Windows Lockscreen Elevation of Privilege Vulnerability - CVE-2020-1398
Those research were based on Jonas's findings related to bypassing lock screens (presentation). He described a flaw, which allowed lock screen bypass using the Ease of Access feature.
Looking at CVE-2020-1398, the bug existed in the sticky keys pop-up
By clicking the link, an instance of settings will be spawned in the background. Then you’ll be simply able to bypass the lock screen. Microsoft has patched the issue by removing the link as it no longer appears when being spawned in a lock screen environment.
Now, I'll try to give a short explanation for you humans. Cause if I showed the video PoC you will be confused as hell.
I have noticed a weird kind of behavior when typing a wrong password, a small arrow next to the email address will be visible.
Clicking there will take us to another page. As we can see that we’re allowed to login with another email address or even create a new account.
I tried to create a new account, login with it but it fails since the account doesn’t belong to the one we are trying to reset its password.
However, this small button right there attracted my attention and hmmm it's interesting
By clicking on it we’ll see another pop-up dialogue, that has a link on it.
Hmmm very interesting, a link ? in the lock screen? weird right. As usual, we’ll click on it and see what happen… clicking on it did absolutely nothing, BUT maybe something was spawned in the background and we can’t see it, as Jonas described in his lock screen bypass, he used to enable the narrator in order to navigate in background apps. I enabled the narrator and got some very interesting results.
When enabled and I click on the button, you can hear the narrator saying “how do you want to open this”, and the narrator’s focus is on something else not in Microsoft account window. We spawned an “Open With” window with the narrator’s focus on it in the background; Typically the “Open With” window looks like this
But only has two options the first is MS Edge and the second one is Internet Explorer, we’ll dig with MS Edge since it’s selected by default, please NOTE that you might HOLD Caps lock while using arrow keys to navigate.
After tests, as soon as we select OK we lose the narrator’s focus and we’re no longer able to control the background window.
We can have the narrator’s focus again as soon as we repeat the steps described above, we’ll have the narrator’s focus again. But this time we’ll have it on MS Edge browser, at this point, we will need to elevate our privileges, the only way I can think of to execute arbitrary commands is to spawn a settings instance. This can be done by spawning another new InPrivate window, (please NOTE: you won’t be able to see any of those, and things will be completely invisible you must use your ear to hear what the narrator say and use it to navigate);
Then you might need to go on “More details”
Press enter and navigate to settings
Which will redirect us to another page, keep navigating until you reach “Windows Diagnostic data setting” and then navigate using a narrator to open and click enter again
In settings navigate to “Home” and press enter
Then navigate to “Devices”
Navigate to Autoplay->Choose Autoplay Defaults->” Open folder to view files(File Explorer)
At this point, you might need to plug a USB device into the device. As soon as plugged narrator will have his focus on file explorer, now you can execute anything in the USB.
In order to verify our findings, I made a simple batch script that will verify our findings
mkdir c:\poc
whoami /all > c:\poc\whoami.log
And after the execution, we can observe a success
Elevating privileges is easy since we’re marked as “NT AUTHORITY\Authenticated Users” as the majority of EoPs are reachable from those privileges.
PoC - https://youtu.be/9rXXfWN0h6A
Post a Comment