BITSInject Control your BITS, get SYSTEM Dor Azouri Security - - PowerPoint PPT Presentation



SLIDE 1

BITSInject

Control your BITS, get SYSTEM

Dor Azouri Security Researcher @SafeBreach

SLIDE 2

Background Intelligent Transfer Service


SLIDE 3

A couple more bits about BITS

  • Available since 2001 (Windows XP)
  • Most known use: Windows Update
  • Advanced features

SLIDE 5

DEMO: Software updating itself using BITS

SLIDE 6

TOOL DEMO #1

BITSInject to open an interactive shell as NT AUTHORITY\SYSTEM, in session 0

SLIDE 12

BITS Background & Terms

  • PowerShell
  • bitsadmin
  • 3rd-party
  • BITS Job: Download / Upload / Upload-Reply
  • COM Interfaces (C/C++): qmgrprxy.dll, qmgr.dll
  • State File

SLIDE 13

Known Malicious Uses

  • BITS as a malware downloader
  • As a persistence mechanism (e.g. DNSChanger/Zlob.Q)
  • As C&C communication

SLIDE 14

The inspiration? The way WU downloads and installs updates
The drive? Jealousy … of how WU adds SYSTEM jobs

SLIDE 15

Some of LocalSystem Privileges

  • Can open the registry key HKLM\SECURITY and SAM
  • On a DC - has unrestricted access to AD Domain Service
  • Has the network privileges of the machine
  • Covert identity

SLIDE 16

Some of LocalSystem Privileges

[SYSTEM whoami] - [Administrator whoami] =

  • SeAssignPrimaryTokenPrivilege
  • SeLockMemoryPrivilege
  • SeTcbPrivilege
  • SeCreatePermanentPrivilege
  • SeAuditPrivilege

SLIDE 17

The Abuse

SLIDE 18

The Enabling Feature

SetNotifyCmdLine

SLIDE 19

Naive Try - PSEXEC

bitsadmin /CREATE I_WANT_YOUR_SYSTEM
bitsadmin /ADDFILE I_WANT_YOUR_SYSTEM http://site.com/software.exe c:\temp\software.exe

SLIDE 20

God Created a Rock He Can’t Pick Up

bitsadmin /CANCEL I_WANT_YOUR_SYSTEM

Unable to add file to job - 0x800704dd
The operation being requested was not performed because the user has not logged on to the network

SLIDE 21

How does wuaueng do the things it does?

CoSwitchCallContext to the COM interface of qmgr.dll:

qmgr!CJobManagerExternal::CreateJob
  -> qmgr!CJob::AddFile
  -> qmgr!CJob::Resume
  -> qmgr!CJob::Transfer
  -> qmgr!CJob::BeginDownload

SLIDE 24

Going after wuaueng

Compare flow of calls between wuaueng and bitsadmin:

1. qmgr!CJobManagerExternal::CreateJob -- identical
2. qmgr!CJobExternal::AddFile -- identical, but: exception is thrown here (0x800704dd)

Reason: bad pairing of {Client SID} and {Session ID}
Solution: Fake {Session ID}

SLIDE 25

Checkpoint #1 - AccessCheck

One of the functions at the heart of the Windows security model. It is boolean: GRANT or DENY.

  ➔ IServerSecurity::CoImpersonateClient
  ➔ Impersonation token is checked against the job’s security descriptor
  ➔ IServerSecurity::CoRevertToSelf

SLIDE 27

Checkpoint #2 - Active Logon

BITS requires the requesting user to be logged on for a job to continue operation

C:\Windows\system32>qwinsta

 SESSIONNAME  USERNAME  ID     STATE   TYPE  DEVICE
                               Disc
>console      1         1      Active
 Rdp-tcp                65536  Listen

SLIDE 29

Faking Session ID

SwitchToLogonToken:

  {Client SID} = (from Job object)
  {Session ID} = 1 (GetTokenInformation(12), i.e. TokenSessionId)
  CloneUserToken: CLoggedOnUsers::FindUser({SID}, ...) in {Session ID}

  {SYSTEM} is NOT logged on in session {1}

SLIDE 30

Faking Session ID

1. Breakpoint is placed just before the call to CJobManager::CloneUserToken
2. Run CMD/PowerShell as SYSTEM using psexec, then:
     bitsadmin /create I_WANT_YOUR_SYSTEM
     bitsadmin /addfile I_WANT_YOUR_SYSTEM <URL> <DestinationFile>
3. Breakpoint is hit. Change the return value of the GetTokenInformation call to 0, which is the SYSTEM session ID (WinDbg):
     Memory change: [rsp+20h]=0

SLIDE 31

Faking Session ID

SwitchToLogonToken:

  {Client SID} = (from Job object)
  {Session ID} = GetTokenInformation(12) (TokenSessionId), now patched so that {Session ID} = 0
  CloneUserToken: CLoggedOnUsers::FindUser({SID}, ...) in {Session ID}

SLIDE 32

CNestedImpersonation::*

Takes care of the token manipulations

  ➔ CNestedImpersonation::Impersonate(void) uses ImpersonateLoggedOnUser(HANDLE hToken)
  ➔ The desired action is performed under impersonation, then it reverts back to self

SLIDE 33

public enum JOB_STATE { Queued, Connecting, Transferring, → Suspended, Error, TransientError, Transferred, Acknowledged, Cancelled, Unknown };

SLIDE 34

The State File is the Supervisor

Represents the job queue:

  C:\ProgramData\Microsoft\Network\Downloader\(qmgr0.dat|qmgr1.dat)

Alternated update; the current one is recorded in:

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS\StateIndex

SLIDE 35

The State File

  • Straight-forward: CJob::Serialize(class CQmgrWriteStateFile &) calls CQmgrStateFiles::Write(void const *,ulong) for each job property
    e.g. string representation of "SYSTEM" (a DWORD count of 7 UTF-16LE characters, null terminator included, followed by the characters):
    07 00 00 00 ‘S’ 00 ‘Y’ 00 ‘S’ 00 ‘T’ 00 ‘E’ 00 ‘M’ 00 00 00
  • Unencrypted
  • Partially protected
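As an added, defender-side example (not code from the BITSInject repository), the following Python scanner uses the two state-file details the deck gives: the version-dependent headers from the "Migration of the Queue" slide and the length-prefixed UTF-16LE string encoding shown above. It identifies the file version of a qmgr0.dat/qmgr1.dat copy and carves its serialized strings so a responder can spot job properties such as an executable path set through SetNotifyCmdLine; the executable heuristic and the sample bytes are constructed for this example.

```python
import re
import struct
# Header byte sequences as quoted on the "Migration of the Queue" slide.
STATE_FILE_HEADERS = {
    "Windows 7": bytes.fromhex("F56A192B7C008F438D121CFCA4CC9B76"),
    "Windows 10": bytes.fromhex("2832ED09A6C7E9458F6D36D946C27C3E" + "00" * 8),
}
# Triage heuristic assumed by this example (not BITSInject's logic): a recovered string
# that names an executable deserves review, since SetNotifyCmdLine is the enabling feature.
EXECUTABLE = re.compile(r"\.(exe|cmd|bat|ps1)(\s|$)", re.IGNORECASE)

def identify_version(data: bytes):
    """Match the start of a qmgr*.dat blob against the known headers; None if unknown."""
    for name, header in STATE_FILE_HEADERS.items():
        if data.startswith(header):
            return name
    return None

def extract_strings(data: bytes, max_units: int = 4096) -> list:
    """Recover strings stored as a DWORD code-unit count (terminator included) followed by
    UTF-16LE units, e.g. 07 00 00 00 'S' 00 'Y' 00 ... 'M' 00 00 00 -> "SYSTEM".
    The job layout is not parsed: every offset is tried, giving (offset, text) pairs."""
    found = []
    for off in range(len(data) - 3):
        count = struct.unpack_from("<I", data, off)[0]
        end = off + 4 + count * 2
        if count < 2 or count > max_units or end > len(data) or data[end - 2:end] != b"\0\0":
            continue
        try:
            text = data[off + 4:end - 2].decode("utf-16-le")
        except UnicodeDecodeError:
            continue
        if text and all(ch.isprintable() for ch in text):
            found.append((off, text))
    return found

def flag_executables(strings: list) -> list:
    """Recovered strings that look like a program path or command line."""
    return [text for _, text in strings if EXECUTABLE.search(text)]

def serialize_string(text: str) -> bytes:
    """Encode one string the way the slide's hex dump shows (used to build the sample)."""
    units = text.encode("utf-16-le") + b"\0\0"
    return struct.pack("<I", len(units) // 2) + units

# Constructed sample, not a real state file: Win10 header, filler, three serialized strings.
SAMPLE = (STATE_FILE_HEADERS["Windows 10"] + b"\x01\x00\x00\x00"
          + serialize_string("SYSTEM") + b"\xaa\xbb"
          + serialize_string(r"C:\Windows\System32\cmd.exe")
          + serialize_string("BITSInject demo job"))
```

Run it against a copy of the state file (service stopped, or a volume shadow copy) rather than the live file; the offset in each result lets you cross-reference the hit in a hex editor.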

SLIDE 37

sc stop bits
timeout 5
del /Q /F C:\ProgramData\Microsoft\Network\Downloader\*

>> Put modified state file

sc start bits

SLIDE 40


SID            Name (Level)   Use
S-1-16-0x0     Untrusted (0)  Used by processes started by the Anonymous group. It blocks most write access.
S-1-16-0x1000  Low (1)        Used by Protected Mode Internet Explorer.
S-1-16-0x2000  Medium (2)     Used by normal applications being launched while UAC is enabled.
S-1-16-0x3000  High (3)       Used by applications launched through UAC elevation, or if UAC is disabled and the user is an administrator.
S-1-16-0x4000  System (4)     Used by services and other system-level applications (Wininit, Winlogon, Smss...).

SLIDE 41

Migration of the Queue

Just copy-paste the state files between machines.

Windows 7 Header:

F5 6A 19 2B 7C 00 8F 43 8D 12 1C FC A4 CC 9B 76

Windows 10 Header:

28 32 ED 09 A6 C7 E9 45 8F 6D 36 D9 46 C2 7C 3E 00 00 00 00 00 00 00 00

SLIDE 43

A Cleaner Method

Version Dependent Header
State File Header
Queue Header
  Jobs Counter = n
  Job Header / Job #0 / Job Footer
  ...
  Job Header / Job #n / Job Footer
Queue Footer

Added job: Job Header / Job #x / Job Footer, and the counter becomes n++

SLIDE 44

BITSInject

  • Injects a job with LocalSystem as owner
  • Job is removed when finished
  • Allows editing some of the job’s parameters, more in the future

SLIDE 45

Interactive Services Detection - UI0Detect

sc stop UI0Detect
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows /v NoInteractiveServices /t REG_DWORD /d 1 /f
sc start UI0Detect

OR: use a non-interactive exe

SLIDE 46

TOOL DEMO #2

BITSInject non-interactive command

SLIDE 47

SimpleBITSServer

  • A simple Python implementation of a BITS server
  • Can respond without a Content-Length header
  • Accelerates the method by pushing the job into the ERROR state
  • On Windows 10: fake VSN to avoid network traffic

SLIDE 48

The Enabling Conditions

  • Relying on state file data without verification
  • Lack of unique machine identification
  • File permissions integrity
  • Clear, straight-forward object serialization to disk

SLIDE 50

Other Potential Abuses

Interfere with a software update job:

1. WU-choking using file name exhaustion:
   C:\Windows\SoftwareDistribution\Download\GUID\BIT[0-9A-F]{1,4}\.tmp
   (69,904 possible file names)

SLIDE 52

Other Potential Abuses

Interfere with a software update job:

1. WU-choking using file name exhaustion: BIT[0-9A-F]{1,4}\.tmp
2. Change job state using BITSInject.py
3. Completely remove a job from the queue using BITSInject.py

SLIDE 53

MSRC: “...A malicious administrator can do much worse things.”

SLIDE 54

Links

BITSInject (Tool code + Parser): https://github.com/SafeBreach-Labs/BITSInject
SimpleBITSServer: https://github.com/SafeBreach-Labs/SimpleBITSServer
Email: dor.azouri@safebreach.com
Twitter: @bemikre
