| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 5 Dec 2015 14:36:23 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>,
<bugtraq@...urityfocus.com>
Cc: pctech@...ltek.com, contact_us@...ltek.com, alan_wang@...r.com
Subject: [FD] Defense in depth -- the Microsoft way (part 37): MMC.exe and
DrvInst.exe load and execute ".dll" with elevated resp.
SYSTEM privileges
Hi @ll,
on Windows 7 (I did not check other versions of Windows, but I'm
confident that the underlying bug is present in Windows Vista,
Windows Server 2008 [R2], Windows 8[.1] and Windows Server 2012 [R2],
i.e. all versions of Windows NT6.x too) the system utilities MMC.exe
and DrvInst.exe load and execute a DLL named ".dll", resulting in
escalation of privilege.
Since no system DLL by the name ".dll" exists it is loaded via the DLL
search path (see <https://msdn.microsoft.com/en-us/library/ms682586.aspx>)
Proof of concept for MMC.exe:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>
(see <http://home.arcor.de/skanthak/sentinel.html> for details)
and save it as .DLL ['] in an arbitrary directory of your choice;
2. add this directory to the user's (not the system's) PATH [²];
3. download the current Realtek PCIexpress ethernet NIC driver from
<http://12244.wpc.azureedge.net/8012244/drivers/rtdrivers/cn/nic/0012-Install_Win7_7097_11232015.zip>
(via <http://www.realtek.com/downloads/>);
4. open the downloaded 0012-Install_Win7_7097_11232015.zip and
extract the contents of the "directory"
Install_Win7_7097_11232015\WIN7\32
from the .ZIP to an(other) arbitrary directory of your choice;
5. start device manager (i.e. MMC.exe DevMgmt.msc) [³] and install
the Realtek ethernet NIC driver from the directory choosen in
step 4;
6. sse the message box displayed from DllMain() of the loaded .DLL [']
Proof of concept for DrvInst.exe:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>
(see <http://home.arcor.de/skanthak/sentinel.html> for details)
and save it as .DLL ['] in an arbitrary directory of your choice;
2a. add this directory to the system's PATH
(yes, this requires administrative privileges [³]);
OR
2b. run the following 2 commands to "copy" the downloaded .DLL to
%SystemRoot%\System32:
MakeCab.exe .DLL "%TEMP%\dummy.cab"
WUSA.exe "%TEMP%\dummy.cab" /Extract:%SystemRoot%\System32
(yes, this requires administrative privileges [³]);
3. download the Realtek card reader driver from
<http://global-download.acer.com/GDFiles/Driver/CardReader/CardReader_Realtek_6.3.9600.21257_W7x64_A.zip>
(via <http://support.acer.com/downloads/>)
4. open the downloaded CardReader_Realtek_6.3.9600.21257_W7x64_A.zip
and extract the contents of the "directory"
CardReader_Realtek_6.3.9600.21257_W7x64\DrvBin32
from the .ZIP to an(other) arbitrary directory of your choice;
5. start device manager (i.e. MMC.exe DevMgmt.msc) [²] and install
the Realtek card reader driver from the directory choosen in
step 4;
6. start event viewer (i.e. MMC.exe EventVwr.msc) [²] and find the
event log entry from source "Vulnerability and Exploit Detector"
generated from DllMain() of the loaded .DLL ['] (DrvInst.exe
runs in the non-interactive "session 0", so SENTINEL.DLL doesn't
display a message box and writes an event log entry only).
stay tuned
Stefan Kanthak
['] yes, that's a valid Win32 filename; a DLL named ".dll" is loaded
via the following (obviously erroneous) calls of Win32 API
functions:
* LoadLibraryA(""),
* LoadLibraryA(L"<arbitrary UNICODE string>"),
* LoadLibraryW(L""),
* LoadLibraryExA("", ...),
* LoadLibraryExA(L"<arbitrary UNICODE string>", ...),
* LoadLibraryExW(L"", ...)
The most probable cause is feeding of a UNICODE string to the
ANSI functions.
This bug may be triggered via other execution paths in MMC.exe,
via installation of other drivers or via other .MSC too!
PS: %SystemRoot%\System32\WBEM\WMIPrvSE.exe and SysInternals VMMap.exe
show this bug too!
[²] of course the system's PATH may be used instead, or the method
shown in step 2b. for the DrvInst.exe exploit.
[³] in Windows' default configuration this does NOT trigger the user
account control!
Timeline:
~~~~~~~~~
2015-12-04 vulnerability reports sent to MSRC
2015-12-04 response from MSRC regarding DrvInst.exe:
"unauthenticated users can't change path" and
"for WUSA.exe to work you require the system to be configured
by the user in a non-default manner"
2015-12-04 OUCH! sent to MSRC:
WUSA.exe <.CAB archive> /Extract:<destination directory>
works in DEFAULT configuration of Windows 7, Windows Server
2008 R2, Windows 8[.1] and Windows Server 2012 [R2]
2015-12-04 response from MSRC regarding MMC.exe:
"unauthenticated users can't change path"
2015-12-05 OUCH! sent to MSRC:
users can change their own PATH, and user's PATH is
appended to the system's PATH
2015-12-05 response from MSRC:
this does not meet the bar for security servicing.
2015-12-05 report published
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists