Windows 10: CULauncher exploit

Windows 10 exploit in CULauncher that allows EoP and persistence.

Summary

The CUAssistant component uses an unquoted search path that contains whitespace.

Description

This issue was discovered and tested on Windows 10 Pro 1903 with every update installed. The affected component was not found on Windows 10 Home. No other Windows 10 versions were tested.

The CUAssistant component works together with the servicing engine to improve the reliability and security of Windows 10. The component was introduced in KB4480730 and more info can be found here: https://support.microsoft.com/en-us/help/4480730/windows-10-update-kb4480730.

The component is implemented by adding a scheduled task that automatically executes culauncher.exe every 23 hours or when a network connection is established. If we look at ‘C:\Program Files\CUAssistant\CUAssistantTask.xml’, we can see the details for this task and notice that the path does not contain any quotes. If an attacker manages to place an executable called Program.exe in the main drive, the task scheduler will automatically execute this program as SYSTEM after some time.

Figure 1: Unquoted path in Task Scheduler.

The default file permissions require administrator privileges to place a program in the root folder, so the vulnerability can only be used to elevate from administrator to SYSTEM. This vulnerability can also be used as persistence because the scheduled task will run regularly. Windows will warn the user about the presence of a file called C:\Program.exe when the system boots, which makes exploitation harder.

Adding quotes to the path when registering the task should fix the issue.
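
An added example, not part of the original post and not Microsoft's code: a Python audit that parses Task Scheduler XML, flags Exec commands that are unquoted and contain whitespace, and lists the earlier paths (such as C:\Program.exe) that could run instead. The sample XML is constructed in the standard task schema and is not the contents of the real CUAssistantTask.xml; the function names are hypothetical.

```python
import os
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample in the Task Scheduler XML schema (not the real CUAssistantTask.xml).
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\CUAssistant\culauncher.exe</Command></Exec>
    <Exec>
      <Command>"C:\Program Files\Example App\tool.exe"</Command>
      <Arguments>/quiet</Arguments>
    </Exec>
  </Actions>
</Task>"""


def hijack_candidates(command):
    """Paths that may be tried before the intended binary of an unquoted command."""
    cmd = command.strip()  # environment variables such as %ProgramFiles% are not expanded
    if cmd.startswith('"'):
        return []  # quoted: the path is taken as a whole
    candidates = []
    for i, ch in enumerate(cmd):
        if ch != " ":
            continue
        prefix = cmd[:i]
        if prefix.lower().endswith(".exe"):
            break  # reached the intended binary; the rest is arguments
        candidates.append(prefix + ".exe")
    return candidates


def audit_task_xml(xml_text):
    """Return one finding per Exec action whose Command is unquoted and has spaces."""
    findings = []
    for node in ET.fromstring(xml_text).iterfind(".//t:Actions/t:Exec/t:Command", NS):
        command = (node.text or "").strip()
        candidates = hijack_candidates(command)
        if candidates:
            # "planted" lists candidates that already exist on the audited machine.
            planted = [c for c in candidates if os.path.exists(c)]
            findings.append({"command": command, "candidates": candidates, "planted": planted})
    return findings


if __name__ == "__main__":
    for f in audit_task_xml(SAMPLE_TASK):
        print(f)
```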

Steps to Reproduce:

  1. Install Windows 10 Pro on a fresh machine. We used Win10_1803_English_x64.iso (SHA1: 08FBB24627FA768F869C09F44C5D6C1E53A57A6F).

  2. Install all the available updates from Windows Update. KB4480730 will be installed at some point, which introduces the vulnerability.

  3. Place a file called Program.exe in C:\. We used vmmap in our example.

  4. Wait for the task to run or manually run it using taskschd.msc.

  5. Use Process Explorer to see that Program.exe has been executed as SYSTEM. Normally C:\Program Files\CUAssistant\culauncher.exe should have been executed.

Figure 2: Process details in ProcessHacker.

Disclosure

This vulnerability was reported to Microsoft but was closed as won’t fix.
