Wednesday, August 30, 2023

UAC Hijack using MSDT to Elevate Privileges

MSDT is a Microsoft command binary that according to their Windows Commands Reference Page (reference below) "Invokes a troubleshooting pack at the command line or as part of an automated script, and enables additional options without user input."
 

Using sigcheck.exe from the Sysinternals Suite we can see that the binary's manifest has the autoElevate setting set to true:
sigcheck.exe -m C:\Windows\System32\msdt.exe



 

This result means that UAC auto-elevation applies to this binary. Although this is good news, further research shows that the tool does not auto-elevate on its own: as noted above, it must be pointed at a diagnostic package, and that package must itself require admin privileges.

----------------------------------------------------------------------------------

Going further, we see that the XML troubleshooting package files we need to call with MSDT live in the directory "C:\Windows\diagnostics\index", and if we run the command:


findstr /s /i /m "RequiresAdminPrivileges>True" C:\WINDOWS\diagnostics\index\*


 

then we see which troubleshooting packages require elevation themselves, which is what this bypass needs.

----------------------------------------------------------------------------------

So, using the syntax for the tool (Windows Commands Reference Page), we come up with the command:


c:\windows\syswow64\msdt.exe -path C:\WINDOWS\diagnostics\index\BluetoothDiagnostic.xml -skip yes

(the -skip yes switch bypasses the troubleshooting prompt and starts troubleshooting automatically)
 

and the result is an elevated instance of msdt.exe being spawned!

msdt.exe elevated instance spawned



 

----------------------------------------------------------------------------------

We also uncover that msdt.exe spawns sdiagnhost.exe with elevated privileges, and that this process searches for the file BluetoothDiagnosticUtil.dll. Using procmon filters we see that C:\Users\USER\AppData\Local\Microsoft\WindowsApps\BluetoothDiagnosticUtil.dll is one of the locations it searches, and that lookup just so happens to result in 'NAME NOT FOUND'.

This is good for two reasons: 1) this path is writeable by the user, and 2) it gives us elevated DLL loading by a Microsoft binary.

missing DLL to hijack

 

----------------------------------------------------------------------------------

Utilizing this technique we can have our malicious DLL loaded by the sdiagnhost.exe process, which is spawned with ELEVATED privileges from msdt.exe, meaning our malicious file will give us an elevated shell upon execution!!
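From the defender's side, the tell-tale sign of this hijack is an elevated diagnostic host (msdt.exe or sdiagnhost.exe) loading a DLL from a user-writable profile path, or one that is not Microsoft-signed. As an added example (not part of the original post), the following Python flags such image-load events; the records are constructed here using Sysmon Event ID 7 field names and are not real telemetry.

```python
import re

# Constructed Sysmon-style ImageLoad (Event ID 7) records, not captured telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\sdiagnhost.exe",
     "ImageLoaded": r"C:\Windows\System32\BluetoothDiagnosticUtil.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 7, "Image": r"C:\Windows\System32\sdiagnhost.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\BluetoothDiagnosticUtil.dll",
     "Signed": "false", "Signature": ""},
    {"EventID": 7, "Image": r"C:\Program Files\Editor\editor.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Editor\plugin.dll",
     "Signed": "false", "Signature": ""},
]

# Processes the post shows running elevated via msdt's auto-elevation.
ELEVATED_DIAG_HOSTS = {"msdt.exe", "sdiagnhost.exe"}

# Anything under a user profile is writable by that user; a system diagnostic
# host has no business loading code from there.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)


def basename(path):
    """Return the lowercase file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious(evt):
    """True when an elevated diagnostic host loads a DLL from a user-writable
    location or one that lacks a Microsoft signature."""
    if evt.get("EventID") != 7:
        return False
    if basename(evt["Image"]) not in ELEVATED_DIAG_HOSTS:
        return False
    from_user_path = bool(USER_WRITABLE.match(evt["ImageLoaded"]))
    not_ms_signed = (evt.get("Signed", "false").lower() != "true"
                     or "Microsoft" not in evt.get("Signature", ""))
    return from_user_path or not_ms_signed


def find_hijacks(events):
    """Return the loaded-DLL paths of every suspicious image-load event."""
    return [e["ImageLoaded"] for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for path in find_hijacks(SAMPLE_EVENTS):
        print("suspicious DLL load by diagnostic host:", path)
```

The legitimate System32 load and the unrelated editor plugin are ignored; only the DLL pulled from the WindowsApps folder in the user profile is reported.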

 

LINKS:

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msdt - (Windows Commands Reference Page)

https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html

https://blog.sevagas.com/?MSDT-DLL-Hijack-UAC-bypass 

https://github.com/hfiref0x/UACME/tree/master
