lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 17 Jul 2018 14:44:56 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <fulldisclosure@...lists.org>
Subject: Defense in depth -- the Microsoft way (part 55): new software built with 5.5 year old tool shows 20+ year old vulnerabilities

Hi @ll,

Microsoft released <https://support.microsoft.com/en-us/help/4340040/>
"July 2018 servicing release for Microsoft Desktop Optimization Pack"
some days ago.

<https://www.microsoft.com/en-us/download/details.aspx?id=57157> offers
three executable installers to update existing installations:
MBAM2.5_Client_x64_KB4340040.exe, MBAM2.5_Client_x86_KB4340040.exe and
MBAM2.5_X64_Server_KB4340040.exe


1. All three executable installers are susceptible to DLL spoofing, a
   vulnerability known for 20+ years: they load multiple system DLLs
   from their "application directory", typically the user's "Downloads"
   directory %USERPROFILE%\Downloads\, instead from Windows' "system
   directory" %SystemRoot%\System32\, resulting in arbitrary code
   execution.

   On a fully patched Windows 7 SP1, MBAM2.5_Client_x64_KB4340040.exe
   and MBAM2.5_Client_x86_KB4340040.exe load AT LEAST the following
   rogue DLLs:
       msls31.dll, propsys.dll, ntmarta.dll, version.dll, secur32.dll

   On a fully patched Windows 7 SP1, MBAM2.5_X64_Server_KB4340040.exe
   loads AT LEAST the following rogue DLLs:
       uxtheme.dll, cabinet.dll, msi.dll, version.dll

   For this well-known and well-documented BEGINNER'S ERROR see
   <https://cwe.mitre.org/data/definitions/426.html> and
   <https://cwe.mitre.org/data/definitions/427.html> plus
   <https://capec.mitre.org/data/definitions/471.html>.

   Additionally see Microsofts own guidance
   <https://technet.microsoft.com/en-us/library/2269637.aspx>,
   <https://msdn.microsoft.com/en-us/library/ff919712.aspx>,
   <https://msdn.microsoft.com/en-us/library/ms682586.aspx> and
   <https://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>
   for avoiding this beginner's error.

   Don't forget to recap Steve Sutton's "Windows NT Security Guidelines"
   <http://fy.chalmers.se/~appro/nt/nsaguide.pdf>, or ACROS Security's
   <https://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
   and <https://www.ipa.go.jp/security/english/vuln/20170928_dll_en.html>

   Demonstration/proof of concept:
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   a) follow the instructions from
      <https://skanthak.homepage.t-online.de/minesweeper.html>
      and build a minefield of 32-bit forwarder DLLs in your
      "Downloads" directory;

   b) download the executable installers via
      <https://www.microsoft.com/en-us/download/details.aspx?id=57157>
      and save them in your "Downloads" directory";

   c) execute MBAM2.5_Client_x86_KB4340040.exe and
      MBAM2.5_X64_Server_KB4340040.exe: notice the message boxes
      displayed from the DLLs built in step a!

   d) repeat step a to build a minefield of 64-bit forwarder DLLs.

   e) execute MBAM2.5_Client_x64_KB4340040.exe: notice the message
      boxes displayed from the DLLs built in step d!


2. In standard installations of Windows, where the user account
   created during Windows setup is used, the UNPRIVILEGED alias
   UNELEVATED user (or any program running under this account) can
   place arbitrary rogue DLLs in the "Downloads" directory, for
   example per "drive-by download". 

   JFTR: the precondition "user account created during setup" holds
         for the vast majority of all Windows installations.
         As published in your own "security intelligence reports"
         <https://www.microsoft.com/security/sir/>, from 50% to 75%
         of all about 600 million Windows installations which provide
         telemetry data have only one active user account.

   Since the "application manifest" embedded in
   MBAM2.5_Client_x64_KB4340040.exe and MBAM2.5_Client_x86_KB4340040.exe
   specifies "requireAdministrator", the first vulnerability then
   results in arbitrary code execution WITH escalation of privilege.


3. Although MBAM2.5_Client_x64_KB4340040.exe and
   MBAM2.5_Client_x86_KB4340040.exe run elevated, they extract their
   payload MBAM2.5-Client-KB00000.msp UNPROTECTED into the %TEMP%
   directory.

   For this well-known and well-documented BEGINNER'S ERROR see
   <https://cwe.mitre.org/data/definitions/377.html> and
   <https://cwe.mitre.org/data/definitions/379.html> plus
   <https://capec.mitre.org/data/definitions/29.html>

   In standard installations of Windows, where the user account
   created during Windows setup is used, the UNPRIVILEGED alias
   UNELEVATED user is the owner of the extracted payload and has
   FULL ACCESS to it. This allows modification of the extracted
   file(s) between creation and use.

   Since the payload is processed with administrative rights
   (MSIExec.exe runs under SYSTEM account) this second vulnerability
   results in escalation of privilege too.


4. Built with a COMPLETELY outdated version 3.7.1224.0 of Wix toolset
   <http://robmensching.com/blog/posts/2012/12/24/wix-v3.7-released/>,
   MBAM2.5_X64_Server_KB4340040.exe has the same well-known and well-
   documented vulnerabilities too.

   See <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/>
   and subsequent security advisories from the creators of Wix toolset.

   Microsofts developers are most obviously UNABLE (or INCAPABLE?) to
   even keep their production environment up-to-date!
   Their managers most obviously don't care too, and their QA seems
   sound asleep.


5. MBAM2.5_X64_Server_KB4340040.exe extracts its payload, the real
   installer, into an UNPROTECTED subdirectory of %TEMP% using the
   hard-coded name "{cf45df76-7d9e-499f-8d93-64ec3ee76e20}" and
   executes it ELEVATED.

   The UNPROTECTED subdirectory allows modification of the extracted
   files between creation and use, resulting in elevation of privilege
   (or denial of service).


   Demonstration/proof of concept:
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   a) add the NTFS ACE "(D;OIIO;WP;;;WD)" to your %TEMP% directory;
      the ACE means "deny execution of files in this subdirectory for
      everyone, inheritable to files in all subdirectories".

   b) execute MBAM2.5_X64_Server_KB4340040.exe: notice its SILENT
      failure.

   c) create the following batch script in an arbitrary directory:

   --- kb4340040.cmd ---
   :LOOP
   @If Not Exist "%TEMP%\{cf45df76-7d9e-499f-8d93-64ec3ee76e20}" Goto :LOOP

   Rem Add some more loops here which wait for the creation of files
   Rem to be overwritten, and some copy commands to overwrite them ...
   --- EOF ---

   d) run the batch script, then execute MBAM2.5_X64_Server_KB4340040.exe


Mitigations:
~~~~~~~~~~~~

1. DON'T use executable installers; stay far away from such crap!

2. NEVER run executable installers from UNSAFE directories like
   "%USERPROFILE%\Downloads\" or "%TEMP%\"

3. Exercise STRICT privilege separation: use your privileged
   "Administrator" account (especially the account created during
   Windows setup) only for administrative tasks, and a COMPLETELY
   separate unprivileged "standard user" account for your own tasks.


stay tuned
Stefan Kanthak

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