{"id":305,"date":"2020-09-11T12:57:19","date_gmt":"2020-09-11T12:57:19","guid":{"rendered":"http:\/\/labs.redyops.com\/?p=305"},"modified":"2021-10-06T06:40:27","modified_gmt":"2021-10-06T06:40:27","slug":"ibm-qradar-wincollect-escalation-of-privileges-cve-2020-4485-cve-2020-4486","status":"publish","type":"post","link":"https:\/\/labs.redyops.com\/index.php\/2020\/09\/11\/ibm-qradar-wincollect-escalation-of-privileges-cve-2020-4485-cve-2020-4486\/","title":{"rendered":"IBM QRadar Wincollect Escalation of Privilege (CVE-2020-4485 & CVE-2020-4486)"},"content":{"rendered":"
<\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/div><\/div>\n\n\n\n

Summary<\/strong><\/h1>\n\n\n\n

Assigned CVE<\/strong>: CVE-2020-4485 and CVE-2020-4486<\/em> have been assigned and RedyOps Labs has been publicly acknowledged by the vendor.<\/p>\n\n\n\n

Known to Neurosoft’s RedyOps Labs since<\/strong>: 13\/05\/2020<\/p>\n\n\n\n

Exploit<\/strong> Code<\/strong>: N\/A<\/p>\n\n\n\n

Vendor’s Advisory<\/strong>: https:\/\/www.ibm.com\/support\/pages\/node\/6257885<\/a><\/p>\n\n\n\n

An Elevation of Privilege (EoP) exists in IBM QRadar Wincollect 7.2.0 – 7.2.9 . The vulnerability described gives the ability to a low privileged user to delete any file from the System and disable the Wincollect service. This arbitrary delete vulnerability can be leveraged in order to gain access as NT AUTHORITY\\SYSTEM. During the exploitation, the attacker disables the Wincollect service. <\/p>\n\n\n\n

Description<\/strong><\/h1>\n\n\n\n

There are two distinct root causes which can lead to the same issue (arbitrary delete):
After the installation of the WinCollect, the installer remains under the folder c:\\Windows\\Installer . Any user with low privileges can run the installer with the following command:<\/p>\n\n\n\n

msiexec \/fa c:\\Windows\\Installer****.msi<\/code><\/pre>\n\n\n\n
The WinCollect\u2019s installer, although it will eventually fail when executed by a low privileged user, it will create log files under the User\u2019s Temp folder. <\/p>\n\n\n\n
At some point, the installer will try to delete those log files as SYSTEM. As long as the user controls the files in his Temp folder (C:\\Users\\username\\AppData\\Local\\Temp), they can create a symlink targeting any file in the system. When the installer tries to delete these files, it will follow the symlink and will perform the delete actions as SYSTEM.<\/p>\n\n\n\n
Even if the symlinks are mitigated in the future by Microsoft, an attacker can achieve the arbitrary delete by editing the file ~xxxx.tmp<\/strong> . <\/p>\n\n\n\n
The file C:\\Users\\username\\AppData\\Local\\Temp\\~xxxx.tmp<\/strong> where xxxx is a random hex, ends with the lines:<\/p>\n\n\n\n
[SearchRepalceTargetBackupFiles]\nC:\\Program Files\\IBM\\WinCollect\\config\\CmdLine.txt=C:\\Users\\attacker\\AppData\\Local\\Temp_isFD30\nC:\\Program Files\\IBM\\WinCollect\\config\\logconfig_template.xml=C:\\Users\\attacker\\AppData\\Local\\Temp_isFD8F\nC:\\Program Files\\IBM\\WinCollect\\templates\\tmplt_AgentCore.xml=C:\\Users\\attacker\\AppData\\Local\\Temp_isFDAF<\/code><\/pre>\n\n\n\n
An attacker can edit these lines and add the files he wants to delete. For example:<\/p>\n\n\n\n
[SearchRepalceTargetBackupFiles]\nC:\\Program Files\\IBM\\WinCollect\\config\\CmdLine.txt=C:\\windows\\win.ini\nC:\\Program Files\\IBM\\WinCollect\\config\\logconfig_template.xml=C:\\Users\\Admin\\whatever.exe\nC:\\Program Files\\IBM\\WinCollect\\templates\\tmplt_AgentCore.xml=C:\\Users\\anotheruser\\logs.txt<\/code><\/pre>\n\n\n\n
When we cancel the installer, these files will be deleted as SYSTEM.<\/p>\n\n\n\n
As a bonus, during this process, the wincollect service will stop and will remain stopped, until we cancel the operation.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Exploitation<\/strong><\/h1>\n\n\n\n
In order to Exploit the issue, no special program is needed . <\/p>\n\n\n\n
In the following paragraph, a step by step explanation of the Video PoC is provided.<\/p>\n\n\n\n
Please note, that the vulnerability of the IBM QRadar Wincollect ends when we delete the WER folder (or any other file\/folder you want to delete). <\/p>\n\n\n\n
The use of the arbitrary delete issues, in order to escalate to SYSTEM, is irrelevant to this vulnerability and it is an MS Windows issue. This technique has been described by Jonas L<\/a> in his blogpost https:\/\/secret.club\/2020\/04\/23\/directory-deletion-shell.html <\/a><\/p>\n\n\n\n
The delete.exe is an implementation of this technique, which can be found in my github repo https:\/\/github.com\/DimopoulosElias\/Primitives<\/a> <\/p>\n\n\n\n
Video PoC Step By Step<\/strong><\/h1>\n\n\n\n
\n