Multiple vulnerabilities found in Capmon Access Manager

This blog post highlights critical vulnerabilities found in installed software during customer engagement. The process for this publication is aligned with the Improsec Responsible Disclosure Policy.

Timeline

  • Improsec discovered these vulnerabilities during customer engagement (Windows System Analysis) in September/October 2018.

  • The vulnerabilities were disclosed to the vendor, CapMon, on October 9, 2018.

  • On October 12, 2018, the public disclosure date of December 13, 2018, was agreed upon in collaboration with CapMon.

  • CapMon worked hard to get fixes implemented as fast as possible, and a few meetings were held with Improsec researchers to figure out how to approach fixing the issues.

  • On December 12, 2018, CapMon informed all Access Manager customers directly with this letter (in danish), that a new version of the software was available for download.

  • Unfortunately, Improsecs customer had issues deploying the software version, so in this particular Responsible Disclosure case, we had to wait for them before disclosing, as we would of course not leave them vulnerable to our findings.

  • By March 3, 2019, Improsec received confirmation from our customer, that a new version of Access Manager was successfully deployed in their environment.

  • Improsec released this blog post on March 5, 2019.

CVEs registered (see appendix for more details)

What is Access Manager?

Access Manager is a software capable of controlling/managing local privilege rights and allows temporary local privilege escalations for predefined local user groups. Access Manager is a rather simple framework and consists primarily of the following two modules:

  • AccessManagerCoreService.exe (henceforth referred to as ‘AMCS’)

  • TaskTrayApplication.exe (henceforth referred to as ‘TTA’)

Disclaimer: both applications were heavily packed and have been restored for analytic purposes, and as such, code-snippets presented in this blog-post may contain absurd names for variables and/or classes.

TaskTrayApplication.exe (TTA)

The TTA process is the front-end application of the framework, and the only graphical interface exposed by the software, with which the user can interact intuitively. The application is exposed to the user in the form of a system tray icon with two basic functionalities:

  • Left-click to request privilege escalation (i.e. request to become a local administrator)

  • Right-click for more options, as seen below:

System Tray from the TaskTrayApplication

Upon either left-clicking the application or selecting the “Request Administrative Privileges” option from the right-click menu, you will be presented with the following “Elevation Reason”-dialog:

After entering a reason for privilege escalation, the ATT process will communicate with the AMCS process, notifying it about the privilege escalation request, which will be handled in full by the AMCS process.

This communication is performed through a named pipe (Global\AccessManager). All commands requested by the TTA process are sent in a simple string-format as seen below:

Command|Parameter0|...|ParameterN

For a regular privilege escalation request, the following command is sent:

QueryElevate|Username

Let’s take a further look at how the AMCS process handles the request(s).

AccessManagerCoreService.exe (AMCS)

The AMCS process is a deployed service and is executing as the most-privileged local windows user, namely the Local System user (i.e. NT AUTHORITY\SYSTEM). The AMCS allows “clients” (e.g. the TTA process) to communicate with it through the two-way named pipe (Global\AccessManager).

The AMCS process has a server thread that waits for pipe connections, then handles requests based on the first argument/substring in the string (i.e. the command). In the case of ‘QueryElevate’, the following code is executed:

t0.PNG

The “Core.CanElevate”-function is responsible for checking if a user is a member of the necessary local usergroup(s) or AD usergroup(s) to perform a privilege escalation. If all preconditions are met, the “Core.CanElevate”-function invokes a function named “Core.DoElevate” as seen below:

t1.PNG

The “Core.DoElevate”-function will add the user to the local ‘Administrators’ group as seen below, thus escalating the privileges of the user. Under normal circumstances, this elevation is limited to a small time frame (e.g. 2 minutes).

t2.PNG

Now that we know the basic functionality of the software, and how it works - let’s look at how we can abuse this!

How does being able to click a button make the application exploitable?

