WalletService
has fixed Elevation of Privilege bugs in last Patch Tuesday, one of bugs are assigned with CVE-2020-1362. The bug leverage a out-of-bound bug in the service. Here we share our techniques to exploit it.
We conducted binary analysis of the following functions in walletservice.dll
:
- Wallet::WalletCustomProperty::SetGroup
The SetGroup function wrote a user-controlled data in the memory of user-controlled offset.
signed __int64 __fastcall Wallet::WalletCustomProperty::SetGroup(__int64 this, int a2, int a3, int a4)
{
signed __int64 result; // rax
result = 0i64;
if ( a2 == 1 )
{
if ( a3 & 0xFFFFFFDF )
return 0x80070057i64;
}
else if ( a3 == 0x20 )
{
return 0x80070057i64;
}
if ( a4 == -1 )
{
*(_DWORD *)(this + 8i64 * a2 + 0x74) = 0;
*(_DWORD *)(this + 8i64 * a2 + 0x78) = 0x7FFFFFFF;
}
else
{
*(_DWORD *)(this + 8i64 * a2 + 0x74) = a3;
*(_DWORD *)(this + 8i64 * a2 + 0x78) = a4;
}
return result;
}
We can notice that the function do not check the range of the offset that the user can control. So this is where the vulnerability occurs.
We can now write memory out of bounds. By observing we can find that there is a function to set and get BSTR in the same class:
- Wallet::WalletCustomProperty::SetLabel
- Wallet::WalletCustomProperty::GetLabel
So we can easily modify the pointer to BSTR through oobw to obtain the ability to read and write any address.
Once we have WWW (write-what-where), we can write vtable of Wallet::WalletCustomProperty objects on the heap to control RIP. At the beginning, we tried to modify it directly with oobw, but we found that oobw was not aligned with 8 bytes. So we have to write twice to achive vtable hijack using race condition. But this may make the exploit unstable. There are some other method to get around this. But in our POC we just use another info leak vulnerability (CVE-2020-1361) to leak the heap address and used www to write the vtable directly. BTW, although CVE-2020-1361 is marked as an info leak vulnerability, it actually can be used to achieve EOP. We will make a writeup for it in future.
We found the ATL::CComObject<CDXGIAdapter>::`vector deleting destructor
function in dxgi.dll
to help us from executing arbitrary functions to arbitrary code execution. This function calls the loadlibraryEx
function and takes a global pointer as the first parameter of loadlibraryEx
. Then we can achieve arbitrary code execution by loading a custom dll.
An example POC is provided in POC
directory.
Through the vulnerability, we can achieve privilege elevation from medium to NT AUTHORITY\system
.
Test in Windows 10.0.18363.815, x64
Haoran Qin
Zhiniang Peng (@edwardzpeng) of Qihoo 360
Apr 10 2020: Vulnerabilities reported
Apr 21 2020: MSRC investigated and confirm the bug
Jul 14 2020: Patch released
Jul 17 2020: Writeup published