How to find an LPE in Windows ALPC (CVE-2018-8440 analysis)
debug environment: Windows 10 + rpc viewer + IDA Pro
What is ALPC
ALPC (Advanced Local Procedure Call) is an internal, undocumented inter-process communication facility provided by the Microsoft Windows NT kernel for lightweight IPC between processes on the same computer.
ALPC is used in the following situations:
1. when using the Microsoft RPC API to communicate locally, i.e. between processes on the same machine
2. by calling Windows APIs that are implemented on top of ALPC
Actually, I do not know any details about #2, so let's just talk about using the RPC API to communicate locally.
CVE-2018-8440 is an LPE vulnerability in the Windows Task Scheduler ALPC interface: an attacker could create a hardlink to the file he wants to gain access to, and then a function in schedsvc.dll could be abused to set the DACL (Discretionary Access Control List) of that hardlink.
Setting the DACL on the hardlink performs the same operation on the target file, so the attacker could overwrite an auto-run exe or dll and gain administrator privileges.
Let's see how we could discover it in an easier way.
Open rpc viewer and look at the interfaces present on the system;
the function names are then shown on the right.
We use IDA Pro to analyse schedsvc.dll and find out what the SchRpcSetSecurity function does.
The function receives 3 parameters, then calls RpcServer::SetSecurity.
We can see that parameter 1 is used as a filename pointing into C:\windows\tasks\ with the extension .job, and parameter 2 is an SDDL string describing the DACL; it is transformed into a security descriptor by the function ConvertStringSecurityDescriptorToSecurityDescriptor.
OK, the problem is clear: we could create a hardlink with the .job extension, then use the SchRpcSetSecurity function to set its DACL.
The exploit template can be found in James Forshaw's historical report; what you need to do is turn the interface into an .idl file, and rpc viewer can help you do this.
So finally we call SchRpcSetSecurity("hardlink", "sddl_string", 0) and everything is done.
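As an added example that is not part of the original post and not code from schedsvc.dll, here is a defender-side check in Python showing what the service was missing before it applied a caller-supplied DACL: the .job name must stay inside the tasks directory and the file must not be a hard link to anything else. The function names, the directory layout and the sample files are assumptions constructed for the example; Microsoft's actual fix is not reproduced here.

```python
import os
import stat
from pathlib import Path

# Added example: hardening checks modelled on the CVE-2018-8440 bug. Function
# names and directory layout are assumptions, not schedsvc.dll's own code.


class UnsafeJobFile(Exception):
    """Raised when a .job path must not have its security descriptor changed."""


def safe_job_path(tasks_dir: str, task_name: str) -> Path:
    """Return the validated path of <task_name>.job inside tasks_dir, or raise."""
    # A task name is a bare name, never a path: reject separators and dot names.
    if not task_name or task_name in (".", "..") or any(c in task_name for c in "/\\"):
        raise UnsafeJobFile(f"task name contains a path component: {task_name!r}")
    root = Path(tasks_dir).resolve()
    job = root / f"{task_name}.job"
    # resolve() follows symlinks/junctions; the result must still sit under root.
    if root not in job.resolve().parents:
        raise UnsafeJobFile(f"path escapes the tasks directory: {job}")
    st = os.lstat(job)
    if not stat.S_ISREG(st.st_mode):
        raise UnsafeJobFile(f"not a regular file: {job}")
    # A link count above 1 means the same file data (and, on NTFS, the same DACL)
    # is reachable under another name, e.g. a protected system DLL.
    if st.st_nlink > 1:
        raise UnsafeJobFile(f"{job} is a hard link (link count {st.st_nlink})")
    # Caveat: this check and the later DACL write are still two operations; the
    # service should open the file once and apply the DACL to that handle.
    return job


def audit_tasks_dir(tasks_dir: str) -> list:
    """Detection sweep: names of .job files in tasks_dir that fail the check."""
    flagged = []
    for entry in sorted(Path(tasks_dir).glob("*.job")):
        try:
            safe_job_path(tasks_dir, entry.stem)
        except (UnsafeJobFile, OSError):
            flagged.append(entry.name)
    return flagged
```

The sweep is the same check run over every .job file in the directory, so it can be used to look for hardlinks that have already been planted.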