![]() The administrative access could be granted temporarily and only for one, specific action – like running a well-known, digitally signed software installer and nothing else. One could argue that this does create a few low-risk security problems. A couple of other popular ones are FileMonitor64.dll (Avanquest Powerdesk File Monitor) and fzshellext_64.dll (FileZilla). WinSCP’s DragExt64.dll is just one of several examples of cases we observed, when elevated LogonUI.exe loads extension DLLs from regular user directories that were discovered during the process. So just to be clear, the discussed LPE vector was created in result of a minor bug in WinSCP installer manifesting itself only when running elevated, whereas the elevation itself was totally legitimate. The answer was quickly discovered by trial-and-error approach – it turned out that if WinSCP installer was run with administrative privileges, it would create that registry entry regardless of whether the user chose installation for all users or for the current user only, ending up with the relevant registry entry pointing at the local user path to DragExt64.dll, as demonstrated in the screenshot below:Īs further investigation revealed, in all discovered cases local users did not have local administrator privileges on their systems, but they were allowed to temporarily obtain them using software known as Admin By Request – which is an interesting solution providing a compromise between security and flexibility, so users can still perform some administrative tasks, like installing software they need, but those permissions are temporary and granted only for explicitly requested operations. The question that remained, however, was why would in some cases when WinSCP was clearly deployed for the current user only, the path to the DragExt64.dll end up in a HKLM entry, which clearly requires administrative privileges to be written to. The event can be reproduced by triggering Winlogon to create a new instance of LogonUI.exe by interactively logging into the system, either after booting the system, waking it up from sleep/hibernation or just unlocking the desktop. The presence of that path in that registry entry causes LogonUI.exe to load the DLL file from the path pointed by that entry. When installing for all users, WinSCP installer (running as SYSTEM), creates a new string entry in the registry at HKLM\Software\Classes\Directory\ShellEx\CopyHookHandlers\WinSCPCopyHook, containing the full path to the DragExt64.dll ( C:\Program Files (x86)\WinSCP\DragExt64.dll by default) – which can be easily confirmed with either the registry editor or Sysinternals Autoruns. The second choice results in deployment into the current user’s %LOCALAPPDATA%\Programs\WinSCP directory and therefore does not require administrative privileges. The default and recommended option deploys WinSCP into C:\Program Files (x86)\WinSCP\ and therefore requires the installer to be run with administrative privileges. ![]() Further investigation revealed that in some systems that file could be found at C:\Program Files (x86)\WinSCP\DragExt64.dll, while in other systems the location was the local user %LOCALAPPDATA%\Programs\WinSCP folder – suggesting that the difference came from whether the user, during installation, chose “Install for all users (recommended)” or “Install for me only”, as demonstrated in the screenshot below: ![]() Since such DLL files are owned by the user (ownership by default inherited from the directory), but executed as SYSTEM, it was clear that this phenomenon created a potential vector for local privilege escalation, as simple as replacing the original DLL with a custom one, containing arbitrary code.įollowing up, it turned out that DragExt64.dll is an extension of WinSCP responsible for drag & drop support, distributed along with WinSCP. A couple of months ago, while analyzing one of our environments, we had noticed instances of the LogonUI.exe process – running as NT AUTHORITY/SYSTEM – loading a DLL file named DragExt64.dll from local user %LOCALAPPDATA%\Programs\WinSCP\ directories, e.g., C:\Users\bob\AppData\Local\Programs\WinSCP\DragExt64.dll.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |