
BITSInject: Control your BITS, get SYSTEM. Dor Azouri, Security Researcher @SafeBreach (PowerPoint presentation)



  1. BITSInject: Control your BITS, get SYSTEM. Dor Azouri, Security Researcher @SafeBreach

  2. Background Intelligent Transfer Service

  3-4. A couple more bits about BITS: available since 2001 (Windows XP); most known use: Windows Update; advanced features

  5. DEMO: software updating itself using BITS

  6. TOOL DEMO #1: BITSInject opens an interactive shell as NT AUTHORITY\SYSTEM, in session 0

  8-12. BITS Background & Terms: clients: PowerShell, bitsadmin, 3rd-party; BITS Job types: Download, Upload, Upload-Reply; COM Interfaces (C/C++): qmgrprxy.dll, qmgr.dll; State File

  13. Known Malicious Uses: BITS as a malware downloader; as a persistence mechanism (e.g. DNSChanger/Zlob.Q); as C&C communication

  14. The inspiration? The way WU downloads and installs updates. The drive? Jealousy … of how WU adds SYSTEM jobs

  15. Some of LocalSystem's privileges ● Can open the registry keys HKLM\SECURITY and SAM ● On a DC, has unrestricted access to AD Domain Services ● Has the network privileges of the machine ● Covert identity

  16. Some of LocalSystem's privileges: [SYSTEM whoami] - [Administrator whoami] = SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeTcbPrivilege, SeCreatePermanentPrivilege, SeAuditPrivilege

  17. The Abuse

  18. The Enabling Feature: SetNotifyCmdLine

  19. Naive Try - PSEXEC:
      bitsadmin /CREATE I_WANT_YOUR_SYSTEM
      bitsadmin /ADDFILE I_WANT_YOUR_SYSTEM http://site.com/software.exe c:\temp\software.exe

  20. God Created a Rock He Can’t Pick Up:
      Unable to add file to job - 0x800704dd
      The operation being requested was not performed because the user has not logged on to the network
      bitsadmin /CANCEL I_WANT_YOUR_SYSTEM

  21-22. How does wuaueng do the things it does? CoSwitchCallContext to the COM interface of qmgr.dll: qmgr!CJobManagerExternal::CreateJob -> qmgr!CJob::AddFile -> qmgr!CJob::Resume -> qmgr!CJob::Transfer -> qmgr!CJob::BeginDownload

  23-24. Going after wuaueng: compare the flow of calls between wuaueng and bitsadmin. 1. qmgr!CJobManagerExternal::CreateJob -- identical. 2. qmgr!CJobExternal::AddFile -- identical, but an exception is thrown here (0x800704dd). Reason: bad pairing of {Client SID} and {Session ID}. Solution: fake {Session ID}

  25-26. Checkpoint #1 - AccessCheck: one of the functions at the heart of the Windows security model; it is boolean: GRANT or DENY. IServerSecurity::CoImpersonateClient ➔ the impersonation token is checked against the job’s security descriptor ➔ IServerSecurity::CoRevertToSelf

  27. Checkpoint #2 - Active Logon: BITS requires the requesting user to be logged on for a job to continue operation.
      C:\Windows\system32>qwinsta
       SESSIONNAME       USERNAME    ID  STATE   TYPE   DEVICE
                                      0  Disc
      >console           1            1  Active
       Rdp-tcp                    65536  Listen

  28-29. Faking Session ID (the check flow): {Client SID} and {Session ID} = 1 (from the Job object) -> GetTokenInformation(12) (TokenSessionId) -> SwitchToLogonToken -> CloneUserToken -> CLoggedOnUsers::FindUser({SID}, ...) in {Session ID}: {SYSTEM} is NOT logged on in session {1}

  30. Faking Session ID:
      1. Breakpoint is placed just before the call to CJobManager::CloneUserToken
      2. Run CMD/PowerShell as SYSTEM using psexec:
         Bitsadmin /create I_WANT_YOUR_SYSTEM
         Bitsadmin /addfile I_WANT_YOUR_SYSTEM <URL> <DestinationFile>
      3. Got to breakpoint. Change the return value of the GetTokenInformation call to 0, which is the SYSTEM session ID (WinDbg): memory change: [rsp+20h]=0

  31. Faking Session ID (after the change): {Client SID} and {Session ID} = 0 (from the Job object) -> GetTokenInformation(12) -> SwitchToLogonToken -> CloneUserToken -> CLoggedOnUsers::FindUser({SID}, ...) in {Session ID}

  32. CNestedImpersonation::* takes care of the token manipulations. CNestedImpersonation::Impersonate(void) uses ImpersonateLoggedOnUser(HANDLE hToken) ➔ the desired action is performed under impersonation, and then back to self

  33. public enum JOB_STATE { Queued, Connecting, Transferring, Suspended, Error, TransientError, Transferred, Acknowledged, Cancelled, Unknown };

  34. The State File is the Supervisor: it represents the job queue. C:\ProgramData\Microsoft\Network\Downloader\(qmgr0.dat|qmgr1.dat). Alternated update; the current one is indicated by HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS\StateIndex

  35. The State File ● Straight-forward, e.g. string representation: 07 00 00 00 ‘S’ 00 ‘Y’ 00 ‘S’ 00 ‘T’ 00 ‘E’ 00 ‘M’ 00 00 00 (CJob::Serialize(class CQmgrWriteStateFile &) calls CQmgrStateFiles::Write(void const *, ulong) for each job property) ● Unencrypted ● Partially protected

  37. sc stop bits
      timeout 5
      del /Q /F C:\ProgramData\Microsoft\Network\Downloader\*
      >> Put modified state file
      sc start bits

  40. Mandatory integrity levels:
      SID            Name (Level)   Use
      S-1-16-0x0     Untrusted (0)  Used by processes started by the Anonymous group. It blocks most write access.
      S-1-16-0x1000  Low (1)        Used by Protected Mode Internet Explorer.
      S-1-16-0x2000  Medium (2)     Used by normal applications being launched while UAC is enabled.
      S-1-16-0x3000  High (3)       Used by applications launched through UAC elevation, or if UAC is disabled and the user is an administrator.
      S-1-16-0x4000  System (4)     Used by services and other system-level applications (Wininit, Winlogon, Smss...).

  41. Migration of the Queue: just copy-paste the state files between machines.
      Windows 7 header:  F5 6A 19 2B 7C 00 8F 43 8D 12 1C FC A4 CC 9B 76
      Windows 10 header: 28 32 ED 09 A6 C7 E9 45 8F 6D 36 D9 46 C2 7C 3E 00 00 00 00 00 00 00 00
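A small offline triage helper for a copied qmgr0.dat/qmgr1.dat, built only on the two format facts the deck gives: the version-dependent header bytes (slide 41) and the length-prefixed UTF-16LE string encoding (slide 35). This is an added example, not code from the deck or from the BITSInject project; the carving routine is a heuristic of my own (it does not follow the job layout of slide 43), and the sample bytes are constructed.

```python
import struct
from typing import List, Optional, Tuple

# Version-dependent state file headers quoted on slide 41 (Windows 10 = GUID + 8 zero bytes).
STATE_FILE_HEADERS = {
    "Windows 7": bytes.fromhex("F56A192B7C008F438D121CFCA4CC9B76"),
    "Windows 10": bytes.fromhex("2832ED09A6C7E9458F6D36D946C27C3E") + bytes(8),
}


def identify_header(data: bytes) -> Optional[str]:
    """Return which version's header the qmgr state file starts with, or None."""
    for version, header in STATE_FILE_HEADERS.items():
        if data.startswith(header):
            return version
    return None


def serialize_bits_string(text: str) -> bytes:
    """Encode a string as slide 35 shows: u32 character count (NUL included), then UTF-16LE."""
    return struct.pack("<I", len(text) + 1) + (text + "\x00").encode("utf-16-le")


def read_bits_string(data: bytes, offset: int) -> Tuple[str, int]:
    """Decode one serialized string at offset; return (text, offset just after it)."""
    (count,) = struct.unpack_from("<I", data, offset)
    start, end = offset + 4, offset + 4 + 2 * count
    if count == 0 or end > len(data):
        raise ValueError("no valid string at offset %d" % offset)
    text = data[start:end].decode("utf-16-le")
    if not text.endswith("\x00"):
        raise ValueError("missing NUL terminator at offset %d" % offset)
    return text[:-1], end


def carve_strings(data: bytes, max_chars: int = 1024) -> List[Tuple[int, str]]:
    """Heuristic forensic carve: (offset, text) for every plausible printable string."""
    found, offset = [], 0
    while offset + 4 <= len(data):
        try:
            text, end = read_bits_string(data, offset)
        except ValueError:  # UnicodeDecodeError is a ValueError too
            offset += 1
            continue
        if text and len(text) <= max_chars and text.isprintable():
            found.append((offset, text))
            offset = end  # continue after the matched string
        else:
            offset += 1
    return found


# Constructed sample: Windows 10 header, filler, then two serialized job properties.
SAMPLE_STATE_FILE = (
    STATE_FILE_HEADERS["Windows 10"] + bytes(4)
    + serialize_bits_string("SYSTEM") + b"\xff\xff\xff\xff"
    + serialize_bits_string("S-1-5-18")
)
```

Running identify_header and carve_strings over a real copy of the file shows whether an unexpected version header was dropped in (slide 41's migration) and which owner/account strings the queue carries.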

  43. A Cleaner Method - state file layout:
      Version Dependent Header
      State File Header
      Queue Header
      Jobs Counter = n (n++)
      Job Header / Job #0 / Job Footer
      Job Header / Job #x / Job Footer
      ...
      Job Header / Job #n / Job Footer
      Queue Footer

  44. BITSInject: injects a job with LocalSystem as owner; the job is removed when finished; allows editing some of the job’s parameters, more in the future

  45. Interactive Services Detection - UI0Detect:
      sc stop UI0Detect
      reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows /v NoInteractiveServices /t REG_DWORD /d 1 /f
      sc start UI0Detect
      OR: a non-interactive exe

  46. TOOL DEMO #2: BITSInject non-interactive command

  47. SimpleBITSServer: a simple Python implementation of a BITS server; can respond without a Content-Length header; accelerates the method by pushing the job into the ERROR state. * On Windows 10: fake VSN to avoid network traffic

  48. The Enabling Conditions ● Relying on state file data without verification ● Lack of unique machine identification ● File permissions integrity ● Clear, straight-forward object serialization to disk

  49-52. Other Potential Abuses: interfere with a software update job: 1. WU-choking using file name exhaustion: C:\Windows\SoftwareDistribution\Download\GUID\BIT[0-9A-F]{1,4}\.tmp (69,904 possible names) 2. Change job state using BITSInject.py 3. Completely remove a job from the queue using BITSInject.py

  53. MSRC: “...A malicious administrator can do much worse things.”

  54. Links: BITSInject (tool code + parser): https://github.com/SafeBreach-Labs/BITSInject ; SimpleBITSServer: https://github.com/SafeBreach-Labs/SimpleBITSServer ; Email: dor.azouri@safebreach.com ; Twitter: @bemikre
