Microsoft has released a security advisory and a fix for a flaw in Group Policy. The flaw could allow a compromised, unprivileged user account to plant malicious DLLs on a Windows system.
Microsoft released 129 fixes yesterday for flaws across several of its products, from Windows and Office to Visual Studio, Azure DevOps and Microsoft apps for Android. Eleven of these flaws are rated “critical” and should be patched immediately. But one particular vulnerability could easily be overlooked, even though it allows attackers with local access to take full control of corporate Windows systems. The flaw, tracked as CVE-2020-1317, affects one of the most fundamental mechanisms for centrally managing the settings of Windows machines and users in Active Directory environments: Group Policy. More importantly, the flaw is old and exists in all desktop versions of Windows and in all server versions from Windows Server 2008 onward.
Microsoft considers the flaw serious. “The privilege escalation flaw can be exploited when Group Policy access verification is incorrect. If an attacker successfully exploits this vulnerability, he can execute processes in a high context. To exploit the vulnerability, the attacker must first log on to the system, and then run an application specially designed to take control of the affected system.” Microsoft’s security advisory contains no further detail, but according to the CyberArk researchers who discovered the vulnerability, it is quite serious.
Exploitation of the Group Policy vulnerability
In Windows systems, Group Policy settings are stored as Group Policy Objects (GPOs). Domain administrators distribute these GPOs over the network from the domain controller. However, Group Policy updates are not instantaneous by default and generally take a long time to propagate across a network. For this reason, Windows includes a tool called GPUpdate.exe that users can run to request GPO updates from the domain controller instead of waiting. “It’s worth noting that an unprivileged local user can manually request a Group Policy update,” CyberArk security researchers said in a blog post. “So if you can find a bug in the Group Policy update process, you can trigger it yourself as you please, which facilitates a potential attack.”
Group Policy updates are handled by a service called GPSVC, which runs inside svchost.exe, the host process for many Windows services. As expected, this service runs with the highest possible privileges, in the context of NT AUTHORITY\SYSTEM. Group Policy updates can be linked to a machine, site, domain or organizational unit, and the service saves them to a file called Applied-Object.xml, which is then renamed according to the type of object the policy applies to. For example, a printer policy ends up as Printers\Printers.xml. The researchers discovered that updates to GPOs linked to an organizational unit – updates that target all users and computers in the domain – are saved on the computer under the %LOCALAPPDATA% directory, which any local user can access.
Moreover, when performing this operation the service does not adopt the context and privileges of the local user who requested the update – a switch known as impersonation in Windows API terminology – but performs the file write with LocalSystem privileges. This mechanism therefore creates a situation in which an unprivileged user can use GPUpdate.exe to trigger file writes with LocalSystem privileges into a directory that the user controls.
The last step in this chain is for the user to create a symbolic link that redirects the location of the file about to be written – for example, Printers.xml – to a system file in a protected Windows directory such as C:\Windows\System32, which holds many files executed by the operating system. When GPSVC tries to write Printers.xml to the user-accessible location, the write is actually redirected to a file in C:\Windows\System32, which succeeds because the service runs with system privileges.
This is how CyberArk researchers describe the different steps:
– List the globally unique identifiers (GUIDs) of the Group Policies present in C:\Users\<user>\AppData\Local\Microsoft\Group Policy\History.
– If there are multiple GUIDs, check which directory was updated most recently.
– Go to that directory and then to the sub-directory named after the user’s security identifier (SID).
– Look at the most recently modified directory. This varies depending on the environment. In the example chosen here, it was the Printers directory.
– Delete the file Printers.xml in the Printers directory.
– Create an NTFS mount point to \RPC Control together with an Object Manager symbolic link from Printers.xml to C:\Windows\System32\whatever.dll.
– Open your preferred terminal and launch gpupdate.
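The technique above depends on a reparse point (an NTFS mount point or junction) being planted inside the per-user Group Policy History tree, a location where GPSVC only ever writes ordinary files and directories. The following PowerShell check, added here as an illustration and not code from CyberArk or Microsoft, enumerates every user profile on the machine and reports any reparse point found under that tree. It assumes the default profile location C:\Users and the History path named in the steps above.

```powershell
# Added defensive check (not from the article's sources): look for NTFS reparse points
# (junctions / mount points / symlinks) inside each user's Group Policy History tree.
# GPSVC writes only plain files and folders there, so a reparse point is unexpected
# and is exactly the primitive the CVE-2020-1317 technique relies on.
# Run from an elevated prompt so that every profile is readable.

$suspicious = @()

foreach ($profile in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    # Assumed layout: <profile>\AppData\Local\Microsoft\Group Policy\History\{GUID}\{SID}\...
    $history = Join-Path $profile.FullName 'AppData\Local\Microsoft\Group Policy\History'
    if (-not (Test-Path -LiteralPath $history)) { continue }

    Get-ChildItem -LiteralPath $history -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        ForEach-Object {
            $suspicious += [pscustomobject]@{
                User     = $profile.Name
                Path     = $_.FullName
                LinkType = $_.LinkType    # Junction, SymbolicLink, ... (PowerShell 5.1+)
                Target   = ($_.Target -join ';')
                Modified = $_.LastWriteTime
            }
        }
}

if ($suspicious.Count -eq 0) {
    Write-Output 'No reparse points found under any Group Policy History directory.'
} else {
    Write-Warning "$($suspicious.Count) reparse point(s) found; GPSVC does not create these."
    $suspicious | Format-Table -AutoSize
}
```

A hit is not proof of exploitation on its own, but there is no legitimate reason for a junction to exist in this tree; a junction whose target is the Object Manager namespace (such as \RPC Control) on an unpatched host is a strong indicator and warrants pulling the profile's recent file activity and process history for that user.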
The reason the ability of unprivileged users to write files into protected operating-system directories is dangerous is that it enables a so-called DLL hijacking attack. C:\Windows\System32 is one of the first places many applications, and the operating system itself, look when they need to load a particular DLL. If a malicious user can place a DLL with a specific name and malicious code in this directory, a service or application running with LocalSystem privileges will load and execute it, giving that code full control of the computer.
The value of privilege escalation flaws
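Because the end goal of this chain is a DLL written into System32 by a system-privileged process, a practical post-incident check is to list DLLs in that directory that were written recently and do not carry a valid Authenticode signature. The script below is an added example and not code from the article's sources; the seven-day window is an assumption, and Windows update activity will legitimately touch many files in System32, which is why the script keeps only those whose signature does not verify.

```powershell
# Added defensive check (not from the article's sources): recently written DLLs in
# System32 whose Authenticode signature is missing or invalid. A DLL dropped through a
# system-privileged write would show up here as a recent, unsigned or badly signed file.
# $Days is an assumed triage window; widen it if the host has not been checked recently.

$Days     = 7
$since    = (Get-Date).AddDays(-$Days)
$system32 = Join-Path $env:SystemRoot 'System32'

Get-ChildItem -LiteralPath $system32 -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since -or $_.CreationTime -ge $since } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name     = $_.Name
            Created  = $_.CreationTime
            Modified = $_.LastWriteTime
            Status   = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    } |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Modified -Descending |
    Format-Table -AutoSize
```

On current Windows 10 and Server builds Get-AuthenticodeSignature also validates catalog-signed OS binaries, so a freshly patched machine should produce an empty list; on older systems some catalog-signed files may be reported as NotSigned, so treat the output as a triage list and compare any hit against a known-good reference host or its file hash before acting on it.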
In general, vulnerabilities that enable privilege escalation are not rated “critical” because, to exploit them, attackers must already have some access, however limited, to the local computer. However, attackers have several ways to gain that initial access: phishing emails with malicious attachments, drive-by downloads, or exploitation of a vulnerability in any installed application. This is why the basic security practice is for the users of a Windows system to have limited privileges and for the applications they run to have limited privileges, that is, the least privilege needed to function.
Thanks to improvements in the security architecture of modern operating systems and developers’ efforts to reduce their attack surface, it is now quite rare to find an unauthenticated, remotely exploitable vulnerability on a network or on the Internet that gives direct and full access to a system. Most attacks today use exploit chains that combine multiple vulnerabilities, and privilege escalation flaws are an important part of those chains, often the last step before the attacker takes control of the whole system.
Unfortunately, privilege escalation vulnerabilities are still common. As evidence, in a research project carried out over one year, CyberArk researchers found 60 flaws of this type in products from major software vendors. On Windows, privilege escalation vulnerabilities are commonly found in the kernel and in third-party drivers, but also in various system services, as is the case here. “These types of bugs are very common,” said Eran Shimony, a researcher at CyberArk Labs. “During our research project, we found a lot of vulnerabilities of a similar nature, which means that developers are not fully aware of these vulnerabilities, but they are easy to avoid, so it would be great if they paid attention to them.”
To fix the Group Policy vulnerability, Microsoft had to change the way Group Policy checks access, which was probably not simple, since it is a fundamental mechanism of Windows management. CyberArk first reported the problem to Microsoft in June of last year, so it took the vendor a year to finalize the update released yesterday. Microsoft also had to develop fixes for affected operating systems that are now out of support but for which customers may still hold extended support contracts entitling them to security updates. This is particularly the case for Windows Server 2008, Windows Server 2012 and Windows 7.