Looking through the pipe-thread in the AMCS application, we see a list of “sketchy” functionality that performs direct administrator-elevation (adds the user directly to the local Administrators group) or calls the “Core.DoElevate”-function directly, thus effectively circumventing the “Core.CanElevate”-function:

t7.PNG
 

Furthermore, some of these commands even skip the timeout-timer, such that the privilege escalation is persistent, and hence doesn’t decay. For example, the “DoEAL” (short for “Do Elevation At Login”) allows the requesting client to specify if they want to disable the timer with a boolean parameter, and the “CALScriptInit” (short for “Custom App Launcher Script Initialize”) will add the user directly to the ‘Administrators’ group without performing any sanity checks or notifying any timer events. These are all massive flaws, as one can simply communicate with the AMCS service directly, thus obtaining (persistent) local administrator privileges regardless of usergroup membership(s) or previous privileges.

However, as severely problematic as this may all seem, there is still an even bigger security flaw in this software - all these commands “only” grants local administrator privilege. There is a command that allows for even higher privilege escalation - namely the “CALScriptDRUN” command:

t9.PNG

This function is meant for running “login scripts”, and will call a sub-function to spawn a command prompt that spawns our script/application (specified as the 2nd argument) with our given command line arguments (specified as the 3rd argument). Now that doesn’t sound too dangerous, does it?

t8.PNG

It’s not actually dangerous that it simply spawns our specified application - in fact, we could do that by ourselves as well. The danger arises with the context in which it spawns it. As can be seen in the snippet above, it first obtains a handle to the process token from the “winlogon” process, then uses this to token to spawn our application to be running under the same user.

What’s really important to note here, is that the WinLogon process always runs under the Local System (NT AUTHORITY\SYSTEM) user, which is the utmost highest privileged windows user account.

This in turn means we can actually spawn any specified application(s) in a Local System context. This is really dangerous.






Can I exploit these commands without rebuilding the communication channel?

Surely this was the initial approach we took (proof-of-concept code can be found at the end of this post), but some of the functionality is actually accessible without an overly-technical approach. The “CALScriptInit” and “CALScriptDRUN” commands can be accessed directly through an executable shipped with the AccessManager framework named “CALRunElevated.exe”.

This application supports the following two command line arguments:

  • [short: -s] --system

  • [short: -c] --cmd <path to executable>






The --cmd argument specifies a file/script to run in an elevated state. The application will temporarily add the user to the local ‘Administrators’ security group, spawn the target application, then remove the user from the local ‘Administrators’ group. However, if you pass an invalid path as a parameter to the --cmd argument, the application will crash after having added the current user the security group, before removing the user from the group. This means you have effectively acquired persistent local administrator privileges.

The --system argument is a “switch” that tells the application that you wish to use the CALScriptDRUN-command behind-the-scenes (rather than the regular script elevation scheme, which uses CALScriptInit and CALScriptUninit). This means that your target will effectively be executed under the Local System user.

As proven above, anyone can abuse these vulnerabilities without any functional technical knowledge.






Recommendations

Make sure you are running the latest version of the product, which should no longer be vulnerable to these exploits. However, Improsec has not tested this explicitly.






Appendix

Proof of Concept code

  • As promised, here is the proof-of-concept script, written in PowerShell.

CVE #1

  • Improsec ID: 2018-016

  • Mitre CVE ID: CVE-2018-18252

  • Title: Access Manager - CALRunElevated.exe to SYSTEM rights

  • Product name: Access Manager

  • Product vendor: CapMon A/S

  • Tested version: 5.4.1.1005, but probably works on other/older versions as well

  • Vulnerability Type: Incorrect Access Control

  • Affected Component(s): CALRunElevated.exe

  • Attack Type: Local

  • Impact: Escalation of Privileges

  • Description:

    The TaskTrayApplication has a feature called Custom App Launcher (CAL) which executes a selected application in an elevated state.

    This is done through the AccessManagerCoreService.exe service, which is responsible for creating the actual process.

    If the 'CALBypassUAC'-setting is configured to '0' (false), the service will add the user to the local administrator group before creating the elevated process. While the process creation prompts for user credentials, other commands/applications can be executed as local administrator.

    In other words, if any allowlisted applications exists (and are executable), the user can gain local administrator privileges.

    This functionality has no privilege prerequisites.

  • Attack Vectors:

    A regular user (authorized for AccessManager or not) can obtain "NT AUTHORITY\SYSTEM" privileges if they run CALRunElevated.exe with the correct parameters.

