/hex parameters) without resorting to the use of the WacomInstallI.txt file to pass parameters to
Remove.exe by passing it those parameters since probably, when Wacom will fix ZDI-CAN-16318,
WacomInstallI.txt will no longer be accessible by the regular user (or at least I hope... 🤞).
Remove.exe by passing it the
/custom parameter through
C:\Program Files\Tablet\Wacom\PrefUtil.exe, since here it's written that individual users can configure their own Wacom device settings using the Wacom Tablet Preference File Utility (
PrefUtil.exe however, instead of finding what I was looking for, I noticed some suspicious operations and I decided to call off the search to analyze them in detail; their analysis led me to discover the vulnerability I'm about to describe.
Remove.exe by passing it the
/hex parameter) 🙁
PrefUtil.exe, I noticed (using Process Monitor) that, by pressing the "Package logs" button, the
C:\Wacom\Logs folders are created and the files indicated in the image below are copied into them.
C:\Wacom\Logs folder are log files used for diagnostic purposes, and there would be nothing wrong with these operations if it weren't for these two facts:
WTabletServicePro.exe service which is running under the context of SYSTEM.
WTabletServicePro.exe service without impersonating the regular user,
WacomTouch.xml.txt are the most interesting because they're nothing more than the respective copy of
%AppData%\WTablet\WacomTouch.xml with the addition of the .txt extension, as you can see from the image below.
%AppData%\WTablet folder and all the files it contains, he can replace one of these files (I chose
%AppData%\WTablet\WacomTouch.xml) with another one of his choice before clicking on the "Package logs" button and, as a consequence, the file chosen by the regular user will be copied by
WTabletServicePro.exe to the
WTabletServicePro.exe, forcing it to copy a file of our choice wherever we want, thus obtaining an Arbitrary File Write primitive ✔️
WTabletServicePro.exe to an already existing file, that file will be overwritten (otherwise it will be created).
PrefUtil.exe to trigger the "Package logs" function but, obviously, I didn't find anything useful because, by pressing the button,
PrefUtil.exe doesn't need to call itself with a special parameter as it can directly call its "Package logs" function 🤦
PrefUtil.exe modules via x64dbg (as I did here) hoping to find the right parameter, and I was lucky because I found a reference to the
C:\Program Files\Tablet\Wacom\PrefUtil.exe /package-logs
Wacom_Tablet.exe, during the restore operation, tries to load (under the context of SYSTEM) the missing
FTD2XX.dll dll following the Dynamic-Link Library search order, as you can see from the image below.
Wacom_Tablet.exe, discovering (in the same way I discovered
PrefUtil.exe accepts the
/remove parameter and, if run with that, triggers
Wacom_Tablet.exe (many other operations are also performed, but their description is beyond the scope of this report) which, as shown in the previous image, tries to load the missing
FTD2XX.dll through the Phantom DLL hijacking technique (which is only one of the various DLL Hijacking techniques) by performing the following simple steps:
FTD2XX.dll which, once loaded, opens the Windows Command Prompt.
PrefUtil.exe to copy the DLL into one of the folders where
Wacom_Tablet.exe looks for it (I chose
Wacom_Tablet.exe to load the malicious
C:\Program Files\Tablet\Wacom\PrefUtil.exe /remove.
FTD2XX.dll using the following C++ code:
Wacom_Tablet.exe doesn't use signed DLLs or particular DLL hijacking prevention techniques.
Installer.dat file to run an arbitrary program but, in this case, everything is much easier because we can exploit an Arbitrary File Write primitive (and not an Arbitrary File Write primitive with only partial control over the content of the written/overwritten file).
Installer.dat with another identical file to which the following line has been added:
"C:\Program Files\Tablet\Wacom\PrefUtil.exe" /restore "C:\...\Backup.wacomprefs" /silent to force Remove.exe to execute the
UpdateRouterFilter command which, consequently, will execute a command prompt window under the context of SYSTEM.
Installer.dat we can directly overwrite (exploiting the Arbitrary File Write primitive previously described)
Remove.exe with a simple executable which, once started, will execute a command prompt window, like this one:
"C:\Program Files\Tablet\Wacom\PrefUtil.exe" /restore "C:\...\Backup.wacomprefs" /silent to force Wacom_Tablet.exe (which runs under the context of SYSTEM) to execute
Remove.exe which, consequently, will execute a command prompt window under the same context.
Remove.exe to carry out all the operations it has to perform once started (since we have replaced it), while the previous technique is not affected by this problem because it simply forces
Remove.exe to perform one more operation (the execution of the command prompt window) than the ones it has to execute normally.
C:\Wacom folder exists, delete it and re-create it; create it otherwise.
C:\Wacom\Logs mount point to
\RPC Control\WacomTouch.xml.txt symbolic link to
PrefUtil.exe starts to package the logs into
WTabletServicePro.exe, running under the context of SYSTEM, tries to copy
C:\Wacom\Logs\WacomTouch.xml.txt without impersonating the current user.
C:\Wacom\Logs is a mount point to
WTabletServicePro.exe tries to copy
\RPC Control\WacomTouch.xml.txt is a symbolic link to
%ProgramFiles%\Tablet\Wacom folder and names it
C:\Program Files\Tablet\Wacom\PrefUtil.exe /silent /remove.
PrefUtil.exe performs several operations and
Wacom_Tablet.exe is triggered.
Wacom_Tablet.exe performs several operations and tries to load the
FTD2XX.dll now exists (point 5.4), it's loaded into memory and executed (without any checks).
FTD2XX.dll is programmed to execute a command prompt window and, since it's loaded from
Wacom_Tablet.exe (which runs under the context of SYSTEM), the command prompt will also run under the same context, allowing us to escalate our privileges 🎉
CreateSymlink.exe are programs developed by James Forshaw and are downloadable from his symboliclink-testing-tools repository, respectively here and here.
C:\Wacom folder (and its sub-folders) on the
C:\ drive and, more generally, in a location to which the regular user has full access (be careful: as I explained here, the
C:\Windows\Temp folder isn't a good candidate either, even though the regular user doesn't have full access to it).
Logs folder in
%ProgramFiles%\Tablet\Wacom\, where the regular user can't write and, consequently, can't perform the previously described attack. In fact, in this case,
WTabletServicePro.exe can't be redirected while copying
%ProgramFiles%\Tablet\Wacom\Logs\WacomTouch.xml.txt because the regular user can no longer create the
%ProgramFiles%\Tablet\Wacom\Logs mount point since he doesn't have write access on the
WTabletServicePro.exe to impersonate the current user while copying
WTabletServicePro.exe will be redirected to the
%ProgramFiles%\Tablet\Wacom folder, and will try to copy the malicious
FTD2XX.dll into it, it will fail because, impersonating the user, it won't have the necessary rights to write the malicious file.