Amazon Workspaces - Unquoted Search Path and Potential Abuses
SafeBreach Labs discovered a new vulnerability in Amazon HostedAgents HostedApplicationService which is deployed with Amazon’s Windows machines.
In this post, we describe the vulnerability we found in the Amazon HostedAgents HostedApplicationService.
We then demonstrate how this vulnerability could have been exploited by an attacker in order to achieve persistence, privilege escalation and in some cases defense evasion. The exploitation technique involves implanting an arbitrary unsigned executable which is executed during a post-exploitation phase by Amazon’s service that runs as NT AUTHORITY\SYSTEM.
Note: In order to exploit this vulnerability, the attacker needs to have Administrator privileges.
Amazon WorkSpaces is a managed, secure Desktop-as-a-Service (DaaS) solution.
The service offers a cloud-based virtual desktop experience for end-users.
In our initial exploration of the software, we targeted the “Amazon HostedAgents HostedApplicationService” process
In our exploration, we found that after the “Amazon HostedAgents HostedApplicationService” was started, the Stxhd.HostAgents.HAService.exe process was executed as NT AUTHORITY\SYSTEM.
We noticed an interesting behavior once the service’s process was executed:
As can be seen multiple times, the process looked for a missing EXE file (C:\Program.exe) before it found and executed the real executable file (.exe).
In order to test this privilege escalation vulnerability, we compiled an EXE file (unsigned) which writes the following to the filename of a txt file:
Our arbitrary unsigned EXE file was executed as NT AUTHORITY\SYSTEM by a legitimate process which is signed by Amazo?.
Once the Stxhd.HostAgents.HAService.exe is executed, it tries to execute multiple executables which are listed in the Stxhd.HostAgents.HAService.exe.config file:
Three of these executables don’t have a “runAs” attribute, which means that they will be created as NT AUTHORITY\SYSTEM:
We can find the root cause of this vulnerability inside the implementation of the “LaunchProcessAsUser” method (which can be found in the “ProcessExtensions” class of the code):
Using the String.Format method, the program tries to concatenate the path of the executable with its arguments and pass it as the lpCommandLine parameter: “ ”.
The problem is that it doesn’t wrap the path of the executable with quotes (‘“” ’), so the CreateProcessAsUser function doesn’t know how to parse it properly.
According to the CreateProcessAsUser function documentation in MSDN, we will see the following:
The lpApplicationName parameter can be NULL. In that case, the module name must be the first white space–delimited token in the lpCommandLine string. If you are using a long file name that contains a space, use quoted strings to indicate where the file name ends and the arguments begin; otherwise, the file name is ambiguous.
For example, consider the string "c:\program files\sub dir\program name". This string can be interpreted in a number of ways. The system tries to interpret the possibilities in the following order:
c:\program.exe c:\program files\sub.exe c:\program files\sub dir\program.exe c:\program files\sub dir\program name.exe
The root cause of this unquoted search path vulnerability happens because the command line doesn’t contain a quoted string between the path of the executable and the argument - so the CreateProcessAsUser function tries to split it by itself each time it parses a space character:
Below we show three possible ways that an attacker could have leveraged the vulnerability we discovered and documented above.
The vulnerability gives attackers the ability to execute malicious payloads in a persistent way, each time the service is loaded. That means that once the attacker drops a malicious EXE file in one of the paths we mentioned earlier, the service will load the malicious code each time it is restarted. This way the malicious payload might not be detected by security products, because the service process which executes the attacker’s payload is signed, and executes it “natively.” No suspicious action is required by the attacker. The service just executes the malicious payload once the service is started.
The vulnerability provides an attacker with the ability to gain NT AUTHORITY\SYSTEM access as an Administrator.
Sep 22nd, 2019 - Vulnerability reported to Amazon
Sep 23th, 2019 - Initial response from Amazon
Sep 24th, 2019 - Amazon has confirmed the vulnerability
Oct 1st, 2019 - Amazon provided a timeline for patch deployment. They won’t issue a CVE because the environment is fully-controlled by them.
Oct 23rd, 2019 - Amazon has fixed the vulnerability.