Privilege Escalation to System User on Windows 10 using CVE-2019-1405 and CVE-2019-1322

Author: Vuong Doan Minh, Software Engineer, OPSWAT

Introduction

Privilege escalation is a type of exploit that provides malicious actors with elevated access rights to protected resources in an application or operating system.

Exploit Description

CVE-2019-1405 can be used to elevate the privileges of any local user to the local service user.

CVE-2019-1322 can be used to elevate the privileges of the local service user to the local system user.

Therefore, chaining both CVEs into one exploit elevates the privileges of any local user to the system user.

These vulnerabilities affect computers running Microsoft Windows 10 1803 and above that have not been updated to the latest patch, or at least to the November 12th, 2019 security update [1][2].

Potential Effect

This is very dangerous for organizations because there are many ways to gain access to a machine inside an organization. For example, in an organization using a domain controller, any user can log in to any machine in the domain if he has physical access to it. Normally he can only access data limited to his own user account on that machine. But by using these vulnerabilities, he can create elevated processes to:

  • Add new user accounts to the Administrators group to access confidential resources.
  • Install backdoors and malicious programs on the victim's machine for later exploits.
  • View, change, or delete any data.

How OPSWAT Helps You Detect the Vulnerabilities

MetaAccess can detect devices that have these vulnerabilities and provide remediation instructions.

Once the OPSWAT Client is installed, it detects vulnerabilities on the endpoint and reports them to MetaAccess. MetaAccess analyzes the data and notifies end-users if any vulnerability is found, along with helpful instructions to remediate the detected ones. Administrators can also manage all vulnerable devices via the MetaAccess web console.

MetaDefender Core, with its file-based vulnerability assessment technology, can detect vulnerabilities in binary files on endpoints. MetaDefender Core also provides APIs that can be integrated with other services to scan files, for example files going in and out of your organization's network.

  • If the vulnerable file is among the system files, it is a sign that you should update your system.
  • If the vulnerable file belongs to a software program, you should update the software or consider uninstalling it temporarily.
  • If an installer is vulnerable, you should not install it on any machine in your organization.
  • If a library file in your project is vulnerable, you should find the latest patched version of the library, or stop using it if there is no patch for the vulnerabilities.

How to Exploit?

The exploit code for this vulnerability chain can be found at https://www.exploit-db.com/exploits/47684, as a module of Rapid7's Metasploit framework [3].

Exploit demo:

  • Attacker machine: Kali Linux.
  • Victim machine: Windows 10 1803 x64.
  • The demo assumes the attacker already has access to the victim's machine.

Remediation

It is strongly recommended that you always keep Windows up to date, especially with security-related updates (KB), or at least apply the security patches up to November 2019.
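The following PowerShell script is an added example, not code from the original post or from OPSWAT; it gives an administrator a quick local check for the patch state described above. It reads the Windows 10 release and build from the registry, reports whether the machine is in the affected range (1803 and above, where 1803 corresponds to build 17134), and then lists security updates installed on or after November 12th, 2019. It assumes that the cumulative update shipped on that date appears in Get-HotFix with an InstalledOn date; no KB identifier is hard-coded because the post does not name one, so the date is used as the criterion instead.

```powershell
# Added example (not from the original post): check whether this Windows 10 host
# is in the affected range and whether any security update from the November 2019
# patch cycle (or later) has been installed.

$PatchDate = [datetime]'2019-11-12'   # date of the fix for CVE-2019-1405 / CVE-2019-1322
$MinAffectedBuild = 17134              # Windows 10 1803 (assumption: build-to-release mapping)

# Release and build of the running OS, as stored by Windows Setup.
$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuild
Write-Host ("Windows 10 release {0}, build {1}" -f $cv.ReleaseId, $build)

if ($build -lt $MinAffectedBuild) {
    Write-Host 'Release is below 1803; the post does not list it as affected.'
} else {
    Write-Host 'Release is 1803 or above; verifying that the November 2019 patches are present.'
}

# Security updates installed on or after the patch date. Get-HotFix can return a
# null InstalledOn for some entries, so those are skipped rather than compared.
$recent = Get-HotFix |
    Where-Object { $_.Description -eq 'Security Update' -and $_.InstalledOn -and $_.InstalledOn -ge $PatchDate } |
    Sort-Object InstalledOn

if ($recent) {
    Write-Host 'Security updates installed on or after 2019-11-12:'
    $recent | Format-Table HotFixID, InstalledOn -AutoSize
} else {
    Write-Warning 'No security update dated 2019-11-12 or later was found. Run Windows Update and apply all pending security updates.'
}
```

Run the script in an elevated PowerShell session on the endpoint. The date-based check is deliberately conservative: a host that shows a newer cumulative update is patched because Windows 10 cumulative updates supersede earlier ones, whereas an empty result means the host still needs the November 2019 (or later) security update.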

References

[1] "CVE-2019-1405 | Windows UPnP Service Elevation of Privilege Vulnerability". Available: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1405

[2] "CVE-2019-1322 | Microsoft Windows Elevation of Privilege Vulnerability". Available: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1322

[3] "Metasploit by Rapid7". Available: https://www.metasploit.com/
