Date: Fri, 4 Sep 2015 20:18:25 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <fulldisclosure@...lists.org>
Subject: Defense in depth -- the Microsoft way (part 32): yet another (trivial) UAC bypass resp. privilege escalation

Hi @ll,

in <http://seclists.org/fulldisclosure/2013/Sep/132> I showed an
elaborated way for privilege elevation using IExpress (and other
self-extracting) installers containing *.MSI or *.MSP which works
"in certain situations".

Microsoft addressed this vulnerability with
<https://technet.microsoft.com/library/security/ms14-049.aspx>


In <http://seclists.org/fulldisclosure/2013/Oct/5> I showed an
indirect way for privilege elevation using IExpress installers
and "binary planting".


But there's a direct way too: just call any IExpress installer
(the Microsoft download center offers plenty of them) with a
command line of your choice, for example

CAPICOM-KB931906-v2102.exe /C:"%COMSPEC% /K Title PWNED!"

Due to UAC's installer detection, the given command line is executed
with full administrative privileges.

stay tuned
Stefan Kanthak

PS: this attack vector can be (ab)used with WSUS(pect)!

    Using legitimate IExpress packages like CAPICOM-KB931906-v2102.exe,
    RvkRoots.exe (cf. <https://support.microsoft.com/en-us/kb/3050995>)
    or RootsUpd-KB931125-*.exe which are distributed per Windows Update
    has the advantage that the clients %SystemRoot%\WindowsUpdate.log
    and their %SystemRoot%\SoftwareDistribution\Download folder don't
    show telltale signs of 3rd party executables (as used/proposed by
    the authors of WSUSpect).

JFTR: I *love* security fixes which are vulnerable themselves.
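Detection logic for the pattern the post describes, added here as an example and not part of the original post: process-creation records are scanned for an IExpress package started with a /C: install-command override that names a shell, and elevated instances are labelled separately. The Sysmon-style field names and the sample records are constructed for the example.

```python
import re

# IExpress packages honour a /C:<command> switch that overrides the package's
# built-in install command. When UAC's installer detection elevates the
# package, a shell named in that override inherits the elevated token.
OVERRIDE_SWITCH = re.compile(r'(?<!\S)/C:(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))',
                             re.IGNORECASE)
SHELL_REFERENCE = re.compile(r'%COMSPEC%|\b(?:cmd|powershell)(?:\.exe)?\b',
                             re.IGNORECASE)
ELEVATED = {"high", "system"}


def override_command(cmdline: str):
    """Return the value of a /C: override switch, or None if there is none."""
    m = OVERRIDE_SWITCH.search(cmdline)
    if m is None:
        return None
    return m.group("quoted") if m.group("quoted") is not None else m.group("bare")


def classify(event: dict):
    """Label one process-creation record; None means nothing of interest."""
    cmd = override_command(event.get("CommandLine", ""))
    if cmd is None or SHELL_REFERENCE.search(cmd) is None:
        return None
    if event.get("IntegrityLevel", "").lower() in ELEVATED:
        return "elevated-shell-override"
    return "shell-override"


def scan(events):
    """Return (label, CommandLine) for every record that classify() flags."""
    hits = []
    for event in events:
        label = classify(event)
        if label is not None:
            hits.append((label, event["CommandLine"]))
    return hits


# Constructed sample records (Sysmon-style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\CAPICOM-KB931906-v2102.exe",
     "CommandLine": 'CAPICOM-KB931906-v2102.exe /C:"%COMSPEC% /K Title PWNED!"',
     "IntegrityLevel": "High"},
    {"Image": r"C:\Users\alice\Downloads\CAPICOM-KB931906-v2102.exe",
     "CommandLine": "CAPICOM-KB931906-v2102.exe /Q", "IntegrityLevel": "High"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /C dir", "IntegrityLevel": "Medium"},
    {"Image": r"C:\Temp\RvkRoots.exe",
     "CommandLine": 'RvkRoots.exe /C:"cmd.exe /k whoami"', "IntegrityLevel": "Medium"},
]
```

The cmd.exe record is deliberately not flagged: cmd's own /C switch has no colon, so only the IExpress override syntax matches.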
