2020-06-06 Update: this trick no longer works on the latest builds of Windows 10 Insider Preview. This means that, although it still works on the mainstream version of Windows 10, you should expect it to be patched in the coming months.
This PoC shows a technique that can be used to weaponize privileged file write vulnerabilities on Windows. It provides an alternative to the DiagHub DLL loading "exploit" found by James Forshaw (a.k.a. @tiraniddo), which was fixed by Microsoft starting from build version 1903.
Starting from Windows 10, Microsoft introduced the
Update Session Orchestratorservice. As a regular user, you can interact with this service using COM, and start an "update scan" (i.e. check whether updates are available) or start the download of pending updates for example. There is even an undocumented built-in tool called
usoclient.exe, which serves that purpose.
From an attacker's standpoint, this service is interesting because it runs as
NT AUTHORITY\Systemand it tries to load a non-existent DLL (
windowscoredeviceinfo.dll) whenever an Update Session is created.
This means that, if we found a privileged file write vulnerability in Windows or in some third-party software, we could copy our own version of
C:\Windows\Sytem32\and then have it loaded by the USO service to get arbitrary code execution as
For more information:
Part 1 - https://itm4n.github.io/usodllloader-part1/
Part 2 - https://itm4n.github.io/usodllloader-part2/
Build the PoC
This solution is composed of two projects: WindowsCoreDeviceInfo and UsoDllLoader.
QueryDeviceInformation()function is called. That's the name of the function used by the USO workers.
- UsoDllLoader (optional)
usoclient.exe. It can be run as a regular user to interact with the USO service and have it load
windowscoredeviceinfo.dll. Then, it will try to connect to the bind shell. In case of errors, please read the "Known issues" section.
Build the solution
The solution is already preconfigured so compiling should be easy. I'm using Visual Studio 2019. It might not work with older versions.
- Build solution.
- Output: the DLL
.\x64\Release\WindowsCoreDeviceInfo.dlland the loader
Usage 1 - UsoDllLoader
For testing purposes, you can:
- As an administrator, copy
- Use the loader as a regular user.
- Hopefully enjoy a shell as
Usage 2 - UsoClient
UsoDllLoader.exefails, you can do the above manually.
- As an administrator, copy
- Use the command
usoclient StartInteractiveScanas a regular user. Note that you won't get any feedback from the command.
- Download netcat for Windows and use the command
nc.exe 127.0.0.1 1337to connect to the bindshell.
- Pending updates
- RPC errors
UsoDllLoader.exemight fail with various error codes. I didn't investigate these issues too much. The reason for this is that it's only a PoC, which I developped for convenience. What matters the most is the DLL, not the loader. See "Usage 2" for more details.