CVE-2018-10959 - BeyondTrust - Untrusted Search Path
Mitre and NVD have recently made this 7.5 high severity CVE public, describing the vulnerability as an Untrusted Search Path vulnerability, exploitable by modifying environment variables to trigger automatic elevation of an attacker’s process launch.
The exact words within the CVE are:
Avecto Defendpoint 4 prior to 4.4 SR6 and 5 prior to 5.1 SR1 has an Untrusted Search Path vulnerability, exploitable by modifying environment variables to trigger automatic elevation of an attacker’s process launch.
Avecto has also identified this CVE in its release notes, which can be found here. They describe the fix as:
Added a check to ensure computer level environment variables cannot be overridden by user-defined environment variables.
However, neither of these descriptions provide enough detail to completely understand the vulnerability. Now that the nondisclosure window has passed and the CVE is publicly known, I would like to describe this vulnerability and exploit in more detail.
Avecto Privilege Guard
Avecto Privilege Guard is software used for endpoint privilege management. A common use case for this software is the scenario when a standard user needs limited administrative permissions. Rather than making the user an administrator, this software watches for programs to be executed, and if they match the configuration rules, automatically injects administrative permissions into the process’s security token.
Various rules and conditions can be used to identify which programs get this special treatment. Examples include file path, file name, trusted files (only files owned by administrators or SYSTEM), and digital signatures.
For this exploit, all rules that depend on the file path and include an environment variable as part of the path are vulnerable. For example, the following rule is vulnerable:
<Rule FilePath="%ProgramFiles%\Wireshark\Wireshark.exe" />
In this rule, whenever a standard user launches Wireshark, it would automatically be elevated by Avecto.
It should also be noted that the Avecto Management Console, which is a GUI front end for creating the rules file, automatically injects some System environment variables into paths when possible. Therefore, any rule that includes a file path of c:\Program Files is automatically converted to use the vulnerable %ProgramFiles% instead.
There are two types of Windows environment variables: User and System. User environment variables only apply to the current user logged in. System environment variables apply to all users of the computer. Windows has some default well-known System environment variables such as %SystemDrive%, %WinDir%, and %ProgramFiles% that typically resolve to C:, C:\Windows, and C:\Program Files respectively.
In the default scenario, when a System environment variable and User environment variable exist with identical names, the User environment variable takes precedence when referenced. It is due to this precedence ordering that this vulnerability exists.
Now it is time to exploit that Wireshark rule!
On the computer with this Wireshark rule in effect, %ProgramFiles% resolves to C:\Program Files. This means that when the standard user launches C:\Program Files\Wireshark\Wireshark.exe, this rule is matched and the process gets the administrator token injected by Avecto. This is the expected result.
To exploit as a standard user we need to create a User environment variable that matches. To do this, we launch a cmd prompt and run the following command:
setx ProgramFiles c:\Users\<StandardUser>\Desktop
This creates a user environment variable called ProgramFiles that points to an attacker’s writable folder.
Next, the rule file path directory is matched by creating a folder called Wireshark on the Desktop.
Finally, the attacker’s code is dropped into this folder and renamed to Wireshark.exe.
Now when the attacker’s code is launched, Avecto matches the rule to the attacker’s code and it automatically gives administrative permissions to the process launch. We have just exploited a Privilege Escalation vulnerability as any standard user can now launch any code with administrative permissions without needing to enter administrator credentials. From this point it is trivial to elevate to SYSTEM, giving complete ownership of the computer to the attacker.
As described in the release notes, the fix was fairly simple. Instead of using User environment variables before System environment variables when resolving rule file paths, the ordering has been switched. Now any standard Windows environment variables referenced in the rule file paths will always resolve to the correct System environment variable.
04/13/2018 - Discovered vulnerability.
04/23/2018 - Reported vulnerability to Avecto.
04/24/2018 - Avecto confirmed vulnerability.
05/09/2018 - Avecto released fix and release notes.
05/10/2018 - Mitre assigned a CVE number.
05/11/2018 - Avecto published updated release notes.
07/30/2018 - Nondisclosure agreement with Avecto expired.
01/14/2019 - Request to make the CVE public submitted to Mitre.
04/17/2019 - Mitre made the CVE public.