Autodesk Desktop Application – Privilege Escalation to SYSTEM (CVE-2019-7365)
December 2nd, 2019
Security Researcher, SafeBreach Labs
SafeBreach Labs discovered a new vulnerability in Autodesk Desktop Application software.
In this post, we will demonstrate how this vulnerability could be used in order to achieve privilege escalation and persistence by loading an arbitrary unsigned DLL into a service that runs as NT AUTHORITYSYSTEM.
Autodesk Desktop Application
The Autodesk desktop app is a desktop component that is installed with Microsoft Windows-based Autodesk products (2017 and later). It delivers product updates, new releases, and security patches to subscribers.
Some part of the software runs as a Windows service executed as “NT AUTHORITYSYSTEM,” which provides it with very powerful permissions
In this post, we describe the vulnerability we found in the Autodesk Desktop Application software.
We then demonstrate how this vulnerability can be exploited to achieve privilege escalation, gaining access with NT AUTHORITYSYSTEM level privileges.
In our initial exploration of the software, we targeted the “AutoDesk Desktop App” (AdAppMgrSvc.exe) service which is deployed with the AutoCAD 2019 software.
We chose this service for the following reasons:
- It runs as NT AUTHORITYSYSTEM – the most privileged user account. This kind of service might be exposed to a user-to-SYSTEM privilege escalation, which is very powerful and useful to an attacker.
- The executable of the service is signed by AutoDesk and if the hacker finds a way to execute code within this process, it can be used as an application whitelisting bypass which can lead to security product evasion.
- This service automatically starts once the computer boots, which means that it’s a potential target for an attacker to be used as a persistence mechanism.
In our exploration, we found that this service was started as a signed process and executed as NT AUTHORITYSYSTEM.
Once executed, we noticed an interesting behavior:
As you can see, the services were trying to load a missing DLL file from different directories within the PATH environment variable.
On our VM, Python 2.7 is installed. The c:python27 has an ACL which allows any authenticated user to write files onto the ACL. This makes privilege escalation simple, allowing a regular user to write the missing DLL file and achieve code execution as NT AUTHORITYSYSTEM.
It is important to note that an administrative user or process must (1) set the directory ACLs to allow access to non-admin user accounts, and (2) modify the system’s PATH variable to include that directory. This can be done by different applications.
In order to test this privilege escalation vulnerability, we compiled an unsigned DLL which writes the following to the filename of a txt file once the DLL is loaded:
- The name of the process which loaded it
- The username which executed it
- The name of the DLL file
We were able to load an arbitrary DLL as a regular user and execute our code within a process which is signed by AutoDesk Inc. as NT AUTHORITYSYSTEM.
Root Cause Analysis
Once the “AutoDesk Desktop App” service (AdAppMgrSvc.exe), the Qt5Core_Ad_5.dll library is loaded.
The “Qt5Core_Ad_5.dll” library tries to load the “wlanapi.dll.dll” library by calling LoadLibraryW.
There are two root causes for this vulnerability:
- The lack of safe DLL loading due to having an uncontrolled search path – In this case, it is necessary to use the SetDefaultDllDirectories / LoadLibraryEx functions in order to control the paths from which a DLL can be loaded within the scope of the executable.
- No digital certificate validation is made against the binary. The program does not validate whether the DLL that it is loading is signed (for example, using the WinVerifyTrust function). Therefore, it can load an arbitrary unsigned DLL.
Below we show three possible ways that an attacker can leverage the CVE-2019-7365 vulnerability we discovered and documented above.
Signed Execution and Whitelisting Bypass
The vulnerability gives attackers the ability to load and execute malicious payloads using a signed service. This ability might be abused by an attacker, for example to achieve Application Whitelisting Bypass for purposes such as execution and evasion.
The vulnerability gives attackers the ability to load and execute malicious payloads in a persistent way, each time the service is loaded. That means that once the attacker drops a malicious DLL in a vulnerable path, the service will load the malicious code each time it is restarted.
After an attacker gains access to a computer, he might have limited privileges which can limit access to certain files and data. The service provides him with the ability to operate as NT AUTHORITYSYSTEM which is the most powerful user in Windows, so he can access almost every file and process which belongs to the user on the computer.
Autodesk Desktop Accessory
July 31th, 2019 – Vulnerability Reported
Aug 1st, 2019 – Initial Response from HackerOne
Aug 12th, 2019 – Autodesk has confirmed the vulnerability
Aug 14th, 2019 – HackerOne has set the severity of the case to CVSS 6.8
Aug 27th, 2019 – Status update from AutoDesk
Sep 9th, 2019 – Status update from AutoDesk
Sep 16th, 2019 – AutoDesk has issued CVE-2019-7365
Oct 29th, 2019 – AutoDesk shared a timeline for a patch deployment
Nov 15th, 2019 – AutoDesk said that they will publish an advisory on November 26th