Wacom Driver Local Privilege Escalation Vulnerability

CVE-2023-32163 · ZDI-CAN-16857 (0-day)

Table of Contents 📜

Premise

How did I discover the vulnerability?

Analyzing suspicious operations of PrefUtil.exe

An Arbitrary File Write primitive can be useful

Oh?! Is FTD2XX.dll a phantom DLL?

Different ways to escalate our privileges

The Exploit

POC

How to fix the vulnerability

Vulnerability disclosure timeline

Final considerations

Premise

This article describes a vulnerability affecting Wacom Driver 6.3.46-1 and 6.3.45-1 (it probably affects older versions as well but I haven't tested them) and a way by which this vulnerability can be exploited for a Local Privilege Escalation.
Since I've already extensively detailed and discussed here a similar vulnerability, I highly recommend reading it to better understand what you’re going to read (also this and this reports can be helpful as well).

How did I discover the vulnerability?

The short answer is: by chance!
I was looking for a way to take advantage of this and this technique (via the respective `/custom` and `/hex` parameters) without resorting to the use of the WacomInstallI.txt file to pass parameters to `Remove.exe`.
I was essentially looking for another vulnerability that would allow me to trigger `Remove.exe` by passing it those parameters since probably, when Wacom will fix ZDI-CAN-16318, `WacomInstallI.txt` will no longer be accessible by the regular user (or at least I hope... 🤞).
I started looking for a way to trigger `Remove.exe` by passing it the `/custom` parameter through `C:\Program Files\Tablet\Wacom\PrefUtil.exe`, since here it's written that individual users can configure their own Wacom device settings using the Wacom Tablet Preference File Utility (`PrefUtil.exe`).
Playing a bit with `PrefUtil.exe` however, instead of finding what I was looking for, I noticed some suspicious operations and I decided to call off the search to analyze them in detail; their analysis led me to discover the vulnerability I'm about to describe.

PS Between one thing and another I no longer continued with the initial goal (to look for another vulnerability that allows to trigger `Remove.exe` by passing it the `/custom` and\or `/hex` parameter) 🙁
So, dear reader, do it yourself! Carrying out a responsible disclosure or, if you prefer, if you find any clues, report it to me via mail at luca.barile.research@gmail.com 📧

Analyzing suspicious operations of PrefUtil.exe 🔍

Playing a bit with the GUI of `PrefUtil.exe`, I noticed (using Process Monitor) that, by pressing the "Package logs" button, the `C:\Wacom` and `C:\Wacom\Logs` folders are created and the files indicated in the image below are copied into them.

Behavior of Package logs button

As the GroupBox itself says, the files written in the `C:\Wacom\Logs` folder are log files used for diagnostic purposes, and there would be nothing wrong with these operations if it weren't for these two facts:

Some of these files are written without impersonating the regular user by the `WTabletServicePro.exe` service which is running under the context of SYSTEM.

The regular user has full access to the `C:\Wacom` and `C:\Wacom\Logs` folders.

Probably, if you have read this and this report, by now you will have understood that when these two situations occur, the link following attack is the first thing that comes to mind and, even in this case, it can be applied in a similar way to what has been done here and here.
In this case, however, I don't want to settle for an Arbitrary File Read\Write primitive (as shown in the two examples just linked); my goal is to find a way for a Local Privilege Escalation ❗

An Arbitrary File Write primitive can be useful 😁

Among the various files written by the `WTabletServicePro.exe` service without impersonating the regular user, `Wacom_Tablet.bak.txt`, `Wacom_Tablet.dat.txt` and `WacomTouch.xml.txt` are the most interesting because they're nothing more than the respective copy of `%AppData%\WTablet\Wacom_Tablet.bak`, `%AppData%\WTablet\Wacom_Tablet.dat` and `%AppData%\WTablet\WacomTouch.xml` with the addition of the .txt extension, as you can see from the image below.

$WTabletServicePro.exe is copying files from the folder %AppData%\WTablet$

Since the regular user has full access to the `%AppData%\WTablet` folder and all the files it contains, he can replace one of these files (I chose `%AppData%\WTablet\WacomTouch.xml`) with another one of his choice before clicking on the "Package logs" button and, as a consequence, the file chosen by the regular user will be copied by `WTabletServicePro.exe` to the `C:\Wacom\Logs` folder.
Now, by combining a mount point with a symbolic link (just like I did here and here), we can redirect `WTabletServicePro.exe`, forcing it to copy a file of our choice wherever we want, thus obtaining an Arbitrary File Write primitive ✔️
Note: if we redirect `WTabletServicePro.exe` to an already existing file, that file will be overwritten (otherwise it will be created).

From an exploit development perspective, it would be more convenient to use the Arbitrary File Write primitive programmatically, without requiring the user to interact by pressing the "Package logs" button.
For this reason I used Process Monitor hoping to find the right parameter to pass to `PrefUtil.exe` to trigger the "Package logs" function but, obviously, I didn't find anything useful because, by pressing the button, `PrefUtil.exe` doesn't need to call itself with a special parameter as it can directly call its "Package logs" function 🤦
So I tried to analyze all the strings references of all the `PrefUtil.exe` modules via x64dbg (as I did here) hoping to find the right parameter, and I was lucky because I found a reference to the `/package-logs` parameter!
This means (and I tested it) that a generic process can trigger the "Package logs" function by calling `PrefUtil.exe` through `C:\Program Files\Tablet\Wacom\PrefUtil.exe /package-logs`

Ok... And how can we use the Arbitrary File Write primitive for a Local Privilege Escalation?

Oh?! Is FTD2XX.dll a phantom DLL? 👻

When I first started hunting for vulnerabilities in Wacom Driver 6.3.45-1, before discovering this vulnerability, I found out through Process Monitor that `Wacom_Tablet.exe`, during the restore operation, tries to load (under the context of SYSTEM) the missing `FTD2XX.dll` dll following the Dynamic-Link Library search order, as you can see from the image below.

Wacom_Tablet.exe tries to load the missing FTD2XX.dll

Remembering this fact, I tried to see if there was any relationship between `PrefUtil.exe` and `Wacom_Tablet.exe`, discovering (in the same way I discovered `/package-logs`) that `PrefUtil.exe` accepts the `/remove` parameter and, if run with that, triggers `Wacom_Tablet.exe` (many other operations are also performed, but their description is beyond the scope of this report) which, as shown in the previous image, tries to load the missing `FTD2XX.dll` dll.
Ok, as you are probably already guessing, the last thing we now have to do to escalate our privileges is to exploit the phantom DLL `FTD2XX.dll` through the Phantom DLL hijacking technique (which is only one of the various DLL Hijacking techniques) by performing the following simple steps:

Compile a simple malicious `FTD2XX.dll` which, once loaded, opens the Windows Command Prompt.

Using the Arbitrary File Write primitive previously described force `PrefUtil.exe` to copy the DLL into one of the folders where `Wacom_Tablet.exe` looks for it (I chose `C:\Program Files\Tablet\Wacom`).

Force `Wacom_Tablet.exe` to load the malicious `FTD2XX.dll` via `C:\Program Files\Tablet\Wacom\PrefUtil.exe /remove`.

I compiled the simple malicious `FTD2XX.dll` using the following C++ code:

FTD2XX.dll source code

In our case the Phantom DLL hijacking technique works because `Wacom_Tablet.exe` doesn't use signed DLLs or particular DLL hijacking prevention techniques.
Read this article if you want to learn more about some DLL hijacking prevention techniques.
Read this article of mine if you want to learn more about the DLL Hijacking using the DLL Proxying technique.

Different ways to escalate our privileges ↖️⬆️↗️

To escalate the privileges I decided to use the technique just described (which I will deepen in the next paragraph) to enhance the discovery of the phantom dll and to illustrate an alternative way to the one followed in ZDI-CAN-16318.
However, there are other ways to take advantage of the Arbitrary File Write primitive to escalate privileges and, among them, I want to describe the following two:

Overwrite `C:\Program Files\Tablet\Wacom\32\Installer.dat`
Similarly to what I did here we can abuse the `Installer.dat` file to run an arbitrary program but, in this case, everything is much easier because we can exploit an Arbitrary File Write primitive (and not an Arbitrary File Write primitive with partial control over the content of the file written\overwritten).
We can exploit the Arbitrary File Write primitive previously described to overwrite `Installer.dat` with another identical file to which the following line has been added:

At this point the regular user only needs to restore a backup of his Wacom device through `"C:\Program Files\Tablet\Wacom\PrefUtil.exe" /restore "C:\...\Backup.wacomprefs" /silent` to force Remove.exe to execute the `UpdateRouterFilter` command which, consequently, will execute a command prompt window under the context of SYSTEM.

Overwrite `C:\Program Files\Tablet\Wacom\32\Remove.exe`
Instead of overwriting `Installer.dat` we can directly overwrite (exploiting the Arbitrary File Write primitive previously described) `Remove.exe` with a simple executable which, once started, will execute a command prompt window, like this one:

At this point the regular user only needs to restore a backup of his Wacom device through `"C:\Program Files\Tablet\Wacom\PrefUtil.exe" /restore "C:\...\Backup.wacomprefs" /silent` to force Wacom_Tablet.exe (which runs under the context of SYSTEM) to execute `Remove.exe` which, consequently, will execute a command prompt window under the same context.
The negative side of this technique is to make it impossible for `Remove.exe` to carry out all the operations it has to perform once started (since we have replaced it), while the previous technique is not affected by this problem because it simply forces `Remove.exe` to perform one more operation (the execution of the command prompt window) than the ones it has to execute normally.

The Exploit ☠️

The exploit that I've implemented and that I'm going to describe is based on the previously described technique, and performs the following steps:

If the `C:\Wacom` folder exists, delete it and re-create it; create it otherwise.

Create the `C:\Wacom\Logs` mount point to `\RPC Control`.

Create the `\RPC Control\WacomTouch.xml.txt` symbolic link to `%ProgramFiles%\Tablet\Wacom\FTD2XX.dll`.

Copy the malicious `FTD2XX.dll` to `%AppData%\WTablet\WacomTouch.xml`.

Run `PrefUtil.exe` through `%ProgramFiles%\Tablet\Wacom\PrefUtil.exe /package-logs`.
The following operations are performed:

`PrefUtil.exe` starts to package the logs into `C:\Wacom\Logs`.

`WTabletServicePro.exe`, running under the context of SYSTEM, tries to copy `%AppData%\WTablet\WacomTouch.xml` to `C:\Wacom\Logs\WacomTouch.xml.txt` without impersonating the current user.

Since `C:\Wacom\Logs` is a mount point to `\RPC Control`, `WTabletServicePro.exe` tries to copy `%AppData%\WTablet\WacomTouch.xml` to `\RPC Control\WacomTouch.xml.txt`.

Since `\RPC Control\WacomTouch.xml.txt` is a symbolic link to `%ProgramFiles%\Tablet\Wacom\FTD2XX.dll`, `WTabletServicePro.exe` copies `%AppData%\WTablet\WacomTouch.xml` to `%ProgramFiles%\Tablet\Wacom` folder and names it `FTD2XX.dll`.

Run `PrefUtil.exe` through `C:\Program Files\Tablet\Wacom\PrefUtil.exe /silent /remove`.
The following operations are performed silently:

`PrefUtil.exe` performs several operations and `Wacom_Tablet.exe` is triggered.

`Wacom_Tablet.exe` performs several operations and tries to load the `%ProgramFiles%\Tablet\Wacom\FTD2XX.dll` dll.

Since `FTD2XX.dll` now exists (point 5.4), it's loaded into memory and executed (without any checks).

`FTD2XX.dll` is programmed to execute a command prompt window and, since it's loaded from `Wacom_Tablet.exe` (which runs under the context of SYSTEM), the command prompt will also run under the same context, allowing us to escalate our privileges 🎉

Here you can find the C# source code of my exploit (Visual Studio Project.zip).
Here you can find the executable file (Exploit.exe).

`CreateMountPoint.exe` and `CreateSymlink.exe` are programs developed by James Forshaw and are downloadable from his symboliclink-testing-tools repository, respectively here and here.

POC 🎦

I have tested the exploit only for Wacom Driver 6.3.45-1 but, most likely, it also works for the previous versions (and I hope not on the future ones 🙄).

