cool like all these guys. I had a bit of doubt that I would be able to get it right, because this is the third time that this thing has been hacked, but I started investigating it with good old Procmon and Ghidra and I reverse engineered it quite a lot, and there's a few things that have changed. You have to make sure that it's now the same product: you can't just go download a random MSI that's signed by Plantronics, it now has to be the same Plantronics Desktop Hub, what you actually have to provide is an MSI or exe for it, and the validation check makes sure that it's still, you know, it has to come from Plantronics, it has to be a newer version as well; there are other checks and balances.

But by far the most interesting thing is how they stopped that previous vulnerability where we swapped out the MSI. Effectively what they did is they went ahead and first recorded the permissions, the file permissions of the installation file and its directory, so they have this record of what's going on, what permissions are set on the installation file and its directory. They then go ahead and set new permissions, so the new permissions mean that only SYSTEM can access that file and the directory, and then they start the signature verification process. So they go through the signature verification process, but at this point we can't swap out the MSI anymore, because we can't change those files, because only SYSTEM can access them. All right, so that prevents that. After the verification fails, or, you know, either the verification will fail or the installation will complete, but in any case afterwards they will go ahead and restore the permissions. So you first record, then we set some new permissions so that only SYSTEM can access it, we do the validation and then afterwards we restore the permissions to what they were on the installation file and the directory.

Okay, so I hope you can kind of see what's going on here. The presentation is a bit difficult to read, but in the beginning you can see just the process of how this goes. There at the top, with the first box, we have where SpokesUpdateService reads MajorUpgrade.config, so that's where we've now written a MajorUpgrade.config containing a path to an installation file. Then we have in the green box, the second one here, where we can see QuerySecurityFile, so

we're querying what permissions are set on the Plantronics Hub installer, and then later you can see we do a SetSecurityFile; that's where we set the new permissions. So we first record and then we set the new permissions so that only SYSTEM can access it. All right, then just very quickly we do the same thing for the actual directory that that installation file is in, so you can see InstallFiles also gets a query and then later a set. Then in the box at the bottom you'll see that there's just a bunch of ReadFiles; this is where we're doing the signature verification, we're reading through that installation file, and this continues over here until the signature verification is done. It fails at this point, and now it's restoring it: you can see once again we have got two SetSecurityFiles, on the installer as well as the directory it's contained in.

Okay, so very quickly, I had this idea: I'm probably not going to find a way of fudging the signature checks, but I might be able to exploit this kind of logic that they have, where they first go ahead and record permissions and then later set them. Specifically, what I wanted to do is record lax permissions on one file, very permissive permissions that will allow me to overwrite that file, and then I want to swap it out so that it restores them on a different file, and this will allow me to go ahead and change the permissions of any file on the file system to what I want. This can allow you to obtain NT AUTHORITY\SYSTEM effectively by going ahead and changing a binary's permissions so that you can overwrite that binary. You pick a binary that you know is going to be executed at some point as SYSTEM, and you go overwrite that and you wait until it's executed. So that's basically how this would work. But effectively how do we do this? How do we get it

to first record permissions and then later restore them on a different file? So once again we're going to go back to the best guy ever, James Forshaw. In his talk he also talked about symbolic links. Okay, so if you don't know what a symbolic link is, it's basically a special type of file and it allows you to basically access other files or directories. So you can have a symbolic link and it points to another file or another directory. It's basically a way to provide you with the ability to access a file using a different file path, so it's a different name, but it can also be in a different directory.

James Forshaw talked about in his talk how there's a couple of different ways that you can make symbolic links in Windows. So the straightforward way is the native NTFS symbolic links, but you need to be an administrator to actually do that, so it's not very useful. There's registry key symbolic links, but that's not useful either for us in this particular context. And then there's directory junctions. Directory junctions are great: anybody can create them, a low-level user can create them effectively, but they're only between two directories. You can make a symbolic link between two directories but not between files. Okay, so they're useful, but they're not really symbolic links in the way that we would like there to be. And then there's object manager symbolic links, which allow you to create symbolic links between object directories.

So what on earth is the object manager? Within Windows you have this object manager; it basically keeps track of a bunch of resources, things that are important to Windows like files and semaphores. It's this low-level hierarchical construct, it's not part of the file system, but it can include a bunch of different resources, and the hierarchy is split up into different kind of like directories. So that's kind of useful. You can see there's a couple of different ones like RPC Control and so forth. So that's more or less the idea here, that is what the object manager is, and the symbolic link, an object manager symbolic link, is just a link between these different internal kind of object directories.

So James Forshaw in his genius figures out that you can do a couple of cool things with this. Firstly, you can go ahead and create a directory junction on your file system towards an object directory in the Windows object manager, so this allows you to access on your file system actually the object directories. It's a very weird concept, but it allows file system access. And the second thing that you can do as an unprivileged user is you can go ahead and create these symbolic links, these object manager symbolic links, to object directories, and this allows you to go ahead and create them in places like RPC Control. And the third bit of the puzzle here is that you can create object manager symbolic links to point to files. So we combine all this together and you get this idea that you can go ahead as an unprivileged user and create what we call James Forshaw style symbolic links. So the long and short of this, if it's a bit too technical, is this is a way that you can go ahead and create, as an unprivileged user, a symbolic link in Windows. All right. James wasn't done yet. He also did this thing called bait and

switch, which is the first thing that we're going to try. Effectively what James did is he thought to himself and he realized that he could probably combine his opportunistic locks along with the symbolic links to win these kind of time-of-check time-of-use vulnerabilities, especially when it relates to a file. So the idea is that typically what you're going to get with these vulnerabilities is a process that opens a file twice: first to check it and then secondly to actually use it. So the first time, okay, so we're going to give a James Forshaw style symbolic link to this application, right, but the first time we want that symbolic link to point towards what we call the bait file. The bait file is a valid file, it's going to pass the security check, and then we also set an oplock on the bait file. That means that we're going to get a ping back in our process when the actual application that we're going to exploit, or try to exploit, has accessed that bait file. This gives us that signal information, that timing information, to know now is the time to switch symlinks. So we destroy our current symlink, delete it, recreate it with the same name, but effectively at that point now pointing towards the malicious file, file number two, also called the switch.

So this is what the bait and switch is: we first provide a valid file, we set an oplock, we wait for that oplock to ping, and then we do the switch to cause it to go to a malicious file. So the first time the application opens up a file it's going to be successful, everything is going to be good, it's going to pass the security check, and then we quickly swap it out. All right, so that is the bait and switch.

Now we're going to get to our first attack. With all this in mind, we're going to go ahead and use bait and switch to try and exploit SpokesUpdateService. Our use is a bit different: we don't need to pass a check here. The first time that the application opens up our symbolic link, what's going to happen is it's going to go and record permissions. So that's what we're going to do: we're going to provide in our first symbolic link, basically make it point towards an installation directory with very permissive permissions, and directly after that we're going to wait for that oplock to trigger, we're going to swap it over, and we're going to make sure that it restores the permissions then on a target file. All right, so that's more or less the idea. Once again, what we're doing here is we're just

trying to overwrite the permissions of another file. So I'm going to skip this in the interest of time and just go ahead and show you the demo, if everything works correctly.

Okay, apologies for the resolution, can you guys see that okay? I just need to go to the beginning. Okay, here we go. Okay, so we're going to start off. This is the Plantronics Hub installer, this is our installation file, and you can see very lax permissions, everybody can overwrite this file, pretty much anybody in the world. We have an empty directory; this is where our symbolic link is going to go. You need an empty directory to use James Forshaw style symbolic links. And now we're going to open up MajorUpgrade.config and you'll see there is our effective symbolic link, so we're pointing towards the empty directory and then sim.exe; that's where our symbolic link is going to be.

Okay, we have the bait and switch application that you can just download from the internet, and we have our target, WordPad, which we're going to go look at the permissions of now, and you'll see effectively that it's really locked down: the only guys that can actually write to it is TrustedInstaller. Okay, now we're going to go have a look at Procmon; this is just going to record stuff for us, what happens, because it's a bit difficult to understand. And so you can see there I turn it on, and constantly SpokesUpdateService is trying to read MajorUpgrade.config, just constantly trying to read that. I'll clear that. Now we're going to try and run this exploit.

All right, so it's time. We type in BaitAndSwitch, we press enter. So there's a few different things here: the first is just the name of the symlink, we've already given you that, that's sim.exe in that empty directory. Target one is going to be our installation file, that's where we're getting our permissions from. Target two is going to be the actual place that we want to overwrite, where it's going to be restored on; that's going to be wordpad.exe. And then we've got our share modes; we're just going to use an exclusive lock, which means that any access will trigger the

oplock. So I'm going to go ahead and make some typing mistakes and, oh no, okay, I guess I didn't. There you go, that's basically the same syntax, so you get the idea: so the symlink, sim.exe, and then the Plantronics Hub installer and then WordPad, and an X for exclusive lock. We're going to press enter, and the first thing you're going to see is just how, I believe, the reparse point, also known as the symlink, is going to be set. Okay, now we're going to the directory, the magical directory, where we're going to go copy MajorUpgrade.config, and that's going to start SpokesUpdateService off, and as soon as we do that you'll see there we've got a ping back from an oplock saying, hey, something tried to open up our bait file, and now it's switched. So it switched from the one to the other one and now it's pointing towards wordpad.exe.

So this is very quick and it's not really a good way of explaining what's going on, so let's go look at Procmon. Initially you'll see there it's trying to read, and then successfully reads, MajorUpgrade.config; that's where SpokesUpdateService starts. Okay, next up it's going to try and access our symbolic link. The symbolic link gets parsed and now the symbolic link is the full path of the Plantronics Hub update installer, and that's the second one there. Now you can see that the actual oplock triggered, and in bait and switch we go ahead and close our oplock, allowing the security permissions of that file to be read, so that's the next one, query security permissions. But because the oplock is triggered we now switch over the symlink. So we've switched over the symlink at this point, now it points to WordPad, so it tries to do a validation on WordPad, like, basically it's recorded the permissions there of the Plantronics Hub installer and it's going to try and validate WordPad, but that's just going to fail. So here it's opening it up the second time, and you can see that now resolves to wordpad.exe. So when we get to SetSecurityFile a bit later, you'll see that it now is going to go and set the security permissions on wordpad.exe instead of restoring them on the original Plantronics Hub installer.

Okay, we're going to go ahead and then just look at wordpad.exe's permissions, and you'll see now, after all of this, that we now have the ability, and everybody has the ability, to overwrite that file; everybody now has write access to it. [Applause] All right, you guys make me feel bad for clapping now, because you don't know what's going to happen next. Yeah, in the real world... Defender... So, yeah, there's not a lot of good reasons to make James Forshaw style symbolic links; there's no real other use case for it except escalating your privileges. So EDRs and Defender and everybody else

is going to basically block this, which is a problem. And this is now kind of the crux of the talk: the new kind of technique that I've developed. Hopefully this will be useful as well; it's not a super fancy technique, but I did find that it was useful for at least bypassing EDRs. So instead of James Forshaw style symbolic links, what we're going to do is we're going to make use of directory junctions. So we're going to have a chain: we're going to have two directory junctions. Now remember what a directory junction is: it's just a symlink to a directory, it's only two directories, and any user can make them. The nice thing about directory junctions is it's native Windows functionality; it's never going to be picked up by EDR as weird.

And we're going to chain two junctions together, so it's going to be a junction to a junction to a directory. Okay, so we've got our entry junction and then our exit junction, and we're going to go ahead and switch out the exit junction. So during the signature verification process, first the exit junction is going to point to the bait directory with our normal installation file, where we get the permissions from, and then during the signature verification we're going to go ahead and swap it out so it points to the directory of our target file. So this is just another way, sort of, of switching out everything, but that's more or less the idea here. Okay, so there you can basically think of it as like a tunnel that just changes its end. It's quite useful.

Why do we need two of these, like why do we have an entry and an exit junction? If I remember correctly, the directory also gets locked down, so if we provide our symlink, or the path of a symlink, with our entry junction, effectively what's going to happen is SpokesUpdateService will set SYSTEM permissions on the entry junction, so we won't be able to delete that one, but the exit junction is going to remain unaffected. So that's why we have two of them: the first junction is really just there to soak up those permission changes.

Okay, the problem that you typically run into with doing this approach is that directory junctions are only two directories; you don't have that file information, file name information. So how do we control that? Well, we just go ahead and rename our installation file. Remember, we provide our installation file in MajorUpgrade.config, so we can rename it to be something like, for instance, wordpad.exe. In the beginning, when our exit junction points towards our bait directory, it's going to be able to access it, because we've renamed our installation file to the target, and when we do this switch as well later on, when the directory points towards that target file, it's all going to work out well. So this is just a way to basically control that file information.

Now this is all cool and well, and we've been talking for a while, but so far we've only changed permissions of files. And so how do we actually get SYSTEM? Like I mentioned before, if you can overwrite the permissions of any old file on a system, you can just do it to a particular application

that you know will be executed as SYSTEM, and Windows is full of them. So you overwrite the permissions of an application that will later be called as SYSTEM and then you go ahead and overwrite it with a malicious binary. However, I didn't really want to do this, because it may cause some instability in the system. I was reverse engineering SpokesUpdateService when I realized there's a condition that will get SpokesUpdateService to go ahead and call PLTHub as SYSTEM. So that's more or less the idea here, and that's what we're going to try and do. We are going to create this magical file called ScheduledUpdates.json, and once we do that it will cause SpokesUpdateService to go ahead and launch PLTHub.exe as NT AUTHORITY\SYSTEM. The idea here then is that we're going to first overwrite PLTHub.exe with a malicious binary. So this is more or less how that format looks; it was quite hard to figure that format out.

But this is now our full attack: we're first going to go ahead and change the permissions of PLTHub.exe with our directory junction chaining attack, then we're going to overwrite PLTHub.exe with a malicious binary of our choice, and then we're going to invoke it, basically as SYSTEM, by writing ScheduledUpdates.json to start it off. Okay, and now it's time for the second demo.

Okay, so here we go. We once again have Plantronics Hub installed, and we're going to look at the permissions. Now remember, this is PLTHub.exe, this is our target. When we go look at it you'll see the permissions once again; it is very locked down, users can't write to it. So we want to be able to change it so that we can overwrite it. So here we're going to go ahead now and look at our installation file; once again, very lax permissions on our installation file, everybody can overwrite it. That's where our information comes from. And now we have our exploit, which I wrote,

and then we have a payload. Now the payload here is a very simple payload; it's just going to create a new admin. So now I'm going to show you just that there's nothing under the hood. I'm going to run net user to show you that there's no admin called "newadmin", so you can see there's just Administrator and User there, and that's basically what's going to happen at the end of this presentation: we're going to see a new user pop up.

Okay, so this is our exploit. It's going to take a couple of things in: firstly, the path to our installation directory, so you can see there, and then secondly the path to our payload, and then a small sleep duration, which I just found useful to make sure that everything is good. It's not really recommended; I think we sleep for like 500 milliseconds, so it's not that hard. Okay, so we ran it and now we're going to do a couple of things, just explaining what happened. We first created a directory called symlink one, and then symlink two, and then a bait directory. Then we made a junction from symlink one to symlink two, and then from symlink two towards bait. So this is our directory chain here; they all kind of point now to each other in a nice chain. And then we copy over the installation file; we're going to give it a new name now, we're going to rename it to PLTHub.exe, into the bait directory.

So now I'm just going to visually show you once again how all this looks. First I'm going to go ahead and show it to you in CMD, just to make sure everybody gets it. There we have symlink one, and symlink one is pointing to symlink two, so directory junction one, our entry junction, is pointing to symlink two, and then symlink two, which is our exit junction, is pointing towards the bait directory; that's where our valid file is. And if we go now to symlink one you can physically see PLTHub.exe there; that is our installation file. It's also in the bait directory and it's also in symlink two, so we're all just forming a chain at the moment.

Okay, next up we created an opportunistic lock, so we're going to go and look at that now, so that whenever somebody tries to change the permissions of symlink one, which we know our process will do, it's going to give us a ping back, and that will be our trigger to know we need to switch over, effectively, the exit junction so that it now points towards the target directory. We then go ahead and invoke all of this by writing our MajorUpgrade.config, and we are using symlink one\PLTHub.exe; that is the kind of like destination. And there we see we got our ping back, it says, hey, the oplock is triggered, and we're just waiting for me to press enter here and to start with the actual

chain all right this is once again just a a proon view of of what actually is happening you can see there we we create our um directory Junction Sim link one and Sim link two and then you can see there um we just copying over the exploit is just copying over Plantronics Hub installer now calling it PTL Hub inside the beta directory that's just a copy it takes a while then we go ahead and write um major upgrade. config and you can see then directly after that um spokes update server starts and it reads major upgraded config and it's going to try and query the security permissions of our bait file and then it's going to set you know

permissions on vbit file so it's now restricted so we've recorded it we've restricted it and now it's trying to restrict the directory and other way that's when our uplock triggers okay directly after that we're now going to press enter that's going to release the uplock and the rest of the exploit is going to go

ahead okay cool um so very quickly it says it's waiting for that installation validation process to start now because we've released the oplock and then we've swapped out the directory chain in the middle of this validation process you'll see we're just swapping out it so that it points to a another place so here is the validation process just really starting off you can see that we've released the uplock and now um it's just starting with the validation process that's all the read files there and in the middle of all of this is our exploit changing that um symbolic link you can see that we delete a repass point which is our directly Junction and then we recreate

so we're deleting that ex Junction recreating it so it now points towards our um Target directory and that means when later it tries to restore the prions it's not going to restore it on the installation file it's actually going to go ahead head and restore it on PTL hub. exe which we'll see in a

second so it just finishes the signature verification that fails and now it restores it you can see the querium then the set um and now it's setting on PTL hub. exe which means we've successfully kind of overwritten you know um those

permissions yeah um here we go and you can see yay everything is now writable so now our user can overr it now we're going to go back and um overwrite PT hub. exe with um a malicious binary of our choice um this is our payload which is going to go and create a new user and there we say we just press enter um so what's going to happen here we're going to do two things we're going to override pil hub. exe with malicious binary that's going to create a new user and directly afterwards we're going to write scheduled updates tojson which going to start PTL Hub um as

system okay um so it's done it and now we're just waiting for scheduled updates to effectively um be read so this is going to take a few seconds but you can see there we've written um basically override read payload we overrided there to PTL hub. exe and there we go ahead and write scheduled updates so now we're just waiting a few seconds for scheduled updates to go ahead and Trigger um sometimes it takes 2 minutes but in this this case it will take a few

seconds

yeah there you go so it is um effectively read by spokes update service and there you can see the creation of a new process for PTL Hub as into Authority system meaning that our payload has now been executed um so now we're going to go ahead and just look to see if there is a new user and we type in net user as before you'll see there's now a new admin and if we type in that local group administrators you'll see that he is part of the administrators [Applause] group y um so I disclosed this to um Plantronics and HP it was a slightly painful process um but uh long and short is it that they have released a pack p

and they acknowledged it relas the patch um they haven't made it public yet um we've given them sort of um indication that we will be talking about it today and we released a temporary cve for it but um they are going to uh publicly you know disclose it with us it is agreed upon so we're not just dropping zero days here um but it's most importantly it is patched okay um so takeaways um last slide effectively symbolic links are great um if you really want to get into all this stuff go and watch the talks of James for show and a bunch of other talks it came up after him it talks about how you can kind of exploit this

the problem these days that we have however is James for sure style symbolic links are getting picked up by edrs and Defenders and stuff like that and in some cases you might be able to use my directory chain technique um to buy pass this it depends on effectively how it works um your particular application you want to exploit but chaining two directories together just using directory Junctions might be your solution and it's unlikely that's ever going to you know trigger and an EDR anything like that because it is just native Windows functionality okay cool um opportunistic locks are great for making sure that you get some timing information as well as allowing you to pause an incoming application and so

that you can do some malicious activities and that's more or less the main takeaways here um one last thing is that you can keep in mind that um know file permission changes actually affect the Junctions and not the directly that the junction points towards and took me a while to realize but the the actual um Junctions themselves can soak up permission changes for you and that's more as it and thanks for listening and I hope you enjoyed [Applause] it
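As an added, defensive example (this is not code from the talk, nor from Plantronics or HP), the following PowerShell script audits an application's install tree for the two conditions the demo depended on: installer or binary files that low-privileged principals can write to, and reparse points (junctions) sitting on the path, which, as the last takeaway notes, absorb ACL changes themselves rather than passing them to their target. The install path is a placeholder, and the principal list and extension list are my assumptions; adjust both for the software you are reviewing. It assumes Windows PowerShell 5.1 or later and runs with whatever rights the caller has.

```powershell
# Added audit example, not part of the talk. Assumes Windows PowerShell 5.1+.
param(
    # PLACEHOLDER: point this at the real install directory you want to audit.
    [string]$InstallDir = 'C:\Program Files\ExampleVendor\ExampleApp'
)

# Principals a low-privileged interactive user can act as (assumed list).
# An Allow ACE granting write-type rights to any of these on an installer,
# binary or config file means an unprivileged user can swap its contents.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal change the file's content, ACL or owner.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# File types worth flagging (assumed list): things an updater executes or trusts.
$InterestingExtensions = @('.exe', '.msi', '.dll', '.config', '.json')

function Test-LowPrivWritable {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-AuditItems {
    # Manual walk instead of Get-ChildItem -Recurse: we must not descend into
    # reparse points, both to avoid junction loops and because their contents
    # belong to the target directory, not to the tree being audited.
    param([string]$Dir)
    foreach ($item in Get-ChildItem -LiteralPath $Dir -Force) {
        $item
        $isReparse = ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
        if ($item.PSIsContainer -and -not $isReparse) {
            Get-AuditItems -Dir $item.FullName
        }
    }
}

Get-AuditItems -Dir $InstallDir | ForEach-Object {
    $item = $_

    # Finding 1: a reparse point inside the install tree. A junction here can
    # be retargeted at any time, and Get-Acl/Set-Acl on it act on the junction
    # object itself, not on whatever it currently points to.
    if (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
        [pscustomobject]@{
            Finding = 'ReparsePoint'
            Path    = $item.FullName
            Detail  = "$($item.LinkType) -> $($item.Target -join ', ')"
        }
    }

    # Finding 2: installer/binary/config content writable by low-privileged
    # principals, which is the root condition the demo started from.
    if (-not $item.PSIsContainer -and $InterestingExtensions -contains $item.Extension) {
        if (Test-LowPrivWritable -Path $item.FullName) {
            [pscustomobject]@{
                Finding = 'LowPrivWritable'
                Path    = $item.FullName
                Detail  = (Get-Acl -LiteralPath $item.FullName).AccessToString
            }
        }
    }
}
```

Run it against the install directory and any staging directory an updater reads from; pipe the output to Format-Table or Export-Csv. A LowPrivWritable hit on an installer or a file the service later launches is the finding to fix (tighten the ACL so only Administrators and SYSTEM can write), and any ReparsePoint hit inside a tree a SYSTEM service trusts deserves a look, since an ACL the service believes it set on a file may in fact have landed on a junction.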