During a recent client engagement, the DGC (DiCicco, Gulman & Company) penetration testing team identified a previously unknown vulnerability affecting the Autodesk Licensing Service, a software component bundled with nearly all licensed Autodesk products. Because that component is common to most Autodesk products, the vulnerability impacts nearly all organizations using licensed Autodesk software in any capacity. The Common Vulnerabilities and Exposures number is CVE-2021-27032, Autodesk Licensing Service: Local Privilege Escalation.
Because these software products are so widely deployed across the public and private sectors, vulnerabilities in Autodesk products pose a significant risk to many organizations, as Autodesk products are often used to generate and process intellectual property and other sensitive data. While a vulnerability in any one Autodesk product represents a risk to the organizations which happen to be using that specific piece of software, a vulnerability that affects nearly all Autodesk applications is considered a critical issue requiring immediate attention.
Autodesk is a global leader in 3D design and development software, and their products are ubiquitous across many industry verticals, including architecture, engineering, construction, design, and manufacturing. Organizations all over the world rely on Autodesk products, including AutoCAD, to aid in the design, development, and manufacturing of all kinds of products. Additionally, Autodesk software is widely deployed across the defense industrial base and critical infrastructure sectors.
The issue lies in the default permissions assigned to the Autodesk Licensing Service, which runs as a locally privileged operating system account. The default privileges assigned to this service allow any authenticated user to modify the service configuration. This means that any low-privileged user can abuse this vulnerable service configuration to execute code in the context of a highly privileged account, resulting in local privilege escalation. As a result, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Exploiting this issue requires local system access, meaning an attacker would first have to gain initial access to a system prior to being able to escalate their privileges using this vulnerability.
Identification and Exploitation
Vulnerabilities related to insecure service configurations are nothing new in the world of information security, and as such, there are a number of offensive and defensive tools available to identify and exploit this class of vulnerabilities.
One of the best tools available is accesschk, which is part of the Windows Sysinternals Suite. Beyond identifying various types of service configuration weaknesses, this tool provides additional benefits over some of the other offerings. The executable is signed by Microsoft, meaning it’s very unlikely to be flagged by antivirus vendors as potentially malicious, and it may even bypass certain application whitelisting restrictions which require code to be signed by authorized developers in order to run on an endpoint. Better yet, this tool can be run “live” without ever requiring the executable itself to touch disk on a target system, thanks to the live versions of these tools available over the internet.
A command like the following can allow an attacker or penetration tester to mount and use the entire Sysinternals suite of tools, without requiring any actual downloads:
net use Z: https://live.sysinternals.com
With the entire suite of tools available on the newly mounted “Z” drive, it is possible to enumerate all services and their permissions using the following command:
Z:\accesschk.exe -uwcqv *
Further, if we know what local groups our account is a member of, we can zoom in on those services granting permissions directly to our account or groups of which we are a member. For example, the following command can be used to identify services for which permissions have been assigned to the “Everyone” group:
Z:\accesschk.exe -uwcqv "Everyone" *
In the output of these commands, an attacker should look for any of the following privileges assigned to their user or a group of which they are a member. These permissions mean that the attacker can either directly modify the service configuration or grant themselves the necessary permissions to do so: SERVICE_CHANGE_CONFIG, SERVICE_ALL_ACCESS, GENERIC_WRITE, GENERIC_ALL, WRITE_DAC, and WRITE_OWNER.
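The same audit can be scripted so a defender can sweep every service on a host for the permission bits listed above without depending on accesschk. The following PowerShell is an added example written for this article, not code from DGC or Autodesk: it reads each service's security descriptor with sc.exe sdshow, parses the SDDL with the .NET RawSecurityDescriptor class, and reports any allow-ACE that grants write-type rights to a broad principal. The set of broad principals (Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE) and the output format are this example's own choices.

```powershell
# Added example (not from the original article): audit every installed service's
# DACL for write-type rights granted to broad principals. It performs the same
# check the article does with accesschk -uwcqv, using sc.exe sdshow and the .NET
# System.Security.AccessControl.RawSecurityDescriptor class.

# Service-specific and generic access-mask bits the article lists as dangerous.
$WriteRights = [ordered]@{
    SERVICE_CHANGE_CONFIG = 0x00000002
    WRITE_DAC             = 0x00040000
    WRITE_OWNER           = 0x00080000
    GENERIC_WRITE         = 0x40000000
    GENERIC_ALL           = 0x10000000
}
$ServiceAllAccess = 0x000F01FF   # SERVICE_ALL_ACCESS: every specific right set

# Well-known SIDs of principals that any authenticated user is (or can be) a member of.
# This list is an assumption of the example; extend it for site-specific groups.
$BroadPrincipals = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

function Get-ServiceSddl {
    param([Parameter(Mandatory)][string]$Name)
    # sc.exe prints a blank line followed by the SDDL string; keep only the descriptor.
    $out = & sc.exe sdshow $Name 2>$null
    return ($out | Where-Object { $_ -match '^\s*[DOGS]:' } | ForEach-Object { $_.Trim() }) -join ''
}

function Find-WeakServiceAcl {
    param([string[]]$ServiceName = (Get-Service | Select-Object -ExpandProperty Name))

    foreach ($name in $ServiceName) {
        $sddl = Get-ServiceSddl -Name $name
        if (-not $sddl) { continue }   # access denied or service no longer present

        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            # Only allow-ACEs grant rights; deny-ACEs restrict them.
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }

            $sid = $ace.SecurityIdentifier.Value
            if (-not $BroadPrincipals.ContainsKey($sid)) { continue }

            # Collect each dangerous bit present in this ACE's access mask.
            $granted = @()
            foreach ($right in $WriteRights.Keys) {
                if ($ace.AccessMask -band $WriteRights[$right]) { $granted += $right }
            }
            if (($ace.AccessMask -band $ServiceAllAccess) -eq $ServiceAllAccess) {
                $granted += 'SERVICE_ALL_ACCESS'
            }

            if ($granted.Count -gt 0) {
                [pscustomobject]@{
                    ServiceName = $name
                    Principal   = $BroadPrincipals[$sid]
                    AccessMask  = ('0x{0:X8}' -f $ace.AccessMask)
                    WeakRights  = ($granted -join ', ')
                }
            }
        }
    }
}

# Usage: list every service whose configuration a low-privileged user could modify.
Find-WeakServiceAcl | Format-Table -AutoSize
```

Each row this produces corresponds to a finding accesschk -uwcqv would report for that principal. A service that appears here is not necessarily the Autodesk issue described in this article; compare the installed version against the vendor advisory, and treat any other hit as a separate misconfiguration to remediate.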
Once a vulnerable service has been identified, all the attacker needs to do is modify the service configuration to point to a malicious executable of their choosing, for example, a reverse shell granting remote access to the system, or an executable designed to add a new local administrator account. When the service is stopped and restarted, the modified configuration will be executed, allowing the attacker to elevate privileges on the operating system.
DGC found and disclosed this vulnerability to the Autodesk Product Security Incident Response Team (PSIRT) immediately after discovering it during a penetration testing engagement. Because this vulnerability affected the entire Autodesk product suite, analysis and patching of the vulnerability took quite some time, but the PSIRT team was responsive and collaborative throughout the entire process. Autodesk has fixed this vulnerability in version 10.2.0.4231 of the affected service, and has provided a security advisory for their customers detailing the vulnerability and affected software versions.
If your organization leverages Autodesk products, patch immediately to mitigate the risk associated with this vulnerability before an attacker can exploit it to gain administrative privileges on systems where the affected software is installed!
If you have questions related to this vulnerability, or other steps you can take to assess and secure your environment, contact Scott Goodwin, OSCP, OSWP, CEH at 781-937-5722 / [email protected].
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.