Windows: Impersonation Check Bypass with MRXDAV

[GoogleCodeExporter]

Title: Windows: Impersonation Check Bypass with MRXDAV
Platform: Windows 7, 8.1 Update 32/64 bit
Class: Security Bypass

The implementation of WebDAV consists of two parts, a user-mode service which 
implements the majority of the functionality and a kernel mode driver which 
acts to interface with the redirector driver. The driver and user-mode devices 
communicate using FS/Device control codes.

There's a bug in the way that the driver verifies that the caller has 
sufficient permissions to communicate with the driver. It performs effectively:

LUID luid;
SeCaptureSubjectContext(&ctx)
SeQueryAuthenticationId(SeQuerySubjectContextToken(&ctx), &luid);
if(luid == LocalSystemLUID)
{
   local_system = true;
}

The code makes no verification that the caller isn't impersonating local system 
at identification level. This allows a normal user to capture a system token 
and (from what I can tell) pretend to be the WebClient service, which might 
lead to a significant amount of unexpected behaviour such as implementing 
custom filesystem semantics.

Attached is a simple PoC which demonstrates the issue. It sends the control 
code 0x140394 to the webdav redirector driver. To reproduce follow the steps.

1) Ensure the WebClient service and MRXDAV.SYS drivers are running. This can be 
achieved through manual starting or navigating to a webdav share such as 
\\live.sysinternals.com\tools. 
2) Execute TestWebDAV.exe from the command line as a normal, non-admin user
3) The program should print, "Sent request, should have got access denied" if 
it succeeded. 

Expected result: 
The DeviceIoControl should fail with ERROR_ACCESS_DENIED

Observed result:
The DeviceIoControl succeeds 

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by fors...@google.com on 24 Oct 2014 at 3:07

Attachments:

• Poc_TestWebDav.zip

[GoogleCodeExporter]

Original comment by fors...@google.com on 24 Oct 2014 at 9:48

• Added labels: MSRC-20915
• Removed labels: ****

[GoogleCodeExporter]

Original comment by fors...@google.com on 28 Nov 2014 at 9:23

• Added labels: ****
• Removed labels: ****

[GoogleCodeExporter]

Original comment by fors...@google.com on 2 Dec 2014 at 11:10

• Added labels: Product-Windows-Kernel
• Removed labels: Product-Windows

[GoogleCodeExporter]

Correspondance Date: 29 Oct 2014

< Microsoft informs us that they've reproduced the issue and it seems likely 
that's it will be a bulletin class issue but they state that they will get back 
to us with confirmation soon soon. 

Original comment by fors...@google.com on 13 Jan 2015 at 12:38

• Added labels: ****
• Removed labels: ****

[GoogleCodeExporter]

Fixed in https://technet.microsoft.com/en-us/library/security/ms15-008.aspx

Original comment by fors...@google.com on 13 Jan 2015 at 6:45

• Added labels: CVE-2015-0011
• Removed labels: ****

[GoogleCodeExporter]

Original comment by fors...@google.com on 16 Jan 2015 at 4:25

• Changed state: Fixed
• Added labels: ****
• Removed labels: ****

[GoogleCodeExporter]

Removing view restriction.

Original comment by fors...@google.com on 20 Jan 2015 at 6:03

• Added labels: ****
• Removed labels: Restrict-View-Commit