Two years ago (march 2020), I found this sort of “vulnerability” in Folder Redirection policy and reported it to MSRC. They acknowledged it with CVE-2021-26887 even if they did not really fix the issue (“folder redirection component interacts with the underlying NTFS file system has made this vulnerability particularly challenging to fix”). The proposed solution was reconfiguring Folder Redirection with Offline files and restricting permission.
I completely forgot about this case until the last few days when I came across my report and then decided to publish my findings (don’t expect nothing very sophisticated)
There is also an “important” update at the end.. so keep on reading 🙂
If “Folder Redirection” has been enabled via Group Policy and the redirected folders are hosted on a network share, it is possible for a standard user who has access on this file server to access other user’s folders and files (information disclosure) and eventually perform code execution and privilege escalation
In this example I used 3 VM’s:
On the domain controller I create a “Folder Redirection” Policy. In my example, I’m going to use the “Default Domain Policy” and redirect two folders, the user’s “Documents” and “AppData” Folder on a network share located on server “S01”.
The policy can be found in the SYSVOL share of the DC’s:
The folder redirected share is accessible via network path \\S01\users$. The permissions on this folder have been configured on server “S01” according to MS document: https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-folder-redirection
In my case “S01\Users” group is the group which will be applied the policy because this group contains the “Domain Users” groups too.
Each time domain user login to the domain the documents & appdata folders (in this case) are saved on the network share. If it the first time the user logs in, the necessary directories are created under the share with strict permissions:
Someone could think to create the necessary directories before the domain users logs in, grant himself and the domain user full control and then access this private folder and data afterwards.
This is not possible, because during the first logon, if the folder already exists, a strict check on ownership and permissions are made and if they don’t match the folder will not be used. (I verified this with “procmon”)
But if the shared directory has valid permissions and owner, during the subsequent logins, no more checks on permissions are made and this could be a potential security issue.
How can I accomplish this? This is what I will do:
As a standard local/domain user login on the server where the shares are hosted (I know this is not so common..)
I will create a “junction” for the “a new” user who did not login to domain up to now or did not apply the Folder Redirection policy. (Finding “new” users is a real easy task for a standard domain user, so I won’t explain it). In my case, for example, “domainuser3”
Now I have to wait for domainuser3 to login from his Windows 10 (in my case) Documents…)
The Folder Redirection policy has been applied and permissions are set on the folders.
But as we can see on the fileserver S01, my junction point has been followed too, the real location of the folders is here:
Now, all the malicious user “localuser” has to do is wait for the domainuser3 logoff , delete the junction , create the new folders under the original share:
… and the set the permissions (Documents & AppData in our case) so that “everyone” will be granted full control:
Given that in my case the “AppData” folder is also redirected, we could place a “malicious” program in the user’s Startup folder which will then be executed at login (for example a reverse shell)
At this point, “localuser” has to wait for the next login of “domainuser3”
And will get a shell impersonating domainuser3 (imagine if it was a high privileged user):
Of course he will be able to access with full control permissions the documents folder:
Even if the pre-conditions are not so “common”, this vulnerability could easily lead to information disclosure and EoP.
So far the report, but when I read again the mitigations suggested by MS something was not so clear. The first time the user logs in, the necessary security checks are performed, so why did they say that it was not possible to fix? All they had to do was to perform these checks not only at the first logon, right?
My best guess is that if the profile, or more precisely the registry entry HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\<user_sid> is not found, checks are performed otherwise skipped.
A quick test demonstrated that I was right, after the first logon, I deleted the registry entry and security checks were again performed.
Maybe that the answer is in fdeploy.dll, for example in CEngine::_ProcessFRPolicy, I need to investigate further… or maybe I’m missing something, but this exercise is left to the reader.
That’s all 😉