debug enviorment: Windows10 + rpc viewer + IDA pro

what is ALPC

ALPC(Advanced Local Procedure Call) is an internal, undocumented inter-process communication facility provided by the Microsoft Windows NT kernel for lightweight IPC between processes on the same computer.

ALPC is called in the following situation:

1.when using the Microsoft RPC API to communicate locally, i.e. between the processes on the same machine

2.by calling Windows APIs that are implemented with ALPC

Actually I'm do not know any about the detail of #2 , so let's just talk about RPC API to communicate locally

vulnerability analysis

CVE-2018-8440 is a LPE vulnerability in windows task ALPC , attacker could create a hardlink to the file he want to gain access , then a function in schedsvc.dll could be abused to set DACL(Discretionary Access Control List) of this hardlink.

DACL setting on the hardlink leads to a same operation on the target file , attacker could rewrite an auto-run exe or dll , then gain administrator priviledge.

Let's see how we could discover it in an easier way

open rpc reviewer , see interfaces in system

pic1

then the function name is shown on the right.

we use IDA pro to anlysis schedsvc.dll , find what SchRpcSetSecurity function do.

pic2

the function receive 3 parameters , then call RpcServer::SetSecurity

pic3

we could see that parameter 1 is used as a filename points to C:\windows\tasks\ , the extension name is .job , then parameter 2 is a SDDL string , which used to describe DACL. it was transfromed to SecurityDescriptor by function ConvertStringSecurityDescriptorToSecurityDescriptor.

ok , the problem is clear , we could create a hardlink with .job extension , then use SchRpcSetSecurity function to set DACL.

the exploit template could be found in jamesforshow's historical report , what you need to do is transform the interface to .idl file , rpc viewer could help you do this.

pic4

so finally we call SchRpcSetSecurity("hardlink","sddl_string",0) , everything is done.

reference

https://sandboxescaper.blogspot.com/2018/10/reversing-alpc-where-are-your-windows.html