Exploiting Blind File Reads / Path Traversal Vulnerabilities on Microsoft Windows Operating Systems
In a recent engagement I was confronted with a blind path traversal vulnerability on a server running with the Microsoft Windows operating system. That is, it was not possible to display folder contents but the complete file name and path had to be guessed. Due to the lack of a comprehensive website I was forced to gather information from various different sources.
In this blog post, I want to summarize my findings and focus on the exploitation of this kind of vulnerability.
Admittedly, vanilla path traversal vulnerabilities have become somewhat rare and Microsoft Windows as a server operating system is also more of an exception than the rule. However, in an XXE scenario, you may encounter a similar situation.
Also, this post will not shed light on the detection of this vulnerability - which is an art in itself and has already been thoroughly documented. In a nutshell, the key to the successful detection is to guess the correct path of a world-readable file (with the correct encoding).
Identifying vulnerable Applications
On Microsoft Windows, the following files are good choices since they are present in almost every version:
c:\windows\system.inic:\windows\win.ini
Assuming you have successfully identified a path traversal vulnerability, the only question is how further it can be escalated. The major obstacle is that you usually have to know in advance the exact location of the files you want to read. As opposed to *nix-based operating systems, the locations can differ significantly from one Windows installation to another. For instance, the main system drive letter may not be C: or the user name may differ from the standard Administrator.
First and foremost, we have to recall a few key characteristics of Windows operating systems:
- Files and directories are handled case-insensitive: From an attacker perspective, our life will be easier since we only have to probe one variation of a given location. For example it suffices to test for
../../windows/win.iniinstead of attempting also../../WINDOWS/win.ini. - Forward and backward slashes can most of the times be used interchangeably; e.g.,
../..\../windows/win.iniis a valid file path in Windows.
Determining the Privilege Level of the reading Process
In order to assess the severity of a path traversal bug, you should determine the privilege level of the process that peforms the file retrieval. From an attacker perspective, the process should ideally run with elevated privileges, i.e. by LocalSystem (= root equivalent) or by a member of the Administrators group.
If you can successfully retrieve one of the following files, you are at least a member of the Administrators group:
c:/documents and settings/administrator/ntuser.inic:/documents and settings/administrator/desktop/desktop.inic:/users/administrator/desktop/desktop.inic:/users/administrator/ntuser.ini
As already mentioned, there is a catch to this approach - there might be no such user account. In this case, you have to guess the name of an administrator account.
In contrast, the following files should be available on all modern Windows operating systems and are independent from the set up:
c:/system volume information/wpsettings.datC:/Windows/CSC/v2.0.6/pqC:/Windows/CSC/v2.0.6/smC:/$Recycle.Bin/S-1-5-18/desktop.ini
If you can read either of these files, the file reading process has LocalSystem privileges.
Determining the Windows Version
Moreover, you should determine the exact version of Microsoft Windows. On Linux this is again far more simple, since we can read files such as the following:
/etc/issue/etc/*release/proc/version
Up until Windows 10, there is a similar file also containing version information, namely at
c:/windows/system32/license.rtf
It is also present on Windows 10, but it does not contain version information (which can also be used as a blind indicator).
The best way is, however, to retrieve a Microsoft-compiled executable from the target system and analyze the included version information in the file properties tab. Possible candidates are:
c:/windows/explorer.exec:/windows/notepad.exec:/windows/system32/ntoskrnl.exe
Afterwards, you can consulting the following table for looking up the corresponding operating system version:
10.0 = Windows 10 / Windows Server 20166.3 = Windows 8.1 / Windows Server 2012 R26.2 = Windows 8 / Windows Server 20126.1 = Windows 7 / Windows Server 2008 R26.0 = Windows Vista / Windows Server 20085.2 = Windows XP 64 Bit / Windows Server 20035.1 = Windows XP5.0 = Windows 20004.0 = Windows NT 4
Instead of the file properties tab, you can also use the peinfo package for Python to analyze the version number as follows:
Finetuning
To exploit the full potential of the path traversal vulnerability, you will likely have to perform an educated brute-force or dictionary attack, as the interesting files are technology-dependent.
The following list may be helpful as a first step and I would appreciate any additions or comments to this list:
https://github.com/soffensive/windowsblindread
References and follow-up links:
Web Application Hacker’s Handbook, 2nd Edition
https://www.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)
https://github.com/mubix/post-exploitation-wiki/blob/master/windows/files.md
http://pwnwiki.io/#!presence/windows/blind.md
https://blog.netspi.com/smb-attacks-through-directory-traversal/
https://digi.ninja/blog/when_all_you_can_do_is_read.php
https://superuser.com/questions/363018/how-do-i-tell-what-version-and-edition-of-windows-is-on-the-filesystem
https://docs.microsoft.com/en-us/windows/desktop/sysinfo/operating-system-version
https://docs.microsoft.com/en-us/windows/desktop/api/verrsrc/ns-verrsrc-tagvs_fixedfileinfo
https://stackoverflow.com/questions/1264472/using-the-pefile-py-to-get-file-exe-version