Exploitation Proof Of Concept

How to fix the vulnerability 🚑

The root cause from which everything begins is `C:\Wacom\Logs`.
There may be several ways to solve the problem but, in my opinion, one of the best is to avoid creating the `C:\Wacom` folder (and its sub-folders) on the `C:\` drive and, more generally, in a location to which the regular user has full access (pay attention! As I explained here, also the `C:\Windows\Temp` folder isn't a good candidate, although the regular user doesn't have full access to it).

A solution would be, for example, to create the `Logs` folder in `%ProgramFiles%\Tablet\Wacom\`, where the regular user can't write to and, consequently, can't perform the previously described attack. In fact, in this case, `WTabletServicePro.exe` can't be redirected while copying `%AppData%\WTablet\WacomTouch.xml` to `%ProgramFiles%\Tablet\Wacom\Logs\WacomTouch.xml.txt` because the regular user can no longer create the `%ProgramFiles%\Tablet\Wacom\Logs` mount point since he doesn't have write access on the `%ProgramFiles%\Tablet\Wacom` folder.

Another idea is to force `WTabletServicePro.exe` to impersonate the current user while copying `%AppData%\WTablet\WacomTouch.xml` to `C:\Wacom\Logs\WacomTouch.xml.txt`.
By doing this, the link following attack will fail because when `WTabletServicePro.exe` will be redirected to the `%ProgramFiles%\Tablet\Wacom` folder, and will try to copy the malicious `FTD2XX.dll` into it, it will fail because, impersonating the user, it won't have the necessary rights to write the malicious file.

Vulnerability disclosure timeline 📅

First of all, I checked if the vendor has launched a bug bounty program but, unfortunately, Wacom Technology Corporation has none and the only page where you can report something (this), doesn't speak explicitly of any acknowledgement (neither meritocratically nor economically).
At this point I followed the MITRE researcher reservation guidelines and, since Wacom Technology Corporation isn't on the CNAs partner list, the only two remaining possibilities were to contact the CNA of Last Resort (CNA-LR) through the CVE Request web form or a third-party coordinator CNAs.
Since the CNA of Last Resort, as the word itself says, is the last resort (🏝️), I looked for a third-party CNA in the CNAs list and decided to contact the Zero Day Initiative CNA.
ZDI relieves you from the burden of tracking the bug with the vendor, could make a monetary offer to the researcher (CNA of Last Resort doesn't), follows a responsible vulnerability disclosure policy and has a loyalty program (CNA of Last Resort doesn't). You can learn more about their disclosure policy here.

2022-03-03 (GMT+1) - I casually discovered the vulnerability.

2022-03-04 (GMT-6) - I reported the vulnerability to ZDI (CASE OPENED).

2022-03-07 (GMT-6) - ZDI assigned the case (CASE ASSIGNED).

2022-03-30 (GMT+1) - I asked ZDI for an update.

2022-03-31 (GMT+1) - ZDI replied that they're currently experiencing high case volumes so I can expect several weeks for reply.

2022-04-05 (GMT-6) - ZDI investigated the case (CASE INVESTIGATED).

2022-04-12 (GMT+1) - ZDI told me that they ran into a problem when running the PoC (Wacom_Tablet.exe fails to load FTD2XX.dll).

2022-04-12 (GMT+1) - I provided to ZDI additional guidance to solve the problem.

2022-04-14 (GMT-6) - ZDI reopened the case and added it to the queue for review (CASE ASSIGNED).

2022-05-03 (GMT-6) - ZDI re-investigated the case following my additional guidance (CASE INVESTIGATED).

2022-05-09 (GMT+1) - ZDI has successfully reproduced my PoC and extended an offer for the rights to my vulnerability.

2022-05-09 (GMT+1) - I accepted the offer and sent them the requested data.

2022-06-03 (GMT+1) - I received the payment issued by ZDI.

2022-06-27 (GMT+1) - I asked ZDI for an update.

2022-06-27 (GMT+1) - ZDI replied that they've had a hard time disclosing this case to the vendor, but they're going to send them one more message informing them that they intend to 0-day the case if they don't receive a legitimate reply.

2022-07-13 (GMT-6) - The case has been officially contracted to the ZDI (CASE CONTRACTED).

