0day.today - Biggest Exploit Database in the World.
Microsoft Windows 10 - DSSVC CanonicalAndValidateFilePath Security Feature Bypass Exploit
Risk: Security Risk High
Windows: DSSVC CanonicalAndValidateFilePath Security Feature Bypass
Platform: Windows 10 1803 and 1809.
Class: Security Feature Bypass/Elevation of Privilege
Security Boundary (per Windows Security Service Criteria): User boundary

NOTE: This is one of multiple issues I’m reporting in the same service. While I’ve tried to ensure all the bugs are effectively orthogonal from each other it’s possible that fixes for one thing might affect others. I’ve also not reported every possible problem with the service as at some point I had to stop. I’ve not determined if any of these issues could be abusable from a sandbox, most of the issues almost certainly can’t be due to the requirements for arbitrary file symlinks but it’s not impossible.

Summary:
The Data Sharing Service’s check for the user passing UNC paths can be circumvented leading to a security feature bypass which can facilitate easier exploitation for privilege elevation.

Description:
During DSSCreateSharedFileTokenEx the path is passed to DSUtils::CanonicalAndValidateFilePath to canonicalize the path. This method also verifies that the passed path isn’t a UNC path (for reasons unknown). The UNC path check can be bypassed by using the \??\UNC\ form. When this is passed to PathAllocCanonicalize it returns it verbatim, however this path format isn’t considered a UNC path by PathIsUNCEx. However when passed to CreateFile etc it will be considered as if it was an \\?\UNC\ path format.

This could be useful for a few different attacks. For a start you could redirect the call to \\localhost\pipe\somepipe and get a named pipe handle bound to the SYSTEM user. Although I’ve not worked out a way of getting the handle back (as GetFinalPathFromHandle fails). Another attack vector is when going to an SMB share any directory junctions are resolved on the server, this would allow you to bypass any checks such as DSUtils::VerifyPathFromHandle as the returned path would be \\?\UNC\localhost\c$\blah.. Regardless of the final destination path opened.

Proof of Concept:
I’ve provided a PoC as a C# project.
1) Compile the C# project. It’ll need to pull NtApiDotNet from NuGet to build.
2) Execute the poc, it will try and open c:\windows\notepad.exe via the C$ admin share.

Expected Result:
The path is considered invalid and DSSCreateSharedFileTokenEx fails.

Observed Result:
The UNC path is opened.

Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46159.zip

# 0day.today [2024-11-16] #
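The validation gap described above, seen from the checking side, as an added example that is not code from the advisory or from the service. `naive_is_unc` is a simplified stand-in for a check that knows only the `\\server` and `\\?\UNC\` spellings; `is_remote_path` is a hypothetical stricter classifier that strips the device-namespace prefix before testing. All sample paths are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Accept '/' as well as '\': a deny check should err towards rejecting. */
static bool is_sep(char c) { return c == '\\' || c == '/'; }

/* Case-insensitive prefix match; a '\' in lit matches either separator. */
static bool starts_with(const char *s, const char *lit) {
    for (; *lit; ++s, ++lit) {
        if (*lit == '\\') { if (!is_sep(*s)) return false; }
        else if (tolower((unsigned char)*s) != tolower((unsigned char)*lit)) return false;
    }
    return true;
}

/* Simplified model of the check as the advisory describes it (assumption,
   not the real PathIsUNCEx): only \\server and \\?\UNC\ count as UNC. */
bool naive_is_unc(const char *p) {
    if (starts_with(p, "\\\\?\\UNC\\")) return true;
    return starts_with(p, "\\\\") && p[2] != '?' && p[2] != '.' && p[2] != '\0';
}

/* Stricter check: strip a device-namespace prefix (\\?\, \\.\ or the NT-style
   \??\ from the advisory) before looking for the UNC marker. */
bool is_remote_path(const char *p) {
    static const char *const prefixes[] = { "\\\\?\\", "\\\\.\\", "\\??\\" };
    for (size_t i = 0; i < sizeof prefixes / sizeof *prefixes; ++i)
        if (starts_with(p, prefixes[i]))       /* every prefix is 4 chars */
            return starts_with(p + 4, "UNC\\");
    return is_sep(p[0]) && is_sep(p[1]) && p[2] != '\0';
}

int main(void) {
    /* Constructed sample paths; the third is the form from the advisory. */
    static const char *const samples[] = {
        "C:\\Windows\\notepad.exe",
        "\\\\localhost\\c$\\windows\\notepad.exe",
        "\\??\\UNC\\localhost\\c$\\windows\\notepad.exe",
        "\\??\\C:\\Windows\\notepad.exe",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; ++i)
        printf("%-45s naive=%d strict=%d\n", samples[i],
               naive_is_unc(samples[i]), is_remote_path(samples[i]));
    return 0;
}
```

The stricter function covers only the three prefix spellings listed in its table; it classifies the string and does not replace verifying the path of the handle that was actually opened.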