The tool used is create the folder junction is CreateMountPoint by James Forshaw of Google Project Zero.
In this case, a folder junction mount point is set on the previous DSA Folder Location directory structure ( c:\test\downloads ) and targeted for the protected c:\windows\system32 directory. This includes the text.txt file to c:\temp\Downloads\test.txt:Ĩ – Of course, this sets up an interesting test case for identifying a potential reparse point logic bug. In the following screenshot, ProcMon shows the ‘move’ activity from the previous directory structure ( c:\test) to the new directory structure ( c:\temp) when the Folder Location is changed.
This browsing dialogue box is prompted:ħ – After changing the folder directory, the folder structure and contents under the previous Folder Location are moved to the new folder by the DSA service ( DSAService.exe). For demonstration, a test file (test.txt) is created within the folder directory structure at c:\test\Downloads\test.txt.
The structure appears as follows:Ħ – In the DSA Settings page, the unprivileged user can change the directory by selecting the Change Location button under Folder Location. The unprivileged user has the ability to change the Folder Location (Default in this case is C:\ProgramData\Intel\DSA):Ĥ – Taking note of the default folder path, the DACL entries of that path reveal that the Authenticated Users group has Full Control permissions over the directory:ĥ – In the DSA directory, the folder structure contains the data, downloads, and logs. The following walkthrough represents a simple methodology for discovering and exploiting the EoP bug in an unprivileged user context:ġ – The user selects the DSA tray icon on the Windows Task Bar:Ģ – The DSA interface opens in the default web browser:ģ – Selecting the Settings link (on the left) opens up the DSA Settings page. This technical advisory provides an excellent overview of that bug as well as operational details of DSA. Of note, a similar bug in DSA (CVE-2019-11114) was previously discovered by Rich Warren of the NCC Group. An unprivileged user can change the folder location, coerce a privileged file copy operation to a “protected” directory through a reparse point, and deliver a payload such as a DLL loading technique to execute unintended code. This includes the ability to configure the folder location for downloads and data (e.g. An unprivileged user has nominal control over configuration settings within the web-based interface. DSA version 20.8.30.6 (and likely prior) is vulnerable to a local privilege escalation reparse point bug. Intel Driver & Support Assistant (DSA) is a driver and software update utility for Intel components.
0 kommentar(er)
