Full Disclosure mailing list archives

Defense in depth -- the Microsoft way (part 39): vulnerabilities, please meet the bar for security servicing

From: "Stefan Kanthak" <stefan.kanthak () nexgo de>

Date: Tue, 15 Mar 2016 20:05:58 +0100

Hi @ll,

this multipart post does not require a MIME-compliant MUA.-)

Part 0:
~~~~~~~

On Windows 7 (other versions of Windows not tested for this vulnerability,
but are likely vulnerable too) all executable installers/self-extractors
based on Microsoft's SFXCAB [*] load and execute a rogue CryptDll.dll from
their application directory instead of %SystemRoot%\System32\CryptDll.dll.

For software downloaded with a web browser the application directory is
typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art" about
this well-known and well-documented vulnerability; also see
<https://cwe.mitre.org/data/definitions/426.html> and
<https://cwe.mitre.org/data/definitions/427.html> plus
<https://capec.mitre.org/data/definitions/471.html>

If an attacker places CryptDll.dll in the user's "Downloads" directory (for
example via "drive-by download" or "social engineering") this vulnerability
becomes a remote code execution.

The application manifest embedded in many/most of these executables
specifies "requireAdministrator", so execution of CryptDll.dll then results
in an escalation of privilege!

Proof of concept/demonstration:

1. Download <http://home.arcor.de/skanthak/download/CRYPTDLL.DLL> and save
   it in your "Downloads" directory;

2. Download an arbitrary executable installer/self-extractor based on
   SFXCAB [*] from the Microsoft Download Center and save it in your
   "Downloads" directory, for example:

   2.a MSEInstall.exe via
       <https://www.microsoft.com/en-us/download/details.aspx?id=5201>
   2.b mssstool32.exe via <http://go.microsoft.com/fwlink/?LinkID=234123>
   2.c ImagePackage32.exe via <http://go.microsoft.com/fwlink/?LinkID=267537>
       or <http://go.microsoft.com/fwlink/?LinkID=232568>
   2.d VCRedist_x86.exe via
       <https://www.microsoft.com/en-us/download/details.aspx?id=40784>
       <https://www.microsoft.com/en-us/download/details.aspx?id=30679>
       <https://www.microsoft.com/en-us/download/details.aspx?id=8328>
       <https://www.microsoft.com/en-us/download/details.aspx?id=5555>
       ...
   2.e VC-Compiler-KB2519277.exe via
       <http://www.microsoft.com/en-us/download/details.aspx?id=4422>

   (several hundred to a thousand vulnerable installers omitted ...)

   2.zzz Silverlight.exe via
       <http://www.microsoft.com/getsilverlight/Get-Started/Install/Default.aspx>

3. Run any executable installer/self-extractor based on SFXCAB from your
   "Downloads" directory;

4. Notice the message boxes displayed from CryptDll.dll downloaded in
   step 1: PWNED!

Response from Microsoft's Security Response Center:

| Upon investigation this application directory binary planting
| issue does not meet the bar for security servicing.

But see CVE-2016-0014 alias MS16-007, CVE-2014-0315 alias MS14-019,
CVE-2015-8264, CVE-2016-1281, CVE-2016-0603, CVE-2016-0602 and many more
fixed vulnerabilities of exactly this kind!
Part 1: MSRC case 31723
~~~~~~~~~~~~~~~~~~~~~~~

On all supported versions of Windows the AntiMalware Definition Updaters
MPAM-D.exe and MPAM-FE[x64].exe (see
<https://support.microsoft.com/en-us/kb/935934>,
<https://technet.microsoft.com/en-us/library/gg398041.aspx> and
<https://www.microsoft.com/security/portal/definitions/adl.aspx>) load and
execute a rogue Cabinet.dll from their application directory instead of
%SystemRoot%\System32\Cabinet.dll

Proof of concept/demonstration:

1. Download <http://home.arcor.de/skanthak/download/CABINET.DLL> and save
   it in your "Downloads" directory;
2. Download MPAM-D.exe or MPAM-FE.exe and save it in your "Downloads"
   directory;
3. Run MPAM-D.exe or MPAM-FE.exe;
4. Notice the message boxes displayed from Cabinet.dll downloaded in
   step 1: PWNED!

Response from Microsoft's Security Response Center:

| Since this requires a user to run executables or installers from
| an untrusted location it does not meet the bar for servicing via
| bulletin.

Apparently the MSRC never read the instructions given on
<https://www.microsoft.com/security/portal/definitions/adl.aspx>

| Antimalware and antispyware updates
| ...
| To download these updates:
| 1. Check whether your version of Windows is 32-bit or 64-bit.
| 2. In the table below, right-click on the link that will work
|    for your version of Windows and choose Save target as... or
|    Save link as...
| 3. Save the file to your Desktop.
| 4. When the file has finished downloading, go to your Desktop
|    and double-click the file (it will be called mpam-fe.exe,
|    mpas-fe.exe, or mpam-feX64.exe).
| 5. Follow the prompts to install the update.

and considers the "Desktop" a trusted location, despite
<https://support.microsoft.com/en-us/kb/959426> alias
<https://technet.microsoft.com/en-us/library/ms09-014.aspx> plus
<https://blogs.technet.com/b/srd/archive/2009/04/14/ms09-014-addressing-the-safari-carpet-bomb-vulnerability.aspx>,
<https://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx>
and
<https://blogs.technet.com/b/srd/archive/2010/08/31/an-update-on-the-dll-preloading-remote-attack-vector.aspx>

Part 2: MSRC case 32352
~~~~~~~~~~~~~~~~~~~~~~~

On Windows 7 (other versions of Windows not tested for this vulnerability,
but are likely vulnerable too) LoadLibrary("URL.dll") as well as
LoadLibrary("C:\Windows\System32\URL.dll") load and execute a rogue
OLEAcc.dll from the application directory of the calling program instead
of %SystemRoot%\System32\OLEAcc.dll.

Proof of concept/demonstration: adapt the PoC from part 3.

JFTR: URL.dll is a load-time dependency of quite some other DLLs and
programs!

Part 3: MSRC case 32432
~~~~~~~~~~~~~~~~~~~~~~~

On Windows XP and its still (til April 2019) serviced cousin Windows
Embedded POSReady 2009 LoadLibrary("CryptUI.dll") as well as
LoadLibrary("C:\Windows\System32\CryptUI.dll") load a rogue RichEd20.dll
from the application directory of the calling program instead of
%SystemRoot%\System32\RichEd20.dll

Proof of concept/demonstration:

1. Compile and link the following program as CryptUI.exe:

   #include <windows.h>

   /* Minimal entry point without the C runtime: load CryptUI.dll by its
      bare name (resolved to %SystemRoot%\System32\CryptUI.dll) and let the
      loader resolve its dependency RichEd20.dll along the default search
      order, i.e. starting in the application directory. */
   void WinMainCRTStartup(void)
   {
       HMODULE hModule = INVALID_HANDLE_VALUE;

       if ((hModule = LoadLibrary("CryptUI.dll")) == NULL)
           ExitProcess(GetLastError());

       if (!FreeLibrary(hModule))
           ExitProcess(GetLastError());

       ExitProcess(0L);
   }

   or download the compiled program from
   <http://home.arcor.de/skanthak/temp/CRYPTUI.EXE>, then save it in your
   "Downloads" directory;

2. Download <http://home.arcor.de/skanthak/download/RICHED20.DLL> and save
   it in your "Downloads" directory;
3. Run CryptUI.exe;
4. Notice the message boxes displayed from RichEd20.dll downloaded in
   step 2: PWNED!

JFTR: CryptUI.dll is a dependency of quite some other DLLs, for example
ShDocVw.dll and URL.dll.

Response from Microsoft's Security Response Center:

| This is an application directory behavior and it does not
| currently meet the bar for a security servicing update.

Of course Microsoft's own documentation advises how to avoid these bloody
beginner's errors: see
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> plus
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>:

| To ensure secure loading of libraries
| * Use proper DLL search order.
| * Always specify the fully qualified path when the library
|   ~~~~~~
|   location is constant.

Part 4: MSRC case 32250
~~~~~~~~~~~~~~~~~~~~~~~

On Windows 7, Windows XP and its still (til April 2019) serviced cousin
Windows Embedded POSReady 2009 (other versions of Windows not tested for
this vulnerability, but are likely vulnerable too) ShellExecuteEx() and
ShellExecute() load and execute several DLLs from the application
directory of the calling program instead of the system directory
%SystemRoot%\System32\

Proof of concept/demonstration:

1. Compile and link the following program as ShlExecX.exe:

   #include <windows.h>
   #include <shellapi.h>
   #include <objbase.h>

   /* Minimal entry point without the C runtime: initialize COM, then ask
      the shell to open the current directory "." via ShellExecuteEx(),
      which makes the shell load its helper DLLs (and their dependencies)
      along the default search order, i.e. starting in the application
      directory. CoUninitialize() is only called when CoInitializeEx()
      succeeded, as COM requires. */
   void WinMainCRTStartup(void)
   {
       HRESULT hr = S_OK;
       DWORD dwError = ERROR_SUCCESS;
       SHELLEXECUTEINFO sei = {sizeof(sei)};

       if (FAILED(hr = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE)))
           dwError = hr;
       else
       {
           sei.fMask = SEE_MASK_FLAG_DDEWAIT;
           sei.nShow = SW_SHOWNORMAL;
           sei.lpFile = "."; // try "*" or other names too!
           sei.lpVerb = NULL;

           if (!ShellExecuteEx(&sei))
               dwError = GetLastError();

           CoUninitialize();
       }

       ExitProcess(dwError);
   }

   or download the compiled program from
   <http://home.arcor.de/skanthak/temp/SHLEXECX.EXE> and save it in your
   "Downloads" directory;

   An alternative version which calls ShellExecute() instead of
   ShellExecuteEx() is available as
   <http://home.arcor.de/skanthak/temp/SHLEXEC.EXE>

2. Download <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save
   it as DWMAPI.dll in your "Downloads" directory, then copy it as
   SetupAPI.dll, COMRes.dll and ClbCatQ.dll;
3. Download <http://home.arcor.de/skanthak/download/WTSAPI32.DLL>,
   <http://home.arcor.de/skanthak/download/UXTHEME.DLL> and
   <http://home.arcor.de/skanthak/download/RICHED20.DLL> and save them in
   your "Downloads" directory;
4. Run ShlExecX.exe or ShlExec.exe;
5. Notice the message boxes displayed from the DLLs downloaded in steps 2
   and 3: PWNED!

No response from Microsoft's Security Response Center for 10 weeks!
No answer to a status request for 10 days.
stay tuned
Stefan Kanthak

[*] executable installers/self-extractors based on SFXCAB.EXE may be
    identified via their embedded manifest (resource type 24, resource id 1):

    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
      <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="sfxcab.exe" type="win32">
                                                                      ~~~~~~~~~~~~~~~~~
      </assemblyIdentity>
      <ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
        <ms_asmv2:security>
          <ms_asmv2:requestedPrivileges>
            <ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false">
            </ms_asmv2:requestedExecutionLevel>
          </ms_asmv2:requestedPrivileges>
        </ms_asmv2:security>
      </ms_asmv2:trustInfo>
    </assembly>

    or

    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
      <assemblyIdentity version="6.3.18.0" processorArchitecture="X86" name="sfxcab" type="win32">
                                                                       ~~~~~~~~~~~~~
      </assemblyIdentity>
      <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
        <application>
          <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
          <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
        </application>
      </compatibility>
      <description>setup</description>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
        <security>
          <requestedPrivileges>
            <requestedExecutionLevel level="requireAdministrator" uiAccess="false">
            </requestedExecutionLevel>
          </requestedPrivileges>
        </security>
      </trustInfo>
    </assembly>
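Added example (not part of the post and not a Microsoft tool): a Python triage script for a "Downloads" directory that covers two points made above, the planted DLLs of parts 0 to 4 sitting beside an installer, and the footnote's identification of SFXCAB-based installers by the sfxcab name in their embedded manifest. It assumes the manifest XML is stored as plain text in the resource section (as RT_MANIFEST resources are) and scans bytes instead of parsing the PE resource tree; the sample files it creates are constructed stubs, not real installers.

```python
import os, re, tempfile

# DLL names the post reports as loaded from the application directory instead of %SystemRoot%\System32.
SHADOWED_DLLS = {"cryptdll.dll", "cabinet.dll", "oleacc.dll", "riched20.dll",
                 "dwmapi.dll", "setupapi.dll", "comres.dll", "clbcatq.dll",
                 "wtsapi32.dll", "uxtheme.dll"}

# RT_MANIFEST (type 24, id 1) is plain XML text, so a byte regex finds it without walking the PE tree.
_IDENT = re.compile(rb'<assemblyIdentity[^>]*\bname="sfxcab(?:\.exe)?"', re.I)
_LEVEL = re.compile(rb'requestedExecutionLevel[^>]*\blevel="([^"]+)"', re.I)

def inspect_installer(path):
    """Return (is_sfxcab, requested_execution_level) for one executable."""
    with open(path, "rb") as f:
        data = f.read()
    level = _LEVEL.search(data)
    return (_IDENT.search(data) is not None,
            level.group(1).decode("ascii", "replace") if level else None)

def find_planted_dlls(directory):
    """Files in `directory` whose names shadow the System32 DLLs listed above."""
    return sorted(n for n in os.listdir(directory) if n.lower() in SHADOWED_DLLS)

def triage(directory):
    """SFXCAB-based .exe files (with their execution level) and planted DLLs."""
    report = {"planted_dlls": find_planted_dlls(directory), "installers": {}}
    for name in sorted(os.listdir(directory)):
        if name.lower().endswith(".exe"):
            is_sfx, level = inspect_installer(os.path.join(directory, name))
            if is_sfx:
                report["installers"][name] = level
    return report

# Constructed sample data: a stub "installer" carrying the first manifest shape from the footnote.
SAMPLE_MANIFEST = (
    b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    b'<assemblyIdentity version="1.0.0.0" processorArchitecture="X86" '
    b'name="sfxcab.exe" type="win32"></assemblyIdentity>'
    b'<ms_asmv2:requestedExecutionLevel level="requireAdministrator" '
    b'uiAccess="false"></ms_asmv2:requestedExecutionLevel></assembly>')

def make_sample_dir():
    """Create a temporary "Downloads" directory holding the constructed stub files."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "MSEInstall.exe"), "wb") as f:
        f.write(b"MZ" + b"\0" * 62 + SAMPLE_MANIFEST)  # stub DOS header + manifest
    with open(os.path.join(d, "CryptDll.dll"), "wb") as f:
        f.write(b"MZ" + b"\0" * 62)  # contents irrelevant: the name is the finding
    return d
```

Running `triage(make_sample_dir())` reports the stub MSEInstall.exe as SFXCAB-based with level requireAdministrator and CryptDll.dll as a planted DLL; pointed at a real Downloads directory it flags the same combination the proof of concept in part 0 relies on.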