Druva inSync Windows Client Local Privilege Escalation (CVE-2019-3999 Patch Bypass)

The Windows Druva inSync Client Service (inSyncCPHwnet64.exe) contains a path traversal vulnerability that can be exploited by a local, unauthenticated attacker to execute OS commands with SYSTEM privileges. When processing RPC type 5 requests over TCP port 6064, inSyncCPHwnet64.exe does not properly validate request data prior to passing it to the CreateProcessW() function. By sending a crafted RPC request, an attacker can elevate privileges to SYSTEM.

Specifically, this vulnerability exists due to an incomplete patch for CVE-2019-3999. Input validation was implemented to ensure only executables existing in the C:\ProgramData\Druva\inSync4\ directory can be executed, but this logic can be bypassed by using ..\ to traverse the directory tree structure. Validation is passed because the executable path leads with C:\ProgramData\Druva\inSync4\.

Proof of Concept (PoC)

See GitHub

druva_win_cphwnet64.py has been provided to demonstrate proof of concept. The PoC will execute a command of your choosing. Below is an example invocation of the script.

python druva_win_cphwnet64.py "C:\ProgramData\Druva\inSync4\..\..\..\Windows\system32\net.exe user /add druvatest"

Below is a log entry in inSyncCPH.log showing a successful exploitation attempt. Notice that the command 'net user /add druvatest' was executed.

25/02/2020 06:37:36	:Got a request to create a process for sysstate. converted: 82, cmd: C:\ProgramData\Druva\inSync4\..\..\..\Windows\system32\net.exe user /add druvatest
25/02/2020 06:37:36	:The binary C:\ProgramData\Druva\inSync4\..\..\..\Windows\system32\net.exe user /add druvatest is from insync path - C:\ProgramData\Druva\inSync4\. Will execute it 
25/02/2020 06:37:36	:Exit code for sysstate process is 0 and return value is 1