2022-07-19 (GMT+1) - I asked ZDI for an update (no answer).

2022-07-28 (GMT-6) - ZDI reviewed the case (CASE REVIEWED).

2022-08-04 (GMT-6) - ZDI assigned the id ZDI-CAN-16857 to the vulnerability and submitted the details of this case to the vendor, giving it the deadline of 2022-12-02 for the fix (VENDOR DISCLOSURE).

2023-01-22 (GMT+1) - I asked ZDI for an update since the vulnerability deadline has passed but the advisory has not been published yet (no answare...).

2023-02-22 (GMT+1) - I asked ZDI for an update since the vulnerability deadline has passed but the advisory has not been published yet (no answare...).

2023-03-23 (GMT+1) - I informed ZDI that I decided to publish the exploit for the vulnerability by the end of April because of their delays (after more than a year since the vulnerability was reported, it still only appear on their "Upcoming" page and no CVE ID has been assigned) and lack of answers. In addition, I pointed out the fact that their behavior is not in accordance with their disclosure timelines (again, no answare...).

2023-04-03 (GMT+1) - I decided to make the exploits for this vulnerability (and related reports) public on my GitHub page and informed MITRE through CNA-LR.

2023-04-25 - MITRE replied that they will reach out to ZDI next regarding the issue.

2023-05-23 - MITRE told me that ZDI let them know they are planning to assign the CVE ID to my vulnerability and will be contacting me shortly with that.
Interestingly, ZDI didn't respond to my requests for updates for months but, after being prompted by MITRE, responded immediately 😒
It sounds something like: if they don't respond ask MITRE to tell them to respond 🤦

2023-05-24 - ZDI replied to my mail apologizing for the lack of response on their end. They also told me that the CVE-2023-32163 ID will soon be assigned to this vulnerability (ZDI-CAN-16857) and that they don’t blame me for posting the cases. Finally, they told me that they intend to publish this vulnerability as a zero-day advisory (due to the vendor's lack of response), and are working to get in a position where they can strictly hold to their disclosure policy in the future.

2023-05-26 - ZDI assigned the identifier CVE-2023-32163 to the vulnerability and published it here as a zero-day advisory with internal code ZDI-23-742.

2023-08-15 - Looking for the details of some vulnerabilities on the MITRE website, I also searched, out of curiosity, for those related to mine and, surprisingly, found that there was no description and the case was still marked as 'RESERVED'.

2023-08-16 - I informed MITRE of the lack of the vulnerability details from their official page asking for an explanation.

2023-08-17 - MITRE replied that the vulnerability falls under the scope of the Zero Day Initiative CNA (and so I have to turn to them). At this point I asked ZDI for an explanation.

2023-08-22 - ZDI replied that they have not committed that data to MITRE yet (no problem, it's only been a year and five months since I reported the vulnerability...). They also told me that they’ve been working on an internal CVE services tool, and that has delayed some of their publications for this year (but also for last year I would say 🤦); the team is working to get the data updated.

2023-09-06 - ZDI published the description of the vulnerability on the MITRE website (here) and in the National Vulnerability Database (here).

Well... After only one year and six months, the vulnerability has finally been published. I think it's not necessary to add any more comments on the questionable timing 😡

Final considerations

The conclusions are the same as I wrote in my main report; I report below, for convenience, the most interesting paragraphs.

How to fix the vulnerability 🚑

Conclusion

Useful readings and references 🔗

Since the concepts of symbolic link and mount point have already been introduced in this and this article, check out these references if you want to examine them in depth.
Here I just want to suggest some references related to the DLL hijacking, since it's the only new concept covered in this paper; these articles may be useful to those who know nothing (or little) about it:

Dynamic-Link Library search order - Microsoft 🔗

DLL Hijacking techniques - Clément Labro 🔗

Signed DLLs - Wikipedia 🔗

DLL hijacking prevention techniques - Microsoft 🔗

DLL Proxying technique - Luca Barile 🔗

And don't forget to read my report in which I explain how to exploit another vulnerability to get a Local Privilege Escalation!

If you liked this article, what do you think about buying me a unicorn? Yeees! I'll buy it for you! 🦄