Privilege Escalation
- Cylance Inc.
CylancePROTECT versions prior to 1470
The CylancePROTECT update service gives Users Modify permissions on the log folder, as well as any log file it writes. This allows any user to empty the folder and use it as a Mount Point, which can be combined with a Symbolic Link to create an arbitrary file with Modify permissions when a new log file is created.
Cylance has released an update (1470) that addresses the privilege escalation vulnerability. Customers receiving automatic updates are already protected. Otherwise, updating to the latest version of CylancePROTECT will mitigate this issue.
This vulnerability was found by Ryan Hanson of Atredis Partners
- https://www.atredis.com/blog/cylance-privilege-escalation-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2018-10722
- https://github.com/atredispartners/advisories/blob/master/ATREDIS-2018-0003.md
- 2017-12-13: Atredis Partners sent an initial notification to Cylance
- 2017-12-14: Atredis Partners submits advisory and PoC to Cylance through Bugcrowd
- 2017-12-14: Cylance confirms receipt of advisory
- 2017-12-18: Cylance confirms the issue has been validated
- 2018-01-23: Atredis Partners asks Cylance for a status update
- 2018-01-23: Cylance indicates release was delayed and will provide release date when available
- 2018-01-26: Cylance notifies Atredis the 1470 release started its rollout
- 2018-01-28: Cylance awarded Ryan Hanson with $1,500 bounty on Bugcrowd
- 2018-02-02: Atredis Partners confirms the vulnerability has been fixed
- 2018-02-20: Atredis Partners requests coordinated disclosure
- 2018-04-04: Cylance and Atredis Partners arranged disclosure through blog post
- 2018-05-01: Atredis Partners plans to publish advisory ATREDIS-2018-0003
To reproduce the vulnerability the user would first empty the log folder and then create the following mount point and symbolic link structure to create a DLL in the Cylance installation folder:
- The
C:\Program Files\Cylance\Desktop\log
folder points to the\RPC Control\
object directory. - The
\RPC Control\2017-12-14.log
symlink points to\??\C:\Program Files\Cylance\Desktop\libc.dll
To trigger the vulnerability, the CylanceUI.exe IPC channel is used to communicate with the CylanceSvc to set the logging level and check for update. Upon triggering an update, CyUpdate.exe is started and attempts to write to the log file C:\Program Files\Cylance\Desktop\log\2017-12-14.log
. With the log folder mount point in place, the path resolves to \RPC Control\2017-12-14.log
, which points to \??\C:\Program Files\Cylance\Desktop\libc.dll
. The end result is a DLL created with modify permissions granted to all Users, allowing for it to be overwritten with a malicious DLL. It should be noted that any file can be created in any folder, this is not limited to the Cylance folder.
By combining the arbitrary file write with a DLL side-load in the CyUpdate.exe process, privileges can be escalated to SYSTEM. Upon startup, the CyUpdate process attempts to find a missing libc.dll in the Cylance folder. If libc.dll is found, the CyUpdate process loads it and triggers code execution. Since CyUpdate.exe is signed by Cylance and running as SYSTEM, it is permitted to communicate directly with the CYDETECT driver. By sending the ENABLE_STOP IOCTL code, the malicious DLL can gain the ability to stop the CylanceSvc.