Voidtools Everything Service - DLL hijacking and Potential Abuses (CVE-2020-24567)

August 20th, 2020: Tamir Vered and Eran Shisel

Introduction

Cymaera discovered a new vulnerability in voidtools' Everything service for Windows.

Hereafter we describe the vulnerability found in voidtools Everything service. Then, we describe how an attacker could take advantage of this vulnerability to achieve privilege escalation, persistence and possible whitelist bypass by using the technique of implanting an arbitrary unsigned dynamic link library which is executed by a signed service that runs as NT AUTHORITY\SYSTEM.

Everything service

The voidtools Everything application is a fast search utility alternative to the Windows search feature. To achieve its search speed performence, Everything indexes all fixed NTFS/ReFS volumes [1], which requires administrator privileges.

In order to enable high privileged execution without forcing the user to run Everything as administrator everytime and popup a UAC dialog, Everything has an optional (though default) feature of installing a service which is executed with NT AUTHORITY\SYSTEM privileges on startup.

Vulnerability

Discovery

We initially targeted the Everything service because of the following reasons:

  • It is executed with NT AUTHORITY\SYSTEM privileges, which is a typical target when looking for a privilege escalation vulnerability since it may be very useful for a potential attacker.
  • The installed service has the same executable as the Everything app itself, which may be installed in a low privileged directory.
  • It is signed, which means that malicious code executed on behalf of the service may bypass whitelists that include the Everything executable.

We begin by inspecting the Everything service file system and registry activity and observe the following behaviour on process startup:


As we can see, an unsigned DLL named urlmon.dll is loaded from C:\Windows\System32 after the process attempts to find it in the Everything installation directory first. Implementing our own DLL named urlmon.dll and placing it in Everything's installation directory will allow an attacker to hijack the original DLL.

Proof of Concept

In order to not harm the functionality of the service, we are willing to forward all calls to our "urlmon.dll", to the original urlmon.dll.

After realizing that this dependency is indirect, we look for all of the statically known usages of urlmon.dll by Everything.exe:


We see that the only required function is CopySgtMedium, and compile a DLL which exports a function with the same signature. Our DLL forwards each call to CopySgtMedium to the original urlmon.dll, and additionally, we write the path to the current executable, along with the name of the user to which this process belongs, to a text file in C:\Windows\System32.

and place it in Everything's installation directory:


Now when the Everything service starts, a file named test.txt is created in C:\Windows\System32 with the following content:

C:\Windows\System32\Everything.exe - System

This shows us that our "malicious" code was indeed executed in the context of the Everything service with system privileges.

Potential Implications

Privilege Escalation

By taking advantage of this vulnerability, an attacker authorized to write in the Everything's installation directory, which may be accessible to any low privileged user, may execute code in NT AUTHORITY\SYSTEM privileges.

Whitelist Bypass

An attacker taking advantage of this vulnerability may evade whitelisting mechanisms since it allows his elevated code to be executed on behalf of the signed service, which is considered legitimate.

Persistence

The attacker's code execution is persistent across system reboots, due to the fact that the Everything service is started automatically at system startup, and the malicious code will be loaded with it, as long as his DLL remains in the installation directory.

Affected Versions

All Everything versions prior to 1.4.1.990 that include the Everything service feature.

Timeline

16/08/2020: Vulnerability found by Cymaera.

17/08/2020: Vulnerability reported to voidtools.

18/08/2020: Voidtools have confirmed the vulnerability.

18/08/2020: Voidtools have patched and disclosed the vulnerability [2].

20/08/2020: CVE ID was requested by Cymaera.

21/08/2020: CVE-2020-24567 was allocated by Mitre [3].

References

[1] https://www.voidtools.com/support/everything/indexes/#refs

[2] https://www.voidtools.com/forum/viewtopic.php?p=32509#p32509

[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24567