Be careful with PPKG files

While working on a Windows 10 lab, I discovered a weakness in the provisioning engine responsible for handling PPKG files.

Let’s say you want to use PPKG files to provision a local admin account: you secure the PPKG file and install it on Windows 10 (version 1507).

Imagine your IT department gave you a brand new Windows 10 machine and used a PPKG to install a local admin account.

If you’re logged in as a standard user, you can actually read the local admin password stored in clear text in configuration files. D’oh!

dir C:\ProgramData\Microsoft\Provisioning -inc *.xml -rec | 
sls 'password' -context 1,1

No need to find an Elevation of Privilege vulnerability or to decrypt passwords stored in Group Policy Preferences (remember MS14-025 and its CPassword vulnerability in GPP, CVE-2014-1812?).

It appeared that the ACLs on “C:\ProgramData\Microsoft\Provisioning” allowed standard users to read its content.

I’ve contacted Microsoft about this issue, respected the coordinated vulnerability disclosure guidelines and waited for 90 days before reporting it publicly.

There’s also another kind of file that stores the password in clear text:

dir C:\ProgramData\Microsoft\Provisioning -inc *.provxml -rec | 
sls 'password'


I’ve found that only Windows 10 RTM (1507 branch/Threshold1/10.0.10240) is at stake and that the issue has been addressed in the Threshold2 branch (1511 or 10.0.10586). The latest report I had from Microsoft about this issue also confirmed these findings.

I don’t know if the ACLs on the Provisioning directory are corrected if you upgraded from the 1507 branch to the 1511 branch.
If you run the 1507 LTSB version, I don’t know if you’re safe…
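If you want to check a given machine yourself (upgraded 1507, LTSB or otherwise), the following PowerShell function is an added, report-only example that is not part of the original post: it lists every Allow ACE on the Provisioning directory that grants read access to a well-known low-privilege principal, and names the files under it that mention a password so you know which credentials to rotate. It assumes it is run from an elevated prompt so that Get-Acl can read the entries.

```powershell
# Added example, not from the original post: audit whether the provisioning
# directory is readable by ordinary users and name the files inside it that
# mention a password. Report-only; it changes nothing. Assumes an elevated
# session on the machine being checked.
function Test-ProvisioningAcl {
    [CmdletBinding()]
    param([string]$Path = 'C:\ProgramData\Microsoft\Provisioning')

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path not found; nothing to audit."
        return
    }
    # Well-known SIDs that every standard (non-admin) user holds.
    $lowPrivSids = @(
        'S-1-1-0',       # Everyone
        'S-1-5-11',      # Authenticated Users
        'S-1-5-32-545',  # BUILTIN\Users
        'S-1-5-4'        # INTERACTIVE
    )
    # ReadData (bit 0) is what lets a principal read file contents; Read,
    # ReadAndExecute, Modify and FullControl all include it. Generic rights
    # (GENERIC_READ etc.) are not decoded here.
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

    $weakAces = foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }  # orphaned or unresolvable identity; skip it
        if (($lowPrivSids -contains $sid) -and
            (([int]$ace.FileSystemRights -band $readData) -ne 0)) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    # Same search the post uses, but only file names are reported, never the
    # matched lines, so the report itself does not leak the secret.
    $exposedFiles = Get-ChildItem -Path $Path -Recurse -Include *.xml, *.provxml -ErrorAction SilentlyContinue |
        Select-String -Pattern 'password' -List |
        Select-Object -ExpandProperty Path -Unique

    [pscustomobject]@{
        Path                    = $Path
        ReadableByUsers         = [bool]$weakAces
        WeakAces                = @($weakAces)
        FilesMentioningPassword = @($exposedFiles)
    }
}

Test-ProvisioningAcl | Format-List
```

A `ReadableByUsers` of `$true` together with a non-empty `FilesMentioningPassword` reproduces the exposure described above; if either is empty, the ACL has been tightened or the package left no plaintext behind on that build.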
