My Journey to learn and write and exploit for CVE-2019-19470

6 minute read

Looking for Spanish? > Español aquí

Hello! I will try to tell you my story about how I reproduced the CVE-2019-19470, it will be both a personal learning and some technical examples, but it is not intended to be a tutorial, if you want a more technical review, you can read the original publication.

All credits for this PoC goes to @frycos & @codewhitesec for discovering the bug and their write up.

Let’s start…

This is how I started… One day on Twitter I was looking for things related to “simple” privilege escalation errors and I found this James Forshaw tweet, which was commenting on a privilege escalation posted by @frycos from @codewhitesec blog post and I decided to read it.

After reading the article, I had some ideas on how some things work and I was familiar with most of the shared content. The best part of this article is that they didn’t publish the PoC, so I decided to replicate it and create my own proof of concept.

CVE Summary

To give you an idea about this vulnerability, basically Tyniwall.exe is a firewall application that runs as SYSTEM, it has a Namedpipe interface that is intended to communicate only with the Tyniwall process, the error occurs due to a deserialization attack, where it is possible to serialize a command and send it through Namedpipe by falsifying the name of the process to obtain the execution of the command as SYSTEM.

The process to replicate the exploit.

I read the article several times and decided to work each piece separately. I will mention each of them and explain the approach I took to learn how they work.

Note: The order of this blog is not necessarily the order in which I did things, or how I learned, in practice it was a mess, I started with Namedpipes, but when some things didn’t work, I jumped to dnSpy, returned to Namedpipes, read and investigate PEB and deserialization, etc. It was a messy investigation, but I’ll try to tell you about my learning at each stage.

Namedpipes

I have some ideas of what a namedpipe is, maybe played a little with it, but I think I needed to read and research a little more, so my focus was to do 2 things:

  1. Read about Namedpipes, how they are, how they work and why people use it.
  2. Investigate errors related to Namedpipes, documents, videos, blogs, etc.

Basically, Namedpipes provide communication between processes, a process that acts as a server and another as a client. Click here more information.

After reading some articles, I created a basic server/client application in C# to see how it works. The application consist in a server with a file available and a client who connects to the server pipe, takes the file and copies it into a directory. The code is available here

namedpipes-file-transf

Understanding better how Namedpipe works and interprocess communication, I tried to replicate the same deserialization method used by Tinywall and execute code from one application (Namedpipe Server) to the other (Namedpipe Client) and I did it using the example provided by @frycos in the blog post to run a calculator. The code is also available here

namedpipes-pop-calc

Everything I’ve put so far seems super easy, but the truth it didn’t come easily, in this process, I read a lot and tried things that didn’t work, also download IO Ninja, a tool that allows you to sniff Namedpipes among other things, I discovered it while watching Gil Cohen’s videos discussing Namedpipe, and how to abuse it, you can see his talks Defcon and HIP17

Deserialization

The starting point for the research was ysoserial.net, it is a collection of utilities discovered in common .NET libraries that can, under the right conditions, explode .NET applications to perform insecure deserialization of objects.

While researching on deserialization, I watched 2 or 3 videos of Álvaro Muñoz @pwntester, author of ysoserial.net and read some of his investigations and bugs he found, I didn’t save all the links of what I read about him, but you can watch this video that I loved:

Attacking the deserialization of .NET - Álvaro Muñoz

Alvaro also added to his tool the TypeConfuseDelegate utility of James Forshaw tyraniddo, which is like the father of privilege escalation because some of his research and tools have opened Doors to more researchers to find bugs based on his work! Thank you for your amazing research, books, videos, etc.

Ysoserial.net, as Álvaro mentions, was inspired by Chris Frohoff’s ysoserial project, the java version. If you wanted to understand a little better how to use it before continuing, you can see how I use it to exploit Arkham of HTB.

dnSpy

dnSpy allows us to decompile .NET code and extract the source code, even set breakpoints, modify variables in real time, etc., a really amazing tool dnsSpy.

@frycos notes in the post: “Now, we created a malicious object with ysoserial.NET and Forshaw’s TypeConfuseDelegate gadget to pop a calc process. In the debugger, we use System.Convert.FromBase64String(“…”) as expression to replace the current value”

My point here was the following, I understand what this function (System.Convert.FromBase64String) does, but how can I use that in dnSpy? I laughed out loud when I discovered what I need to do, basically it was to copy and paste the text as he mentioned and dnSpy will do the rest, you’ll see the gif so you can understand what I’m talking about: D

“Who doesn’t know is like who doesn’t see”.

dnSpy-base64

PEB - Process environment block

The final part of the equation was the PEB. The PEB is a data structure that applications can use to obtain information about a process, such as the list of loaded modules, startup arguments, image address, command line values, etc.

WinDbg is a tool you can use to inspect the PEB, for example. I used WinDbg before to try to understand topics like AMSI, Process Hollowing, etc., at least I had an idea of how to use it. At this point, my approach was to understand how to modify the PEB manually and then do it programmatically, so I installed WinDbg and followed the publication of @spotless on how to do it, you can find it here

windbg

Code C# to modify the PEB

After I finished understanding what I had to do with the PEB, it was necessary to automate the process in C #, fortunately, I didn’t find any C # code that did PEB manipulation, the only reference I had was the @FuzzySec PowerShell script that mentions @frycos in the article Masquerade-PEB.ps1.

My first idea was to find a way to convert the code to C#, look for some tools, guides and so on, but I couldn’t do it, I tried to simplify the replication process, but for my luck I couldn’t. Looking at the Masquerade-PEB code, I found it very complex to replicate, but I tried anyway and I could say that of everything I did, this was the part I enjoyed the most and the one I learned the most.

The beauty of this replication process is that it helped me to better understand how everything works, the classes, the API calls, the calculations to obtain the locations of the PEB parameters, everything started to make sense as I went along and then From some tests and errors, reading here and there, I was able to create my own version of Masquerade-PEB in C #

modify-peb

success-gif-9

Note: when I tweeted what I did, @Cn33liz pointed out that he did it 2 years ago with the project p0wnedShell he was also kind to point me to this link to help me understand how a piece of code works.

Exploit Execution

With all the pieces of the puzzle I just needed to put each one in its place, so I did it!

The PoC for CVE-2019-19470 can be found here

God bless you!

Serving Christ is not a task, but a relationship. Friends of God Jn 15: 15

Updated: