
All right, welcome back everybody. Sorry, ooh, I love to see everybody mingling and talking, that's exactly why we're here. So we're also here for this, we're here for so many things. So, we go, Dave? Yes, I'm learning, and we're gonna learn now from Beth about privilege escalation with Procmon. Take it away, Butler.

Yeah, I'm going to talk about finding privilege escalation with Process Monitor. Just quickly talking about myself: I'm a pen tester, I work here in Oslo, and honestly I'm too young to understand why Windows does anything of what it does. Like loading a DLL from the current working directory, that sounds reasonable to me, and who would even need a folder called aux? I don't know. So I've got a Twitter and I've got a blog, like most people here, so let's just get started.

So first of all, how many of you have heard of Process Monitor before? It's quite a lot, all right. I hope I'm gonna teach you something new here. I'm gonna go through what it is anyway, for those who haven't used it or aren't familiar with it. It's basically a monitoring tool for monitoring calls to, monitoring accesses and API events regarding the registry, files, network, process lifetime and profiling. I'm mostly going to talk about the file events, because the registry part, it's not easy to find vulnerabilities using Process Monitor on the registry. We're gonna talk a bit about another program that can be used for that.

Anyhow, this is how it looks when you start it: you've got the name of the process doing the event, and then you've got the operation of the event. It's important to note that it says CreateFile here; what it means is create a file handle to a file. So that might be a file, most of the time I see this is for files that already exist, so it's creating a file handle to write to the file or read it or write attributes or whatever you need a file handle for to do something with a file. Then you've got the path. This will always be the absolute path to the file on the file system, so it will never be a relative path. And then we've got the result of the event, whether it was a successful event or, as in this case, it says NAME NOT FOUND. So here vmtoolsd tried to create a file, the file was not found, and so it says NAME NOT FOUND. So in this case vmtoolsd expected the file to exist already, and that's why it says CreateFile and NAME NOT FOUND, which could make no sense at all, but it's the create file handle, so it might also create a file. But you can go into the details of the event and you'll see what kind of access it wants, whether it wants to create the file or just read it.

Yeah, these are some convenience filters for filtering out other types of events like registry, network, process lifetime, profiling, etc. I wouldn't use this for seeing most of the networking things, because you'd use Wireshark or some similar tool instead, and process lifetime we don't really care about too much, because it's pretty obvious when a process is changing or restarting or whatever. You can go into the details of these events and you'll see more details about the explicit operation, so in this case you'll see what kind of access it wants and the other options that you might have for it. There's a process tab for looking at the process that sparked the event, seeing the loaded DLLs and other convenient information you have. And then there's this: you can even see the stack trace leading up to that event. For those not familiar with a stack trace, it's basically what kind of functions you went through in a program to get to that event, that led up to that event. So it goes all the way through to actually the kernel stuff going on there. It's very useful to have in some cases.

You can also do boot logging with Process Monitor. It's very helpful for logging every event from the start of a machine, and it's very convenient if you don't know exactly what kind of service you're looking for, so you can always see all the services instead of having to restart all the services. I would consider disabling antivirus scanning for getting some smaller log files, because AV has a tendency to scan all the files on your system, which creates quite big log files.

Yeah, so what are we looking for in these kinds of logs? Well, we're looking for stuff like this where it's PATH NOT FOUND, and you can see that this is some program that is trying to open C:\OpenSSL\openssl.cnf. The PATH NOT FOUND here means that the path it tried to open does not exist, while NAME NOT FOUND means that the path existed but the file did not exist in the path. So we can create that directory. At C:\, normal users have access to create directories in the C:\ root, but they can't create files in the C:\ root. And we're looking for stuff like this: there's a NAME NOT FOUND for a DLL in this case. We're looking for stuff where a program is inadvertently trying to do something and something else happens, right, because the developer did not mean to look for "System Interrupts.dll" and "System.dll". In this case the developer actually tried to look for "System Interrupts" without .dll, and the space makes this turn into "System Interrupts.dll" and "System.dll" for some reason in Windows already. And it indicates that you can somehow, maybe, influence the program to take a different path or a different DLL, or they're actually looking for a DLL in a folder you control.

All right, we're looking for stuff like this: SetSecurityFile. I'm gonna go more into how you use this, but very recently this has been able to be abused. There's actually a pretty recent privilege escalation vulnerability in Windows where SetSecurityFile was being abused by an attacker. This is an unquoted service path, it's an example of that and how you would see that in Process Monitor. There are simpler ways to find unquoted service path vulnerabilities, but this is how you recognize it in Process Monitor. I think it's helpful to recognize it if you see it in passing; you might not always be looking for these kinds of vulnerabilities. And this is a case of DLL search order hijacking, where it's trying to open a DLL from the current working directory. I'm gonna go more into the details of these things, I'm just showing you now before we get to them. These might not always be privilege escalation cases, but they mean you can probably exploit this in a different kind of sense, either send someone a malicious payload or whatever.

So let's go into these paths and files, PATH NOT FOUND and NAME NOT FOUND. If we find these in a... oh, it's important to note by the way that we're looking for behavior from a program running as SYSTEM, so if we can influence these programs running as SYSTEM then we might find a way to exploit this. Most of the time, if you find PATH NOT FOUND and NAME NOT FOUND that's not on purpose, that means you can somehow influence that program. And if these PATH NOT FOUND and NAME NOT FOUND are in a user writable folder, then we're into this kind of exploiting. The exploit will depend on what kind of file type you're finding, or what it's expecting, and what kind of program is running the code. Not always will this be exploitable, of course.

So here's some examples. In the OpenSSL config file case, if we find this and we can create an OpenSSL config file, then we should also be able to make that config file run an external program that will run in the context of the program executing the configuration file, so we will be running as SYSTEM as well, most likely. Oh whoops, skipped one there, hold up. All right, here we go. There's also a vulnerability in CrashPlan from 2018 where they tried to load Java class files from ProgramData, and it turned out you can create that path there, because in ProgramData users can create their own folders and files by default, so if the program doesn't change that then any user can create files in that folder. And so a user could create this path, the package directories and the class itself, and you can actually execute Java code as the SYSTEM user.

All right, this is an interesting one, this SetSecurityFile. This can lead to a permission overwrite where we can overwrite permissions on any file on the system, in many cases. I don't know if you're familiar with TrustedInstaller in Windows, but it's got some different permissions than SYSTEM, and sometimes only TrustedInstaller will have the permissions to do something with a file, and maybe you can't change that file even if you have the SYSTEM user. But in most cases you'll find a way to use a permission overwrite to get a privilege escalation anyway, you can write to any other file. And if a system doesn't have any other software installed than just Windows, then maybe you shouldn't compromise that system, I mean, what's the deal there?

So I'm gonna show here, this is a case of Check Point's Endpoint VPN where it had a permission overwrite vulnerability. So you've got this folder called Internet Logs in the Windows folder, where the permissions for Authenticated Users are: you could create files, and you could write to files and rename files. It doesn't say explicitly in Windows, it says so in the special permissions, but I assure you you could write files there. See, a user-created file, and Check Point did SetSecurityFile on that file, it just did it on every file in that folder for some reason, and it gave these permissions: full control over the whole file. Now it's not that interesting to just get full control over a file that you created, I mean, you could do that anyway, right? But as it turns out, you can create hard links on Windows to different files on the system. Now for those not familiar with hard links, they're basically additional names for a file, but in simpler terms think of it as a link to a file, and anything you do to that link will propagate to the original file. If you change permissions on the link, it changes the permissions on the file as well; if you change the content of the link, you change the content of the file. Windows' default command-line tool for making a hard link, mklink, does not give you access to make a hard link to a file you don't have write access to. But as it turns out, if you go deep into the Windows APIs you can still do this, and you can still create a hard link to a file you don't have write access to, as long as you're not sandboxed. James Forshaw from... oh man, I forgot the next slide. There we go. James Forshaw from Google's Project Zero, he figured out that the ZwSetInformationFile API in Windows that CreateHardLinkW uses doesn't enforce the write access check. So if you implement your own create hard link API using ZwSetInformationFile, then you don't have to enforce that check, so you can create a hard link to any file on the system. And so in the case of Check Point doing SetSecurityFile and giving full control of that file, you can make yourself get full control over any file on the system that is not owned by TrustedInstaller. Did you get it? Great. Oh yeah, okay, so a hard link is... no, so...

These unquoted service paths. I'm gonna go into this in case some of you haven't heard of it or aren't really familiar with what it does. But the unquoted service path is basically a vulnerability that arises when you have a space in the path to a service executable and you haven't quoted the executable path. So I've got two different services here, one with quotes and one without, and it looks like this. It's the same kind of staircase result you saw in the slides before, and Windows is trying to open all the... it's trying to open .exe files for all the paths that end in spaces, in a way. I mean, you see it here. And what it is, is that it's ambiguous to Windows what you really wanted to have as the executable path and what you wanted to have as the argument to that executable. So if we create this C:\Custom Services\Permission.exe and we look at the Process Create event for that, you'll see that Windows is trying to open "C:\Custom Services\Permission", it even puts the quotes around it, and then it passes Checker\PerChecker.exe as an argument. And that's where the unquoted service path vulnerability comes from, and if that process is running as SYSTEM, you get SYSTEM as well. It's useful to know just how it looks there in Process Monitor. It's fixed... I mean, it's not... you have to fix it yourself, right? What I'm showing here is an example, so the vendors have to fix it. It's not a thing Windows can fix, because of backwards compatibility, and we know how Windows likes backwards compatibility, right?

So this is a case of DLL search order hijacking. We have a folder called Some Documents, and in it a document called important.rtf, it's very important, I assure you, and when you open it in WordPad, WordPad for some reason looks for MAPI32.dll. It says NAME NOT FOUND because it wasn't there. So if you put in your own DLL there, maybe with some kind of malicious payload, then you would execute your own code in the context of the user who opened WordPad. Now to be honest, this isn't actually a vulnerability. This is a case where WordPad is looking for that file in the DLL search order to enable the send email function. So it enables the send email function if it finds this DLL, and when you click it, it loads the DLL, but it actually loads it from System32. But this is how it would look if it were vulnerable; it would look exactly the same.

All right, so some configuration for Process Monitor. You need to have a local admin account to run Process Monitor and see all these kinds of things. This is not something you would run on a compromised system to find a privilege escalation; it's something you would do beforehand, or for bug hunting, when trying to find vulnerabilities. There's not much more configuration you need to do, there's no installation, it's pretty simple. It uses some kind of file system minifilter that it just loads on the first start of the program.

So some of the useful filters that I found are these. The top left one is for PATH NOT FOUND and NAME NOT FOUND and the user is SYSTEM. I normally do "User contains SYSTEM", because otherwise you have to do "User is NT AUTHORITY\SYSTEM", and for localized systems you might not know the exact wording of NT AUTHORITY, because NT AUTHORITY gets localized. And then you want to filter out those paths that are not user writable, like Windows. Normally you don't have write access to Program Files, you normally don't have write access to... and you want to exclude any path that does not contain C:\, because otherwise you'll see these physical \\.\ paths that I don't really want to go into. And then I would also just exclude any path beginning with ProgramData\Microsoft, because you normally don't have write access there either. If you don't find anything with a filter, you take away some of them and you look at the accesses. It's kind of... you have to explore it a bit.

Then there's the NAME INVALID filter on the top right. It's pretty useful, because it means that somehow the programmer got the path wrong when they did CreateFile, and they put in a colon or did something that Windows didn't like for the path, and that probably means that you have some kind of way to influence what kind of path Windows, or the program, is trying. So they're useful, not for exploiting that in particular, but for seeing that there's a bug, and maybe there's something around that you can exploit or have a look at that's interesting. And then there's the SetSecurityFile filter, which is pretty useful: just do Operation is SetSecurityFile and User contains SYSTEM. There's not a lot of these operations going on, so you won't get bombarded with results there, but you'll find some in between, here and there.

So what you notice here is that I'm doing Result is PATH NOT FOUND and Result is NAME NOT FOUND. When you put in two of these on the same column and with the same relation, then that means an OR. So this is Result is PATH NOT FOUND or Result is NAME NOT FOUND. But if it's a different one, just User contains, then it's exclusive, so it's Result is PATH NOT FOUND or Result is NAME NOT FOUND, and User contains SYSTEM. It's nice to just notice: you can't really customize the AND/OR filtering in these filters, so it's just nice to remember how that works.

You can export this to other tools. You can export to CSV and XML, so importing it into Excel works pretty well. I would recommend, if you export to XML, don't include the stack traces unless you really, really need them. A 300 MB Procmon log file will turn into an 11 GB XML file if you export it with stack traces, so consider if you really need that.

All right, let's go over to some exploration that I did the other day in Process Monitor. I haven't gone too much into how this works, and I'm censoring the name of the program because I don't know if this is a vulnerability or if it's just something. But we'll have a look here. So we see this: I filtered for NAME NOT FOUND, I filtered for PATH NOT FOUND, and the user is SYSTEM, and I found these. So the first three are fine, they're ProgramData and whatever, but these on the bottom say "Program%20Files". What is it doing? Why is it trying to URL encode a path before it passes it to CreateFile? Well, I don't know exactly why it does that, but it's fine for me, because I can create this folder. I can create Program%20Files, because Windows doesn't care about your own URL encoding. So we do that, and I assume that the last part, catalog, is a folder, because you can do a create file handle on a folder, that's totally reasonable. So I create this as a folder, I have this whole path there, and then we... apparently... all right, my boxes have moved, so the censoring doesn't work properly. All right, we put a filter on the Program%20Files path, so we look only for operations going on in the path Program%20Files, and we see this. So we've got Program%20Files, etc., catalog and SUCCESS at the top, but in the highlighted one here we see the result IS DIRECTORY. So this means that the program expected the result to be a file, not a directory. Now we have a problem, because this file here doesn't have a file extension, so how do I know what kind of file this is? How do I know how to exploit this if there's a vulnerability, how do we even find a vulnerability right now?

What's nice about Process Monitor is that it's got this stack trace. So we look at the stack trace here, and we see that it does some libxml and xmlFileOpen, so obviously this is some kind of XML file, right? Now you have to find out what kind of XML file you need to create and how you would do that, but it's most likely some kind of configuration file for this program, and you'll just have to figure out what kind of XML file it expects. You either go into reverse engineering that executable, or you find... now, you can find XML template files in the Program Files folder for that program. So there are different ways of finding this, but you find your entry points. And obviously this file isn't meant to be editable, because they expected it to be in Program Files, so you shouldn't be able to write that file in the beginning. So most likely this configuration file is somewhere that you can create your exploit, or abuse it somehow.

All right, I want to actually look at this. This is an actual zero day. It's still a zero day because it was released haphazardly by some researcher on Tuesday, I think, so it's a publicly available zero day. I'm gonna show you how I would find this, like if you were exploring Task Scheduler, how would you find this yourself. So first of all you just put in the filters like so. Let's say we wanted to do a SetSecurity, we want to find a permission overwrite here, so we put in the filter for Operation is SetSecurityFile and User contains SYSTEM. All right, let's go ahead and we'll just create a new task. We'll explore Task Scheduler like you would in normal conditions. Let's create an action, cmd... I know that I could have just written cmd.exe, I didn't think of that when I made the demo. All right, so we see it does SetSecurityFile on System32\Tasks\testing. testing is the name that we had for our task. So there's something going on here that's interesting. So what happens if we create this file first, if we create a file in Tasks before we create the task in Task Scheduler? So I'll create a file in my home folder just called hardlinktest.txt, and I'll actually make a hard link from Tasks to the file in my home folder. I'll just do that with mklink, because I just want the proof of concept in the beginning. I don't need to know if I can write to any other files in the system; if I can just get some kind of write access to that file in my home directory, that's enough for me to know that there's a vulnerability here.

So all right, we created the file. Let's just look at the file that we created to see that it's what we expect. Well, not that... there we go. All right, it's got the full permissions we would expect from a file that we created, it's our file, so that's fine. Let's look at the content of the file. It's the content that we echoed, right, the test. Yeah, that's fine. All right, let's create a task called hardlinktest and see what happens. Now look at me write out the full path to cmd, .exe.exe again, oh that's great. All right, there we go. It did SetSecurityFile on the hardlinktest. Let's look at the security permissions. All right, something happened: suddenly the user has access to this file, it didn't before, and SYSTEM has special permissions, it didn't have that before. Let's look at the content of the file. All right, that's a task, that's the XML for a task. So that's kind of weird. So apparently Windows decided that if the file exists already, it didn't delete the file, it just overwrote it and set the security permissions on it. So here we've got a vulnerability where we can do a permission overwrite and we can change the contents of any file on the system. This is a publicly disclosed vulnerability already, I'm not showing you anything new here, just, by the way.

All right, and that's kind of it for Process Monitor, but I have some... oh yeah, I'm just moving away the cursor, that's nice. All right, I have some words about hunting in the registry. If you want to do that, you can. I haven't seen any potential for abuse in the registry, but if you wanted to check this, I would include system users with User contains SYSTEM, and Event Class is Registry for just the registry, and exclude paths beginning with HKLM and HKCU. You normally don't have write access there, in HKLM at least, so it's not worth really looking for that. In most cases it's too much of a hassle to look at all of the HKLM accesses, because there's a lot. HKCU for SYSTEM would be SYSTEM's, so you shouldn't have write access there either, so there's no point having it there. But actually what I would do, I would use a different program from Sysinternals to check out the registry, it's called AccessEnum. It can actually recursively check the accesses for a key in the system, so you can go through HKEY_LOCAL_MACHINE and check the accesses for every user on the system, and you can see if a user or Everyone has access there. You can save this, it's a tab-separated values, CSV kind of thing, and import it into Excel, Excel on a Mac because Macs are superior apparently, and filter here by rights and do "contains Everyone" or "contains Users", and you will find everything that you have write access to. And that could be potentially interesting. In Microsoft cases... I didn't have any software installed here, so in Microsoft cases this is most likely just normal things that you're supposed to have write access to, but if you see any other programs on your machine where you have write access, that could be potentially something for abuse. It's nice to look in. I haven't done much of this, but it's an area you can go into.

All right, that's it for me, thank you. Any questions for Beth about finding local privilege escalation with Procmon, or anything about any of these vulnerabilities we saw just now?

So I have a question. Okay, so you know, you do a lot of research on privilege escalation on Windows, but is Windows getting any better from version to version? Like, if comparing XP versus Windows 10, for example?

Oh yeah, definitely. I mean, there's things like the DLL search order hijacking, I think by default in Windows 10 it now defaults to different kinds of permissions or different kinds of search paths. It's a hardened DLL search order, in a way. I think that's by default, it was in my testing. But yeah, there are these kinds of things that Windows are doing. You can revert them in the registry if it breaks compatibility, but mostly I would say, yeah, it's getting a lot better.

I mean, yeah, I didn't catch the software of the currently exploitable zero day that you are not irresponsibly disclosing, but someone else has already done. What do you care?

Oh yeah, yeah, it's Task Scheduler in Windows. So it's... yeah.

Okay, it's called Windows, got it. It's called... yeah, thanks for clearing that up.

Does anybody else have any questions about research, Procmon, registry? UAC isn't a security boundary, so no. All right, no more questions, then we have a bit of a longer break.
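The filter set the speaker describes (PATH NOT FOUND or NAME NOT FOUND, User contains SYSTEM, drop non-C:\ paths and the system-owned trees, plus the NAME INVALID and SetSecurityFile filters) can be applied offline to a CSV export of the log. The script below is an added example, not code from the talk. It assumes the log was saved with File > Save as CSV after enabling the "User" column under Options > Select Columns, so the header carries a User field; the rows in it are constructed to mirror the talk's cases (the vendor's "Program%20Files" path, the "2019-01-01 10:00:00.log" colon bug, the Tasks\testing SetSecurityFile) and are not a real capture.

```python
"""Triage a Process Monitor CSV export with the filters from the talk.

Added example, not code from the talk. Assumes a Procmon CSV export that
includes the "User" column. PROCMON_CSV is constructed sample data.
"""
import csv
import io
import re

PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","User"
"10:00:01.0","vmtoolsd.exe","1234","CreateFile","C:\Program Files\VMware\VMware Tools\tools.conf","NAME NOT FOUND","Desired Access: Generic Read","NT AUTHORITY\SYSTEM"
"10:00:01.1","vendorsvc.exe","2345","CreateFile","C:\OpenSSL\openssl.cnf","PATH NOT FOUND","Desired Access: Generic Read","NT AUTHORITY\SYSTEM"
"10:00:01.2","vendorsvc.exe","2345","CreateFile","C:\Program%20Files\Vendor\catalog","PATH NOT FOUND","Desired Access: Generic Read","NT AUTHORITY\SYSTEM"
"10:00:01.3","vendorsvc.exe","2345","CreateFile","C:\ProgramData\Vendor\agent.xml","NAME NOT FOUND","Desired Access: Generic Read","NT AUTHORITY\SYSTEM"
"10:00:01.4","svchost.exe","900","CreateFile","C:\Windows\System32\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes","NT AUTHORITY\SYSTEM"
"10:00:01.5","svchost.exe","900","CreateFile","C:\ProgramData\Microsoft\Windows\foo.dat","NAME NOT FOUND","Desired Access: Generic Read","NT AUTHORITY\SYSTEM"
"10:00:01.6","vendorsvc.exe","2345","CreateFile","\\.\pipe\vendor","NAME NOT FOUND","Desired Access: Generic Read","NT AUTHORITY\SYSTEM"
"10:00:01.7","notepad.exe","4321","CreateFile","C:\Users\alice\missing.txt","NAME NOT FOUND","Desired Access: Generic Read","DESKTOP-1\alice"
"10:00:01.8","svchost.exe","900","SetSecurityFile","C:\Windows\System32\Tasks\testing","SUCCESS","Information: DACL","NT AUTHORITY\SYSTEM"
"10:00:01.9","vendorsvc.exe","2345","CreateFile","C:\Vendor\logs\2019-01-01 10:00:00.log","NAME INVALID","Desired Access: Generic Write","NT AUTHORITY\SYSTEM"
'''

# Trees a normal user cannot write to; "C:\Program Files" also covers "(x86)".
NOT_WRITABLE_PREFIXES = (r"C:\Windows", r"C:\Program Files", r"C:\ProgramData\Microsoft")
MISSING = ("PATH NOT FOUND", "NAME NOT FOUND")


def parse_procmon_csv(text):
    """Rows of a Procmon CSV export as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def runs_as_system(row):
    # "contains SYSTEM" instead of "is NT AUTHORITY\SYSTEM": the authority
    # name is localized, the account name is not.
    return "SYSTEM" in row["User"].upper()


def in_user_writable_area(path):
    # Drop \\.\ device and pipe paths, then the system-owned trees. Note that
    # C:\Program%20Files passes: it is a different directory a user can create.
    if "C:\\" not in path:
        return False
    return not path.lower().startswith(tuple(p.lower() for p in NOT_WRITABLE_PREFIXES))


def triage(rows):
    """Bucket rows into the four things the talk hunts for."""
    hits = {"missing_in_writable": [], "url_encoded": [], "name_invalid": [],
            "set_security_by_system": []}
    for r in rows:
        path = r["Path"]
        if r["Result"] in MISSING and runs_as_system(r) and in_user_writable_area(path):
            hits["missing_in_writable"].append(path)
        if re.search(r"%[0-9A-Fa-f]{2}", path):        # program URL-encoded a path
            hits["url_encoded"].append(path)
        if r["Result"] == "NAME INVALID":               # programmer built a bad path
            hits["name_invalid"].append(path)
        if r["Operation"] == "SetSecurityFile" and runs_as_system(r):
            hits["set_security_by_system"].append(path)
    return hits


if __name__ == "__main__":
    for bucket, paths in triage(parse_procmon_csv(PROCMON_CSV)).items():
        print(bucket)
        for p in paths:
            print("   ", p)
```

Run against a real export, the interesting part is what survives `in_user_writable_area`: a path under a directory that does not exist yet but that an unprivileged user can create is exactly the speaker's OpenSSL and Program%20Files cases, and the `set_security_by_system` bucket is what turns into a permission overwrite once a hard link is placed at that path.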
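The "staircase" of CreateFile probes the speaker shows for an unquoted service path can be reproduced offline from the ImagePath string alone. The script below is an added example, not code from the talk. It lists the executables CreateProcess tries, in order, for each service and marks the probes whose parent directory a normal user can write to; the service entries and the writable-directory list are constructed for the example (on a real machine the ImagePath values come from HKLM\SYSTEM\CurrentControlSet\Services and the writable list from icacls or AccessEnum). The talk's "C:\Custom Services\Permission Checker\PerChecker.exe" service is included as written.

```python
"""Enumerate what Windows would try to start for an unquoted service path.

Added example, not code from the talk. SERVICES and USER_WRITABLE_DIRS are
constructed inputs for the example.
"""
import ntpath

# Constructed ImagePath values as they would appear under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath
SERVICES = {
    "PermissionChecker": r"C:\Custom Services\Permission Checker\PerChecker.exe",
    "VendorAgent": r"C:\Program Files\Vendor Tools\agent.exe -k service",
    "QuotedSvc": r'"C:\Custom Services\Quoted Service\svc.exe" -k service',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
}

# Directories a normal user can create files in (assumed for the example).
# C:\ itself is deliberately absent: users may create folders there, not files.
USER_WRITABLE_DIRS = [r"C:\Custom Services", r"C:\Users\Public"]


def probe_paths(image_path):
    """Executable paths CreateProcess tries, in order, for this ImagePath.

    A quoted path is unambiguous. An unquoted one is cut at every space
    (and at the end) and ".exe" is appended to each prefix. Windows stops
    at the first file that exists; offline we cannot check that, so we stop
    at the first prefix that already ends in ".exe" and treat it as the
    real binary, with the remainder of the string as its arguments.
    """
    cmd = image_path.strip()
    if cmd.startswith('"'):
        return [cmd[1:cmd.index('"', 1)]]
    probes = []
    cut_points = [i for i, ch in enumerate(cmd) if ch == " "] + [len(cmd)]
    for i in cut_points:
        head = cmd[:i]
        if head.lower().endswith(".exe"):
            probes.append(head)
            break
        probes.append(head + ".exe")
    return probes


def hijack_points(image_path, writable_dirs):
    """Probes before the real binary that land in a user-writable directory:
    plant an .exe there and the service starts it instead, as its own user."""
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    probes = probe_paths(image_path)
    return [p for p in probes[:-1]
            if ntpath.dirname(p).rstrip("\\").lower() in writable]


def find_unquoted_service_paths(services, writable_dirs):
    """Map service name -> exploitable probe paths, for services that have any."""
    result = {}
    for name, image_path in services.items():
        points = hijack_points(image_path, writable_dirs)
        if points:
            result[name] = points
    return result


if __name__ == "__main__":
    for name, image_path in SERVICES.items():
        print(name, "->", probe_paths(image_path))
    print("exploitable:", find_unquoted_service_paths(SERVICES, USER_WRITABLE_DIRS))
```

For the PermissionChecker entry the probes are C:\Custom.exe, C:\Custom Services\Permission.exe and the real PerChecker.exe, which is the sequence of CreateFile events visible in Procmon; only the middle one sits in a directory the example marks writable, so that is the file to plant. VendorAgent's probes fall under C:\ and C:\Program Files, where a user cannot create files, so it is unquoted but not exploitable with these permissions, which is the check the speaker says has to be done on the folder rather than on the path alone.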