Is Splashtop secure

This blog post highlights bugs found in installed software while doing vulnerability research. The process for this publication is aligned with the Improsec Responsible Disclosure Policy.

CVE registered

  • CVE: CVE-2020-12431

What is Splashtop Streamer

Splashtop Streamer is a remote desktop application that allows users to share their desktop and remotely control workstations. The affected component is the Splashtop Updater that is bundled with Splashtop Streamer, as well as certain other Splashtop products.

Timeline

  • 13/2-2020 Improsec identified the vulnerability.

  • 21/2-2020 Contact with Splashtop established; the vulnerability disclosed to the software vendor.

  • 24/2-2020 The software vendor acknowledged the vulnerability report.

  • 13/3-2020 Software vendor releases an internal software update for testing.

  • 19/3-2020 Improsec reviewed the update and acknowledged that the vulnerability was fixed.

  • 6/4-2020 Improsec contacts vendor again about another vulnerability in the same update function.

  • 7/4-2020 The software vendor acknowledged the vulnerability report.

  • 14/4-2020 Software vendor releases an internal software update for testing.

  • 15/4-2020 Improsec reviewed the update and acknowledged that the vulnerability was fixed.

  • 25/4-2020 Software vendor releases patched software packages.

  • 19/5-2020 Public disclosure of the vulnerability.

We want to thank Splashtop Inc. for an effective and professional response.


Walkthrough

Using SysInternals AccessEnum showed that all members of the group "Users" had read and write access to "C:\ProgramData\Splashtop".

Various Splashtop products come bundled with a "Splashtop Updater" package. This package deploys various files, amongst these an executable (which sits in the taskbar tray) and another executable, "SSUService.exe", that runs as a service in the context of "NT Authority/System".

Performing a manual update from the tray application would call SRUpdate.exe, which in turn would call SSUService.exe through a named pipe and start an update process.

Monitoring the update process with ProcMon showed that the service executable read an INI file from "C:\ProgramData\Splashtop\Splashtop Software Updater\Tracking\".

Loading the service executable into Ghidra and searching for functions that load INI files showed the function below (here manually renamed to "parse_ini"). The function revealed the different variables that could be set in the INI file, amongst these "Platform", which would be used as the filename of a log file.

To test the function I created an INI file with the "Platform" variable set.

Calling the update function showed that a CSV file would be created if it did not already exist. The file would be created in the same directory as the INI file, with "Platform_" prepended to the defined filename.

After the CSV file had been created, SetSecurityFile was called to set read and write rights on the file for Anyone.

Setting the "Platform" variable to a path-traversing filename showed that it was possible to write the CSV file to any location on the file system. This also bypassed the "Platform_" prefix added to the filename.

While running the update function, the "SRUpdate.exe" executable, which ran in the context of "NT Authority/System", would try to load several non-existing DLL files from the directory "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\". Amongst these was a DLL file called "SRUpdateENU.dll".

Since the "SSUService.exe" service would append ".csv" to the defined "Platform" variable when creating new log files, and since parent directory rights prevented me from simply renaming my CSV file to e.g. "SRUpdateENU.dll", I had to find a way to prevent the application from appending ".csv" to the filename.

To do this I used the Alternate Data Streams (ADS) feature of NTFS. When a filename contains a colon, the part after the colon names the alternate data stream. By setting the "Platform" variable to e.g. "TEST:", the CreateFile function would treat the appended ".csv" as the name of an ADS, and "TEST" would be the full filename.

Using this technique allowed me to write an empty file to "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdateENU.dll". Every user on the system would be able to write new data to the file.

I then compiled a malicious DLL file that would execute a reverse shell.

Using "type", I wrote the content of my malicious DLL file into the empty "SRUpdateENU.dll" and then called the update function.

This executed my reverse shell as "NT Authority/System", and privilege escalation was achieved.

Splashtop Software Updater 1.5.6.16 was released which fixes this problem.


Further research into another privilege escalation vulnerability

I did some further research into the Splashtop update mechanism after the above vulnerability had been patched. I found that the two programs, SRUpdate.exe and SSUServer.exe, were communicating via the already mentioned named pipe, SSU_IPC_NAMED_PIPE_0, created by SSUServer.exe. When an update was triggered, SRUpdate.exe would connect to the named pipe and send a 560-byte payload. This payload contains the filename of the file that SSUServer.exe creates in C:\ProgramData\Splashtop\Splashtop Software Updater\Tracking\. SSUServer.exe appends the file extension .ini to that filename.

Wiretapping the named pipe with ioNinja showed the payload sent upon an update call from SRUpdate.exe to SSUServer.exe.

Checking permissions on the named pipe showed that all users were allowed to read/write to the pipe.

When the .ini file had been created and written to, SetSecurityFile was called to set the permissions of the file to READ/WRITE for all users.

By sending a custom payload that performed directory traversal to a target directory (using the trick described in the first part of the write-up) so that ".ini" became an Alternate Data Stream name, the SSUServer.exe program was forced into writing data to the directory's ADS and setting the permissions of the directory to READ/WRITE for all users. Afterwards a malicious DLL file like the above SRUpdateENU.dll could be placed in the now writable directory and executed as NT Authority/System.

Payload data sent from exploit to named pipe.

Permissions on C:\Program Files (x86)\Splashtop\Splashtop Remote\Server were set to READ/WRITE for everyone, thereby making privilege escalation through DLL hijacking possible.

Proof-of-concept exploit to perform privilege escalation. main.dll copied to SRUpdateENU.dll executes a reverse shell.

Splashtop Streamer version 3.3.8.0 comes bundled with Splashtop Updater that fixes this vulnerability.
