Aternity is software developed by Riverbed that monitors the performance of applications and devices from the end-user perspective. Software such as Aternity is a prime target for vulnerability research: "monitoring" software typically installs hooks and performs process injection to collect analytics, doing so safely is not a trivial task, and there may be implementation details an attacker can take advantage of. Additionally, there is an incentive to install performance monitors on as many endpoints as possible for the best breadth of coverage, so a flaw in the agent is present on a large number of machines.
Vulnerability Overview
Vulnerable versions of the Aternity agent expose a handle to the agent process, A180AG.exe (running as SYSTEM), inside processes running at low and medium integrity.
Some low and medium integrity processes on this endpoint were observed to hold a handle to the A180AG.exe process with PROCESS_ALL_ACCESS granted on the object. A process can pull handles out of any process it is allowed to open with PROCESS_DUP_HANDLE, so an attacker running as the same user can duplicate the leaked handle into their own process with DuplicateHandle and end up with a fully privileged handle to a SYSTEM process. PROCESS_ALL_ACCESS includes PROCESS_VM_WRITE and PROCESS_CREATE_THREAD, which is enough to execute code in the agent's context: a local privilege escalation (LPE).
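The script below is an added example, not the advisory's PoC and not Riverbed code. It hunts for the condition above in general rather than for Aternity alone: any process handle that a process we can open (same user, medium integrity) holds to a process we could not open ourselves with the same access. It calls NtQuerySystemInformation with SystemExtendedHandleInformation, duplicates each candidate handle into the current process, and reports the target image and granted access mask. The image name A180AG.exe from this advisory is only the default filter; the severity labels and the "dangerous access" bit mask are this script's own choices.

```powershell
# Added example (not the advisory's PoC, not Riverbed code): hunt for process
# handles that a process we can open leaks to a process we cannot.
# Run as the low-privileged user, in the same session as the suspect processes.
param(
    [string]$TargetImage = 'A180AG.exe'   # image name from the advisory; a match is flagged TARGET
)

if (-not ('HandleHunt' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class HandleHunt {
    // SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, as returned by SystemExtendedHandleInformation (class 64)
    [StructLayout(LayoutKind.Sequential)]
    public struct Entry {
        public IntPtr Object; public UIntPtr UniqueProcessId; public UIntPtr HandleValue;
        public uint GrantedAccess; public ushort CreatorBackTraceIndex; public ushort ObjectTypeIndex;
        public uint HandleAttributes; public uint Reserved;
    }
    [DllImport("ntdll.dll")] public static extern int NtQuerySystemInformation(int cls, IntPtr buf, int len, out int ret);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool DuplicateHandle(IntPtr srcProc, IntPtr src, IntPtr dstProc, out IntPtr dst, uint access, bool inherit, uint options);
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern uint GetProcessId(IntPtr process);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool QueryFullProcessImageName(IntPtr process, uint flags, System.Text.StringBuilder name, ref uint size);

    // Snapshot of every handle in every process; the buffer is grown until the kernel
    // stops answering STATUS_INFO_LENGTH_MISMATCH (0xC0000004).
    public static Entry[] Snapshot() {
        int len = 1 << 20, ret, status;
        IntPtr buf = Marshal.AllocHGlobal(len);
        while ((status = NtQuerySystemInformation(64, buf, len, out ret)) == unchecked((int)0xC0000004)) {
            Marshal.FreeHGlobal(buf); len *= 2; buf = Marshal.AllocHGlobal(len);
        }
        if (status != 0) { Marshal.FreeHGlobal(buf); throw new Exception("NtQuerySystemInformation: 0x" + status.ToString("X")); }
        long count = (long)Marshal.ReadIntPtr(buf);          // NumberOfHandles
        IntPtr first = IntPtr.Add(buf, 2 * IntPtr.Size);     // skip NumberOfHandles and Reserved
        int size = Marshal.SizeOf(typeof(Entry));
        Entry[] entries = new Entry[count];
        for (long i = 0; i < count; i++)
            entries[i] = (Entry)Marshal.PtrToStructure(IntPtr.Add(first, (int)(i * size)), typeof(Entry));
        Marshal.FreeHGlobal(buf);
        return entries;
    }
}
'@
}

$PROCESS_DUP_HANDLE    = 0x0040
$DUPLICATE_SAME_ACCESS = 0x0002
$DangerousAccess       = 0x0002 -bor 0x0008 -bor 0x0020 -bor 0x0040   # CREATE_THREAD | VM_OPERATION | VM_WRITE | DUP_HANDLE
$me      = [HandleHunt]::GetCurrentProcess()
$sources = @{}   # owner pid -> handle opened with PROCESS_DUP_HANDLE, or Zero if that failed

function Get-ImageName([IntPtr]$Process) {
    $sb = New-Object System.Text.StringBuilder 1024
    [uint32]$n = $sb.Capacity
    if ([HandleHunt]::QueryFullProcessImageName($Process, 0, $sb, [ref]$n)) { return [IO.Path]::GetFileName($sb.ToString()) }
    return '?'
}

foreach ($e in [HandleHunt]::Snapshot()) {
    $owner = [uint32]$e.UniqueProcessId.ToUInt64()
    if ($owner -eq $PID) { continue }
    if (-not $sources.ContainsKey($owner)) { $sources[$owner] = [HandleHunt]::OpenProcess($PROCESS_DUP_HANDLE, $false, $owner) }
    if ($sources[$owner] -eq [IntPtr]::Zero) { continue }      # holder is out of reach: a leak there does not help us
    $dup = [IntPtr]::Zero
    $src = [IntPtr]([int64]$e.HandleValue.ToUInt64())
    if (-not [HandleHunt]::DuplicateHandle($sources[$owner], $src, $me, [ref]$dup, 0, $false, $DUPLICATE_SAME_ACCESS)) { continue }
    try {
        $target = [HandleHunt]::GetProcessId($dup)          # 0 for non-process objects (or no QUERY_LIMITED_INFORMATION)
        if ($target -eq 0 -or $target -eq $PID) { continue }
        # If we can open the target directly with the same access, the leak gains us nothing.
        $direct = [HandleHunt]::OpenProcess($e.GrantedAccess, $false, $target)
        if ($direct -ne [IntPtr]::Zero) { [void][HandleHunt]::CloseHandle($direct); continue }
        $image = Get-ImageName $dup
        $sev = if ($image -ieq $TargetImage) { 'TARGET' } elseif ($e.GrantedAccess -band $DangerousAccess) { 'ESCALATION' } else { 'info' }
        [pscustomobject]@{ Severity = $sev; OwnerPid = $owner; Handle = '0x{0:X}' -f $e.HandleValue.ToUInt64()
                           TargetPid = $target; Image = $image; Access = '0x{0:X}' -f $e.GrantedAccess }
    } finally { [void][HandleHunt]::CloseHandle($dup) }
}
foreach ($h in $sources.Values) { if ($h -ne [IntPtr]::Zero) { [void][HandleHunt]::CloseHandle($h) } }
```

Save it under any name (say Find-LeakedProcessHandle.ps1, an assumed name) and run it from a standard-user Windows PowerShell 5.1 session, piping to Format-Table. A TARGET row whose Access is 0x1FFFFF (PROCESS_ALL_ACCESS on current Windows versions) in a process the user owns is the condition this advisory describes; an ESCALATION row is the same bug in some other product. The script duplicates and closes handles belonging to other processes of the same user, which is usually harmless but is an intrusive check, so run it on a test machine rather than on a production endpoint.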
Responsible Disclosure
Affected Versions: < 12.1.4.27
The vulnerability was reported to Riverbed and a patch has been issued.
References / Further Reading:
- https://aptw.tf/2022/02/10/leaked-handle-hunting.html
- https://twitter.com/last0x00
- https://twitter.com/APTortellini
- https://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/
- https://twitter.com/dronesec
- https://scorpiosoftware.net/2021/01/10/parent-process-vs-creator-process/
- https://github.com/bananabr/Givemeahand
Proof-of-Concept:
Available on GitHub.