
Article: We’re going the wrong way! How to abuse symlinks and get LPE in Windows

Posted by stihl (Moderator)
Symbolic links have been present in Windows almost from the beginning. However, few offensive security courses teach anything about them, although symbolic links have great potential: with some luck, they give you LPE! This article describes symbolic links in detail, the specifics of working with them, and clearly shows the logic of abusing them to obtain LPE.

What is a symbolic link?

So, a symbolic link allows you to point from one object to another. Literally: a symbolic link named example could point to the file 1.txt. There are different types of symbolic links in Windows. Let’s take a closer look at them.

  • NTFS (Soft Link) — Allows you to link from one file to another. To create one, you need administrator rights, the SeCreateSymbolicLinkPrivilege privilege, or Windows Developer Mode enabled. You can create such a link using:
Code:
#cmd.exe
mklink link.txt orig.txt

#winapi
BOOLEAN CreateSymbolicLinkA(
[in] LPCSTR lpSymlinkFileName,
[in] LPCSTR lpTargetFileName,
[in] DWORD  dwFlags
);

[Image: Soft Link Example]
  • Hard Link — also allows you to link from one file to another, but only within the same drive. Requires FILE_WRITE_ATTRIBUTES rights to create. You cannot link to directories. You can read more about soft and hard links here: [link]. You can create a hard link with:
Code:
# cmd.exe
mklink /H link.txt orig.txt

# ZwSetInformationFile
https://github.com/googleprojectzero/symboliclink-testing-tools/blob/00c0fe4cefcd2a62c887fe6117abc02bc98bb9fb/CommonUtils/Hardlink.cpp#L20

[Image: Hard link example]
  • Registry Link — allows you to link from one registry key to another. Requires KEY_CREATE_LINK + KEY_CREATE_SUB_KEY rights to create; also, you cannot create a symlink between certain hives. For example, you cannot create a symlink from HKCU\XXXX to HKLM\XXXX.
Code:
# Creation using NtCreateKey()
https://github.com/googleprojectzero/symboliclink-testing-tools/blob/main/CommonUtils/RegistrySymlink.cpp#L121

[Image: Registry Symlink example]
As you can see, almost all symbolic links require a fairly privileged account. How can you elevate your privileges then?

And here we come to two other less popular types of symlinks.

  • NTFS Mount Point — this is a symbolic link from one folder to another. It can be created on behalf of a low-privileged account. The directory that becomes the symbolic link (Dir-link in the examples) must be empty, and we must have write access to it. You can create such a link using:
Code:
# cmd.exe
mklink /J Dir-link Directory

# DeviceIoControl()
https://github.com/googleprojectzero/symboliclink-testing-tools/tree/main/CreateMountPoint

[Image: NTFS Mount Point Example]
  • Object Manager Symlink — allows you to create symbolic links within the Object Manager namespace. As a low-privileged user, you can create symbolic links in the \RPC Control and \BaseNamedObjects\Restricted namespaces. You can also try creating a symbolic link inside \BaseNamedObjects if you meet some conditions described here: [link].
Code:
# NtCreateSymbolicLinkObject()
https://github.com/googleprojectzero/symboliclink-testing-tools/tree/main/NativeSymlink

# DefineDosDevice()
https://github.com/googleprojectzero/symboliclink-testing-tools/tree/main/CreateDosDeviceSymlink

[Image: Object manager symlink example]

You can read more about the Object Manager here: [link]. To achieve LPE we will use these two types of symbolic links.

Arbitrary File Deletion Example

So, let’s look at an example. Let’s say we know that some operation which can lead to LPE is being performed on a file, and we want to replace it with a symbolic link.

[Image: Using NTFS Mount Point + Object Manager symlink example]

So, let’s say there is some Windows service that deletes the file C:\Temp\abc\file.txt, and we want to replace this file with C:\Windows\controlled.txt while working on behalf of a low-privileged account. In addition, we have full rights to the directory C:\Temp\abc and to file.txt itself. We have no rights to controlled.txt.

In this case, we proceed as follows:

  1. Create an Object Manager symbolic link from \RPC Control\file.txt to C:\Windows\Controlled.txt.
  2. After that, create an NTFS Mount Point from C:\Temp\abc (don't forget to delete all files from C:\Temp\abc first) to \RPC Control.
  3. We see a successful deletion of C:\Windows\controlled.txt!

How does it work? First, the high-privileged service that performs the delete operation calls a method like DeleteFile() on C:\Temp\abc\file.txt. However, this file does not exist, and C:\Temp\abc points to \RPC Control, so \RPC Control\file.txt is accessed. This is also a symbolic link, but it points to C:\Windows\controlled.txt. The service therefore follows two symbolic links and, instead of the intended C:\Temp\abc\file.txt, deletes C:\Windows\controlled.txt. This is what the vulnerability looks like :) It’s called Arbitrary File Deletion.

More arbitrary file operations

So, the general logic of exploitation is as follows: we create two symbolic links and thereby redirect the execution flow of the privileged service, forcing it to perform its operations against the file we choose.

[Image: Abuse logic]

You can see examples of Arbitrary File Delete in these CVEs: [links]

However, in addition to deletion, you may encounter copy, create, move and overwrite operations. I’ve put together the following PoC to demonstrate these scenarios.

How to find this vulnerability?

The easiest way to find such a vulnerability is to use Process Monitor. Configure it as shown in the screenshot below, then monitor file operations and check which of the files involved you could replace with a symbolic link.

[Image: Process Monitor Settings (Options -> Select Columns)]

For example, when we investigated the LPE in AnyDesk, we determined that an operation was performed on the file C:\users\<username>\AppData\Roaming\Microsoft\Windows\Themes\<wallpaper>.png, over which we have full control. After that, the file was copied to C:\Windows\Temp\<wallpaper>.png.

[Image: File operation example]

Then you need to determine the context, that is, on whose behalf the privileged operation is being performed. In our case, it was NT AUTHORITY\SYSTEM, which led to the LPE.

[Image: Privileged File Operation]

So, we just need to find a privileged file operation on a file we control, and then replace that file with a symbolic link. But how do we trigger this privileged file operation? Here I offer several options.

  • [link] — you can try to trigger a driver to perform a file operation on a file under your control;
  • [link] — when initializing, COM objects can use different files while running on behalf of NT AUTHORITY\SYSTEM;
  • [link] — different files may be used during the installation of an MSI package;
  • GUI/RPC/ALPC — finally, you can try to interact with the target application via the IPC interfaces it provides.
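To make the Process Monitor step above repeatable when auditing a service you maintain, here is an added PowerShell example (not part of the original article) that filters a Procmon CSV export for SYSTEM-level file operations under user-writable paths, so they can be reviewed and fixed before a symbolic link can be substituted. The CSV rows, process names, paths and the writable-prefix list are constructed assumptions; the column layout mirrors a Procmon export with the User and Integrity columns enabled.

```powershell
# Added example, not from the article: triage a Process Monitor CSV export and list the
# privileged file operations that touch paths a standard user can write to. Those are
# the operations to review (or fix, if it is your service) before someone swaps the
# file for a symbolic link. The CSV is constructed to look like a Procmon export with
# the User and Integrity columns enabled; process names and paths are invented.
$procmonCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail","User","Integrity"
"10:01:02.1","svc.exe","1234","CreateFile","C:\Users\alice\AppData\Roaming\Microsoft\Windows\Themes\wall.png","SUCCESS","Desired Access: Generic Read","NT AUTHORITY\SYSTEM","System"
"10:01:02.2","svc.exe","1234","CreateFile","C:\Windows\Temp\wall.png","SUCCESS","Desired Access: Generic Write","NT AUTHORITY\SYSTEM","System"
"10:01:02.3","svc.exe","1234","SetDispositionInformationFile","C:\Temp\abc\file.txt","SUCCESS","Delete: True","NT AUTHORITY\SYSTEM","System"
"10:01:02.4","svc.exe","1234","CreateFile","C:\Program Files\Svc\config.ini","SUCCESS","Desired Access: Generic Read","NT AUTHORITY\SYSTEM","System"
"10:01:03.0","notepad.exe","4321","WriteFile","C:\Users\alice\notes.txt","SUCCESS","Offset: 0","DESKTOP\alice","Medium"
'@

# Prefixes a standard user can normally write under (assumption; extend for your environment).
$userWritablePrefixes = @('C:\Users\', 'C:\Temp\', 'C:\ProgramData\')
# Procmon operations that open, write, delete or rename files.
$fileOps = @('CreateFile', 'WriteFile', 'SetDispositionInformationFile', 'SetRenameInformationFile')

function Find-PrivilegedOpsOnUserWritablePaths {
    param([Parameter(Mandatory)][string]$Csv)
    foreach ($row in ($Csv | ConvertFrom-Csv)) {
        # Keep only operations performed by SYSTEM (or at System integrity) ...
        if ($row.Integrity -ne 'System' -and $row.User -ne 'NT AUTHORITY\SYSTEM') { continue }
        if ($fileOps -notcontains $row.Operation) { continue }
        # ... on a path a low-privileged user controls.
        $hit = $userWritablePrefixes | Where-Object { $row.Path.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }
        if (-not $hit) { continue }
        # Which arbitrary-file primitive the operation would become if the path were a symlink.
        $primitive = switch ($row.Operation) {
            'SetDispositionInformationFile' { 'arbitrary delete' }
            'SetRenameInformationFile'      { 'arbitrary move' }
            'WriteFile'                     { 'arbitrary write' }
            default { if ($row.Detail -match 'Write') { 'arbitrary create/overwrite' } else { 'read of a user-controlled file; check where its content goes' } }
        }
        [pscustomobject]@{
            Process   = $row.'Process Name'
            Operation = $row.Operation
            Path      = $row.Path
            User      = $row.User
            Primitive = $primitive
        }
    }
}

Find-PrivilegedOpsOnUserWritablePaths -Csv $procmonCsv | Format-Table -AutoSize
```

On the constructed rows this reports two candidates: the SYSTEM read of the wallpaper under the user's profile (the AnyDesk pattern described above) and the SYSTEM delete under C:\Temp\abc; the write to C:\Windows\Temp and the read under Program Files are not on user-writable paths and are skipped.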

Arbitrary File Delete

Let’s take a closer look at the vulnerability. For example, here is how Arbitrary File Delete was used in the past to abuse antivirus products.

[Image: AV Abuse Example]

So, we have an antivirus service that operates on behalf of NT AUTHORITY\SYSTEM. The hacker places an EICAR test file on the disk, then polls [link] in a loop, trying to detect access to the file. The antivirus accesses the file, identifies it as malicious, and tries to delete it from the disk. However, at this point the hacker replaces the file with a symbolic link which, by combining an NTFS Mount Point and an Object Manager Symlink, leads to a file critical for the antivirus itself. This is how the antivirus deletes itself :)

So what can we do once we have achieved arbitrary file deletion?

Here is a more general option: try to delete some DLL library, then write your own payload in its place. Look at the Search Order Hijacking and DLL Redirection mechanisms. However, this is a slightly more complex case. Consider a simpler method: abuse of the Windows Installer rollback mechanism ([link]). This method allows you to get a SYSTEM shell from an arbitrary file deletion primitive.

[Image: Windows Installer Rollback abuse]

The mechanism is based on the fact that we delete the C:\Config.msi folder, write our own malicious MSI files there and trigger the Rollback mechanism, which leads to the execution of these files. You can explore this mechanism in more detail in these CVEs: [links]

Fun Fact

To be honest, I was quite surprised that the topic of symbolic link abuse is largely ignored in the leading and most popular offensive security courses. Moreover, this vulnerability is more than relevant: just a couple of months ago, another CVE related to the abuse of symbolic links was registered. Read the research here: [link].

Arbitrary File Create/Copy && Some Tricks

So, what if you can control a file being created or copied instead of deleted? In this case, I suggest two options for abuse:

  • More general option: try writing a new configuration file for some service, writing scripts to the system-wide startup, or using the DLL Redirection mechanism (create .local files);
  • However, there is a potentially vulnerable DiagHub service that will allow us to load an arbitrary library from C:\Windows\System32. So, try to write your library to this path and trigger the service. You can read more here: [link] and [link].

[Image: DiagHub vulnerable interface definition]

[Image: DiagHub initialization and abuse]

However, during exploitation you may encounter a problem: the target application checks the file before copying or creating it. In this case, look at the [link] repository. It lets you perform a time-of-check/time-of-use (TOCTOU) attack.

What does it consist of? First, we again create a symbolic link, but it points to the legitimate file that is being checked. In turn, an OpLock ([link]) is placed on this legitimate file. The OpLock lets you track requests to the legitimate file. As soon as the target service requests the legitimate file, the OpLock is triggered and our symbolic link is switched from the legitimate file to a malicious one.

[Image: TOCTOU Abuse Example]

This is the first trick you can use when abusing arbitrary copying or arbitrary file creation.

The second trick is to override the DACL. It was used when writing the PoC for the LPE in AnyDesk. We had the following case: we could perform arbitrary copying of any system file into the C:\Windows\Temp folder, but the files were copied together with their original DACL, so we could not read them. However, we simply pre-created the target files in the C:\Windows\Temp folder, and the vulnerable service involuntarily performed an arbitrary overwrite instead of an arbitrary copy. In this case the DACL of the existing destination file, i.e. the one we created ourselves, is kept, and we can read our own files without problems.

[Image: Overriding DACL Example]

You can read more about it here: [link].

Arbitrary File Overwrite/Move

It is worth noting that if you have achieved a move or overwrite primitive, the methods of abuse do not differ from those used for arbitrary copying or creation. Also look into writing DLL libraries or using DiagHub.

Did you know that renaming can move a file? Let’s take a closer look. Let’s say we have some privileged service that renames C:\abc\private.txt to C:\xyz\public.txt. In this case, we control both files: private.txt and public.txt.

[Image: Renaming to moving…]

In this case, we can make two symbolic links, one called private.txt and the other public.txt, pointing to the files we need to move. For example, private.txt will point to the malicious DLL C:\hack\pwn.dll, which we want to write to the path C:\LegitService\Legit.dll. Accordingly, public.txt should point to C:\LegitService\Legit.dll. Thus, when the service wants to rename C:\abc\private.txt to C:\xyz\public.txt, it will actually rename C:\hack\pwn.dll to C:\LegitService\Legit.dll. You can read more about this wonderful technique here: [link].

Arbitrary Directory Creation

There are more sophisticated methods. For example, when you can control the folder being created, you can try to turn this into arbitrary reading of system files.

[Image: From Arbitrary Directory Creation to Arbitrary File Read]

In this case, you create a folder with a special name, for example c_1337.nls, and turn it into an NTFS Mount Point to the desired file. Yes, to a file, not to a folder: we will work with the National Language Support service, which uses a special system call that allows an NTFS Mount Point to resolve to a file. After that, we trigger the National Language Support service, and the target file is mapped into shared memory. All we have to do is find the desired file in memory by its characteristic name. You can find the PoC here: [link], and the original research here: [link].

Symlinks to UAC Abuse

You can use symbolic links to bypass UAC! It is worth noting that this method only works on systems with Intel processors. To abuse it, you need to locate the ShaderCache folder, delete all files from it, create an NTFS Mount Point, achieve an arbitrary overwrite primitive, and write your own DLL.

[Image: UAC Bypass using symlinks]

You can find the original research here: [link].

Defense notes

So how can you protect yourself from symbolic link abuse? I see two options:

  • RedirectionTrust — the system does not follow symbolic links created by a user with a lower integrity level (IL);

[Image: Enabling RedirectionTrust example]

Use [link] to find the RedirectionTrust mechanism in running processes.

  • Impersonation — your service must use the low-privileged user's token for file operations. You can adopt another user's token with special functions such as [link]().
Also, check out [link].
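As an added example (not code from the article), here is a defensive check in PowerShell that complements the two options above: before a privileged service deletes, copies or renames a file, it walks every component of the path and refuses to act when any of them is a reparse point, which is the building block of the mount-point chain in the deletion example. The function names, the junction created under %TEMP% for the demonstration and the drive-letter regex used to classify targets are assumptions.

```powershell
# Added example, not code from the article: a defensive check a privileged service
# can run before deleting, copying or renaming a file. It walks every component of
# the path and reports reparse points (junctions / NTFS mount points / symlinks),
# which is what the "C:\Temp\abc -> \RPC Control -> controlled.txt" chain relies on.
function Test-PathHasReparsePoint {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)
    # The path and all of its ancestors, leaf first: ...\abc\file.txt, ...\abc, ..., C:\
    $components = @()
    $current = [System.IO.Path]::GetFullPath($Path)
    while ($current) {
        $components += $current
        $current = [System.IO.Path]::GetDirectoryName($current)   # $null at the volume root
    }
    foreach ($component in $components) {
        # A component that does not exist yet cannot be a reparse point; skip it.
        $item = Get-Item -LiteralPath $component -Force -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        if (($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -eq 0) { continue }
        # PowerShell exposes LinkType/Target for junctions and symlinks. A target that is not
        # a drive-letter path (e.g. "\RPC Control") leaves the file system namespace; the
        # regex used to classify it is our own assumption, not a Windows rule.
        $target = [string]$item.Target
        [pscustomobject]@{
            Component        = $component
            LinkType         = $item.LinkType
            Target           = $target
            FileSystemTarget = [bool]($target -match '^[A-Za-z]:\\')
        }
    }
}

# Service-side use: abort the privileged operation if the path crosses any reparse point.
function Remove-FileUnlessRedirected {
    param([Parameter(Mandatory)][string]$Path)
    $hits = @(Test-PathHasReparsePoint -Path $Path)
    if ($hits.Count -gt 0) {
        throw "Refusing to delete '$Path': it crosses a reparse point ($($hits[0].Component) -> $($hits[0].Target))"
    }
    Remove-Item -LiteralPath $Path -Force
}

# Demonstration on constructed paths under %TEMP%: a junction is created and reported.
$base = Join-Path $env:TEMP ('reparsecheck_' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path (Join-Path $base 'real') -Force | Out-Null
New-Item -ItemType Junction -Path (Join-Path $base 'abc') -Target (Join-Path $base 'real') | Out-Null
Test-PathHasReparsePoint -Path (Join-Path $base 'abc\file.txt') | Format-Table -AutoSize
[System.IO.Directory]::Delete((Join-Path $base 'abc'))   # removes the junction, not its target
Remove-Item -LiteralPath $base -Recurse -Force
```

Because this is still a check-then-act pattern it can be raced with the OpLock trick described earlier, so treat it as defense in depth alongside RedirectionTrust or impersonation of the low-privileged caller, which close the hole at the kernel and token level.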
