Exploitalert - Database of Exploits

Microsoft Windows Local WebDAV NTLM Reflection Privilege Escalation

CVE	Category	Price	Severity
CVE-2020-2409	CWE-287	$10,000 - $25,000	High

Author	Risk	Exploitation Type	Date
Dheeraj Palagiri	High	Local	2015-03-25

CVSS	EPSS	EPSSP
CVSS:5.8/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Local	AV	The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	Low	PR	The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

http://cxsecurity.com/ascii/WLB-2015030176

Windows Local WebDAV NTLM Reflection Elevation of Privilege Platform: Windows 8.1 Update, Windows 7 Class: Elevation of Privilege Disclosure Date: 18th March 2015 Reference: https://code.google.com/p/google-security-research/issues/detail?id=222 Summary: A default installation of Windows 7/8 can be made to perform a NTLM reflection attack through WebDAV which allows a local user to elevate privileges to local system. It can also be used to escape application sandboxes if TCP socket access is not blocked. This issue was reported to Microsoft Security Response Center in December 2014. Microsoft have decided not to change the default behaviour to fix this issue, therefore all current Windows client platforms are vulnerable to this privilege escalation unless mitigations are applied. Description: NTLM reflection is a well known issue with Windows authentication. It's typically abused in networked scenarios to reflect credentials from one machine to another. It used to be possible to reflect credentials back to the same machine but that was mitigated in MS08-068 by not honouring NTLM authentication sessions already in flight. However this did nothing to stop cross-protocol attacks. It's possible to abuse cross-protocol NTLM reflection to attack the local SMB server by forcing a local system process to access a WebDAV UNC path. The NTLM authentication can then be reflected locally authenticating to the Server service as NT AUTHORITY\SYSTEM. From this it's possible to elevate privileges by writing files to the admin shares or connecting to the service manager named pipe. This issue is known about and mitigations were created, such as Extended Protection for Authentication. However due to compatibility concerns these mitigations are not enabled by default. As Microsoft will not be issuing a security bulletin for this issue following the mitigation guidance below. Mitigations: By default all Windows client installations are vulnerable. Even though the WebClient service is not started by default it's possible to start it using service triggers. The recommended fixes for this issue are: * Enable SMB signing, or, * Enable SMB Server SPN verification Please see the following references for more information on the issue and how to configure the mitigations. Security Advisory: https://technet.microsoft.com/library/security/973811 KB Article: http://support.microsoft.com/kb/973811 SMB EPA KB article http://support.microsoft.com/kb/2345886 You can also disable the WebClient service completely, however that only mitigates this specific expression, it might be possible to achieve the exploitation in other ways, such as DCE/RPC. Disclosure Timeline: - 18 Dec 2014: Sent Microsoft details of issue and proof-of-concept - 18 Dec 2014: Received confirmation and MSRC case number 21243 - 20 Jan 2015: Received correspondence from Microsoft detailing their thoughts that it's a known issue and due to application compatibility concerns mitigations default to off - 20 Jan 2015: Requested clarification on whether Microsoft intended to fix the issue or not - 10 Mar 2015: Notified Microsoft of the upcoming 90 day deadline - 18 Mar 2015: Got final response from Microsoft indicating they would not be fixing the issue and consider mitigations sufficient - 18 Mar 2015: Marked as WontFix and removed view restriction on the issue

Impressum