    This vulnerability can easily be exploited by a malicious user or automated by malware.

  • Exploitation steps:

    1: Run CALRunElevated.exe with argument "--cmd <target> --system" or "-c <target> -s"

    2: The application is now operating under the "NT AUTHORITY\SYSTEM" user

    Example: The following command will spawn a shell in "NT AUTHORITY\SYSTEM" context: "CALRunElevated.exe -c cmd -s"

  • Discoverers/Researchers:

    • Security Advisor Jakob H. Heidelberg, Improsec A/S

CVE #2

  • Improsec ID: 2018-017

  • Mitre CVE ID: CVE-2018-18253

  • Title: Access Manager - CALRunElevated.exe to Local Admin rights (randomstring)

  • Product name: Access Manager

  • Product vendor: CapMon A/S

  • Tested version: 5.4.1.1005, but probably works on other/older versions as well

  • Vulnerability Type: Incorrect Access Control

  • Affected Component(s): CALRunElevated.exe

  • Attack Type: Local

  • Impact: Escalation of Privileges

  • Description:

    CALRunElevated.exe from the AccessManager suite requires a parameter called "--cmd <path>" (short "-c <path>").

    The "-c <path>" parameter specifies a path to a target application, to be run with local administrator privileges.

    AccessManager will perform the following tasks (in the given order):

    -> Add user to the local administrator group

    -> Run the target application

    -> Remove user from the local administrator group

    Passing an invalid path as argument to the "-c <path>" option will cause the application to throw an exception (and crash), as no input validation or error handling is in place.

    This crash will occur after having added the user to the local administrator group but before removing the user.

    The user is now part of the local administrator group.

    It must be noted, that there's a race condition in the way the elevation functionality has been designed, as a malware could monitor the local administrators group and wait to fully execute until the user becomes part of the group, even if it's just split seconds.

    This parameter has no privilege prerequisites.

  • Attack Vectors:

    A regular user can obtain local administrator privileges if they run CALRunElevated.exe with certain parameters.

    This vulnerability can easily be exploited by a malicious user or automated by malware.

  • Exploitation steps:

    1: Run CALRunElevated.exe with argument "--cmd <random faulty path string>"

    2: The user is now now part of the local administrator group

    Example: "CALRunElevated.exe -cmd randomstring"

  • Discoverers/Researchers:

    • Security Advisor Jakob H. Heidelberg, Improsec A/S

CVE #3

  • Improsec ID: 2018-018

  • Mitre CVE ID: CVE-2018-18254

  • Title: Access Manager - If an allowlisted app path is writable it will process with Local Admin rights

  • Product name: Access Manager

  • Product vendor: CapMon A/S

  • Tested version: 5.4.1.1005, but probably works on other/older versions as well

  • Vulnerability Type: Incorrect Access Control

  • Affected Component(s): AccessManagerCoreService.exe & TaskTrayApplication.exe

  • Attack Type: Local

  • Impact: Escalation of Privileges

  • Description:

    The AccessManager suite consists of a server (AccessManagerCoreService.exe) and a client (TaskTrayApplication.exe).

    The client can invoke a feature called "Custom App Launcher" (short "CAL") in the server.

    The server uses a SQLite3 database containing a table called "cal_whitelist".

    All applications listed in this table has been approved for elevated execution by the CAL feature.

    A regular user has permission to read the database-file, and can hence query the database for a list of these applications.

    If any of the applications listed exist in (or at least points to) a location that the user can write to, that user can potentially overwrite an application with a malicious file and launch it in an elevated state through the CAL feature.

    This functionality has no privilege prerequisites.

  • Attack Vectors:

    A regular user can, under certain circumstances, launch a target executable in an elevated state.

    This vulnerability can be exploited by a malicious user and potentially be automated by malware.

