Date: Tue, 8 Sep 2015 19:04:34 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <fulldisclosure@...lists.org>
Subject: Defense in depth -- the Microsoft way (part 33): arbitrary code execution (and UAC bypass) via RegEdit.exe

Hi @ll,

part 31 (see <http://seclists.org/fulldisclosure/2015/Mar/92>)
showed how to execute arbitrary (rogue) executables planted as
%SystemRoot%\System32\RegEdit.exe, %SystemRoot%\System32\Explorer.exe
etc. instead of %SystemRoot%\RegEdit.exe, %SystemRoot%\Explorer.exe
etc., including a possible UAC bypass.

This works since Microsoft (mis)places these executables (for
historical "reasons") in %windir%\ alias %SystemRoot%\ (the path
returned from the GetWindowsDirectory() function), although the
hard-coded search order uses %SystemRoot%\System32\ (the path
returned from the GetSystemDirectory() function) before %windir%\
alias %SystemRoot%\.

JFTR: in x64 versions of Windows these historical "reasons" have,
      however, been abandoned completely for 32-bit executables: the 32-bit
      counterparts of all 64-bit executables located in %SystemRoot%\
      have been moved to %SystemRoot%\SysWoW64\.
      This is backwards compatible since %SystemRoot%\System32\ is
      redirected to %SystemRoot%\SysWoW64\ for 32-bit executables and
      due to the hard-coded search order, plus
      <https://msdn.microsoft.com/en-us/library/aa384187.aspx>:

      | Access to %windir%\regedit.exe is redirected to
      | %windir%\SysWOW64\regedit.exe. 

(Un)fortunately there is no redirection from %SystemRoot%\RegEdit.exe
to %SystemRoot%\System32\RegEdit.exe for 64-bit executables and in
x86 versions of Windows.

RegEdit.exe loads various DLLs; since the hard-coded search order
(see <https://msdn.microsoft.com/en-us/library/ms682586.aspx>) uses
the application directory first, it is possible to have it load
arbitrary (rogue) DLLs planted into %SystemRoot%\ instead of the
system DLLs installed in %SystemRoot%\System32\ (except for the
"known DLLs", see <https://support.microsoft.com/en-us/kb/164501>).

Of course any other executable (mis)placed in %SystemRoot%\ might be
(ab)used too!


Proof of concept
~~~~~~~~~~~~~~~~
(for Windows 2000 to Windows 10; use your own "sentinel" instead of mine
for Windows NT4):

1. get <http://home.arcor.de/skanthak/download/SENTINEL.DLL> (this is a
   32-bit executable [*]; the 64-bit executable is available on request);

2. copy SENTINEL.DLL as %SystemRoot%\ACLUI.DLL (use the method shown
   in <http://seclists.org/fulldisclosure/2015/Mar/92> to bypass UAC);

3. execute %SystemRoot%\RegEdit.exe


Mitigation(s):
~~~~~~~~~~~~~~

1. For %! In (%SystemRoot%\*.exe %SystemRoot%\*.dll) Do If Not Exist %SystemRoot%\System32\%~nx! MkLink /H %SystemRoot%\System32\%~nx! %!

   This only helps, however, if RegEdit.exe is not called with its fully
   qualified pathname %SystemRoot%\RegEdit.exe.

2. Define ACLUI.DLL as "known DLL":

   [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs]
   "aclui"="ACLUI.DLL"


stay tuned
Stefan Kanthak

[*] see <http://home.arcor.de/skanthak/sentinel.html>
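The following script is an added example and is not part of Stefan Kanthak's post. It is a read-only audit of the two conditions the post describes on a Windows host: executables and DLLs that sit in %SystemRoot%\ without a same-named file in %SystemRoot%\System32\ (the gap that mitigation 1 closes with hard links), and DLLs in %SystemRoot%\ that RegEdit.exe would pick up from its application directory unless they are registered under KnownDLLs (the gap that mitigation 2 closes for ACLUI.DLL). The function names are mine; it assumes Windows PowerShell 3.0 or later and changes nothing on the machine.

```powershell
# Added example, not from the post: read-only audit of the conditions the
# post describes. Function names are the author's of this example. Needs
# Windows PowerShell 3.0+ (for -File and -in); it modifies nothing.

$WinDir      = $env:SystemRoot
$System32    = Join-Path $WinDir 'System32'
$KnownDllKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'

# Names registered as "known DLLs". These are always resolved from System32,
# regardless of the application directory, so a same-named file planted in
# %SystemRoot%\ cannot shadow them.
function Get-KnownDllNames {
    (Get-ItemProperty -Path $KnownDllKey).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match '\.dll$' } |
        ForEach-Object { $_.Value.ToLowerInvariant() }
}

# Executables and DLLs in %SystemRoot%\ that have no same-named file in
# %SystemRoot%\System32\. The hard-coded search order tries System32 first,
# so these are the names for which a planted System32\<name> would win;
# the post's mitigation 1 fills exactly these gaps with hard links.
function Get-UnshadowedWinDirFiles {
    Get-ChildItem -Path $WinDir -File |
        Where-Object { $_.Extension -in @('.exe', '.dll') } |
        Where-Object { -not (Test-Path -LiteralPath (Join-Path $System32 $_.Name)) } |
        Select-Object -ExpandProperty Name
}

# Every DLL in %SystemRoot%\ is a candidate for being loaded by RegEdit.exe
# (and any other executable living there) from the application directory
# before System32 is consulted, unless it is a known DLL. Report each one
# with its Authenticode status so an unsigned or unexpected file stands out.
function Get-WinDirDllReport {
    $known = @(Get-KnownDllNames)
    Get-ChildItem -Path $WinDir -File |
        Where-Object { $_.Extension -ieq '.dll' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File      = $_.Name
                KnownDll  = ($known -contains $_.Name.ToLowerInvariant())
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# Is the entry that the post's mitigation 2 adds already present?
function Test-KnownDll {
    param([Parameter(Mandatory = $true)][string]$Name)
    (@(Get-KnownDllNames) -contains $Name.ToLowerInvariant())
}

Write-Host "Files in $WinDir without a System32 counterpart (see mitigation 1):"
Get-UnshadowedWinDirFiles | ForEach-Object { Write-Host "  $_" }

Write-Host "`nDLLs in $WinDir (loaded from the application directory unless KnownDll is True):"
Get-WinDirDllReport | Format-Table -AutoSize

Write-Host ("`nACLUI.DLL registered as known DLL: {0}" -f (Test-KnownDll -Name 'ACLUI.DLL'))
```

The report only lists candidates: a DLL in %SystemRoot%\ with KnownDll set to False and a Signature other than Valid is the case worth investigating, while True in the KnownDll column means the loader will take that name from System32 whatever sits next to RegEdit.exe. The first list is the set of names the hard-link one-liner in mitigation 1 would act on; as the post notes, that mitigation does not help when RegEdit.exe is started by its fully qualified pathname.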
