At [1], the code retrieves a listing of all files in the random temporary directory.
At [2], it iterates over those files, and at [3] it deletes them.
At [4], it deletes the entire directory. Please note that the second argument is equal to false. This means that the directory deletion operation is not recursive, and later on we are going to abuse that.
When I fully analyzed the DumpDataReader constructor, I realized that there are multiple obstacles in the way of using this as our file write primitive:
• We can only extract files ending with dmp, whereas we need to drop a file with the specific name FUSE.Paxos.dll, as hardcoded in the DLL loading gadget.• Files will be removed right after the extraction.• Files are extracted to a path containing a GUID, and we can’t predict that path name, whereas we would need to provide a full path to the DLL loading gadget.• The attacker’s string (path) is verified with File.Exists. Later on, we will see how this is problematic.• We may need to extract more than one file, and we will see below how this also presents a minor difficulty.
You can see that the list is quite long, so the gadget appears useless at this point. However, I realized that the expand call itself is vulnerable to Argument Injection. I started playing with expand by testing various arguments, and it turned out that this injection was enough to bypass all the above restrictions! Now let us see how.
1. DumpDataReader: Extracting files with extension other than DMP
The first restriction that we want to bypass is the one that prevents extraction of files unless the filename ends with dmp. This is due to the-F switch provided to the expand utility:
expand -F:*dmp attacker-path C:\Windows\Temp\<random-guid>
Let’s consider a file f.cab that contains our malicious FUSE.Paxos.dll. We should not be able to extract it and preserve its name, due to the -F:*dmp argument. While playing around, I noticed that if either -r or -i is provided to expand, the -F argument is completely ignored! In the next screenshot, I have bypassed the extension-based protection by injecting the -i argument.
Zero Day Initiative — Exploiting Exchange PowerShell After ProxyNotShell: Part 3 – DLL Loading Chain for RCE
Related Posts
North Korean APT Bypasses DMARC for Cyber Espionage
COMMENTARYWith heightened geopolitical tensions, a surge in cyberattacks on US and allied organizations by a North Korean cyber-espionage group is hardly unexpected. What is disquieting, however, is that an advanced…
Mistrial declared for ex-AT&T exec accused of bribing government official
A mistrial was declared today in the trial of former AT&T Illinois President Paul La Schiazza, who was accused of bribing a powerful state lawmaker’s ally in order to obtain…