  • Exploitation steps:

    1: Open the database ("C:\ProgramData\AccessManager\db.dat") with SQLite3

    2: Query the white-list table ("select * from cal_whitelist;")

    3: Place a malicious executable at one of the paths shown by the query (if any)

    4: Use the "Custom App Launcher" feature of TaskTrayApplication.exe

    5: The malicious executable is now running in an elevated state

  • Discoverers/Researchers:

    • Junior Security Advisor, Valdemar Carøe, Improsec A/S

CVE #4

  • Improsec ID: 2018-019

  • Mitre CVE ID: CVE-2018-18255

  • Title: Access Manager - AccessManagerCoreService.exe can be called direct

  • Product name: Access Manager

  • Product vendor: CapMon A/S

  • Tested version: 5.4.1.1005, but probably works on other/older versions as well

  • Vulnerability Type: Incorrect Access Control

  • Affected Component(s): AccessManagerCoreService.exe

  • Attack Type: Local

  • Impact: Escalation of Privileges

  • Description:

    The AccessManager suite's functionality depends mainly on the AccessManagerCoreService.exe service server.

    The client-applications of the AccessManager suite communicates with this server through named pipes.

    A user can initiate communication with the server by creating a named pipe and start sending commands.

    Through the named pipe, the following commands can be sent to achieve elevated privileges:

    -> InitE (local administrator privileges)

    -> DoEAL (local administrator privileges)

    -> CALScriptInit (local administrator privileges)

    -> CALScriptDRUN ("NT AUTHORITY\SYSTEM" privileges)

    These commands have no privilege prerequisites.

  • Attack Vectors:

    A regular user can obtain elevated privileges (local administrator or "NT AUTHORITY\SYSTEM") by sending commands to the AccessManagerCoreService.exe service over the named pipe.

    This vulnerability can be exploited by a malicious user or automated by malware.

  • Exploitation steps:

    1: Create a named pipe client and connect to "Global\AccessManager"

    2: Send the command "InitE|<username>"

    2a: The user (<username>) is now part of the local administrator group

    3: Send the command "DoEAL|<username>|<timer>" (timer : 0 = enabled, 1 = disabled)

    3a: The user (<username>) is now part of the local administrator group

    4: Send the command "CALScriptInit|<username>|<application>|<arguments>" (application and arguments can be empty)

    4a: The user (<username>) is now part of the local administrator group

    4: Send the command "CALScriptDRUN|<application>|<arguments>

    4a: The executable (<application>) is now running under the "NT AUTHORITY\SYSTEM" user

  • Discoverers/Researchers:

    • Junior Security Advisor, Valdemar Carøe, Improsec A/S

CVE #5

  • Improsec ID: 2018-020

  • Mitre CVE ID: CVE-2018-18256

  • Title: Access Manager - A single Whitelisted App means Local Admin rights

  • Product name: Access Manager

  • Product vendor: CapMon A/S

  • Tested version: 5.4.1.1005, but probably works on other/older versions as well

  • Vulnerability Type: Incorrect Access Control

  • Affected Component(s): AccessManagerCoreService.exe & TaskTrayApplication.exe

  • Attack Type: Local

  • Impact: Escalation of Privileges

  • Description:

    The TaskTrayApplication has a feature called Custom App Launcher (CAL) which executes a selected application in an elevated state.

    This is done through the AccessManagerCoreService.exe service, which is responsible for creating the actual process.

    If the 'CALBypassUAC'-setting is configured to '0' (false), the service will add the user to the local administrator group before creating the elevated process. While the process creation prompts for user credentials, other commands/applications can be executed as a local administrator.

    In other words, if any allowlisted applications exist (and are executable), the user can gain local administrator privileges.

    This functionality has no privilege prerequisites.

  • Attack Vectors:

    A regular user can obtain local administrator privileges if they run any allowlisted application through the Custom App Launcher

    This vulnerability can easily be exploited by a malicious user.

  • Exploitation steps:

    1: Access the "Custom App Launcher" part of TaskTrayApplication.exe

    2: Select a allowlisted application from the list (don't type credentials in the prompt)

    3: The user is now part of the local administrator group and can launch (other) code as a local administrator

  • Discoverers/Researchers:

    • Junior Security Advisor, Valdemar Carøe, Improsec A/S

    • Security Advisor Jakob H. Heidelberg, Improsec A/S


Updated March 07, 2019, to reflect details of each CVE (appendix expanded).