Windows Local WebDAV NTLM Reflection Elevation of Privilege

Platform: Windows 8.1 Update, Windows 7
Class: Elevation of Privilege
Disclosure Date: 18th March 2015
Reference: https://code.google.com/p/google-security-research/issues/detail?id=222

Summary:

A default installation of Windows 7/8 can be made to perform an NTLM reflection attack through WebDAV, which allows a local user to elevate privileges to local system. It can also be used to escape application sandboxes if TCP socket access is not blocked.

This issue was reported to Microsoft Security Response Center in December 2014. Microsoft have decided not to change the default behaviour to fix this issue, therefore all current Windows client platforms are vulnerable to this privilege escalation unless mitigations are applied.

Description:

NTLM reflection is a well known issue with Windows authentication. It's typically abused in networked scenarios to reflect credentials from one machine to another. It used to be possible to reflect credentials back to the same machine, but that was mitigated in MS08-068 by not honouring NTLM authentication sessions already in flight. However, this did nothing to stop cross-protocol attacks.

It's possible to abuse cross-protocol NTLM reflection to attack the local SMB server by forcing a local system process to access a WebDAV UNC path. The NTLM authentication can then be reflected locally, authenticating to the Server service as NT AUTHORITY\SYSTEM. From this it's possible to elevate privileges by writing files to the admin shares or connecting to the service manager named pipe.

This issue is known about and mitigations were created, such as Extended Protection for Authentication. However, due to compatibility concerns these mitigations are not enabled by default. As Microsoft will not be issuing a security bulletin for this issue, follow the mitigation guidance below.

Mitigations:

By default all Windows client installations are vulnerable. Even though the WebClient service is not started by default, it's possible to start it using service triggers. The recommended fixes for this issue are:

* Enable SMB signing, or,
* Enable SMB Server SPN verification

Please see the following references for more information on the issue and how to configure the mitigations.

Security Advisory: https://technet.microsoft.com/library/security/973811
KB Article: http://support.microsoft.com/kb/973811
SMB EPA KB article: http://support.microsoft.com/kb/2345886

You can also disable the WebClient service completely; however, that only mitigates this specific expression of the issue. It might be possible to achieve the exploitation in other ways, such as DCE/RPC.

Disclosure Timeline:

- 18 Dec 2014: Sent Microsoft details of issue and proof-of-concept
- 18 Dec 2014: Received confirmation and MSRC case number 21243
- 20 Jan 2015: Received correspondence from Microsoft detailing their thoughts that it's a known issue and due to application compatibility concerns mitigations default to off
- 20 Jan 2015: Requested clarification on whether Microsoft intended to fix the issue or not
- 10 Mar 2015: Notified Microsoft of the upcoming 90 day deadline
- 18 Mar 2015: Got final response from Microsoft indicating they would not be fixing the issue and consider mitigations sufficient
- 18 Mar 2015: Marked as WontFix and removed view restriction on the issue
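As an added example (not part of the original advisory and not Microsoft-supplied tooling), the following PowerShell script reports whether the two recommended mitigations, and the optional WebClient service disablement, are in place on the local host. It assumes the registry value names documented in the referenced KB articles (RequireSecuritySignature for server-side SMB signing, SmbServerNameHardeningLevel for SPN verification) and should be run from an elevated prompt.

```powershell
# Added example: audit the local host for the mitigations recommended in the
# advisory. Read-only; it changes nothing.
$LanmanServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the value is absent, which means "default (off)" here.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Mitigation 1 (KB 973811): server-side SMB signing required.
# Policy name: "Microsoft network server: Digitally sign communications (always)".
$signing = Get-RegDword -Path $LanmanServer -Name 'RequireSecuritySignature'

# Mitigation 2 (KB 2345886): SMB server SPN verification.
# 0 = off (default), 1 = accept if provided by client, 2 = required.
$spnLevel = Get-RegDword -Path $LanmanServer -Name 'SmbServerNameHardeningLevel'

# Optional: WebClient service state and start mode (trigger-start counts as
# enabled, since the advisory notes the service can be started via triggers).
$webClient = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"

$findings = @(
    [pscustomobject]@{
        Check     = 'SMB signing required (RequireSecuritySignature)'
        Value     = $signing
        Mitigated = ($signing -eq 1)
    },
    [pscustomobject]@{
        Check     = 'SMB SPN verification (SmbServerNameHardeningLevel)'
        Value     = $spnLevel
        Mitigated = ($spnLevel -ge 1)
    },
    [pscustomobject]@{
        Check     = 'WebClient service disabled'
        Value     = if ($webClient) { "$($webClient.StartMode)/$($webClient.State)" } else { 'not installed' }
        Mitigated = (-not $webClient) -or ($webClient.StartMode -eq 'Disabled')
    }
)

$findings | Format-Table -AutoSize

# Host is considered protected against this expression of the issue if either
# recommended mitigation is on; WebClient being disabled is defence in depth.
$protected = $findings[0].Mitigated -or $findings[1].Mitigated
Write-Output ("Recommended mitigation present: {0}" -f $protected)
```

The registry values reflect the local-policy settings only; in a domain, confirm the effective value after Group Policy refresh with gpresult or rsop.msc.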