| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 30 Jan 2018 12:35:09 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 49): fun with
application manifests
Hi @ll,
Microsoft built several bugs^W^Wfollowing features into the
processing of (external) application manifests, i.e. XML files
named <program>.exe.manifest which can accompany any portable
executable <program>.exe
JFTR: the file extension ".exe" is only used per convention;
CreateProcess() and Windows module loader execute
portable executables independent of their file extension.
Feature #1:
~~~~~~~~~~~
External application manifests must have "execute file"
permission (although Windows module loader only reads them).
Demonstration/proof of concept:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On Windows 7, Windows Vista and Windows Embedded POSReady 2009
(alias Windows XP SP3) create empty files CScript.exe.manifest,
MSHTA.exe.manifest and/or WScript.exe.manifest in the "system"
directory %SystemRoot%\System32\, add the NTFS ACE "(D;;WP;;;WD)"
meaning "deny execution for everybody" to these files, then start
CScript.exe, MSHTA.exe and/or WScript.exe via Start->Execute
or per double-click ... and notice the message box telling you
"access denied".
The Win32 error code returned by CreateProcess() is indeed
ERROR_ACCESS_DENIED
On newer versions of Windows, find an arbitrary executable file
without embedded application manifest to reproduce this feature.
Feature #2:
~~~~~~~~~~~
The "encoding" XML property of application manifests must have
the value UTF-8.
Demonstration/proof of concept:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On Windows XP^WEmbedded POSReady 2009 and newer versions of
Windows, create the following perfectly valid XML file:
--- dummy.exe.manifest ---
<?xml version="1.0" encoding="US-ASCII" standalone="yes" ?>
<assembly
manifestVersion="1.0"
xmlns="urn:schemas-microsoft-com:asm.v1">
</assembly>
--- EOF ---
Add it as resource of type 24 alias RT_MANIFEST with index 1
to an arbitrary portable executable, or place it next to a
portable executable "dummy.exe" without embedded application
manifest, then start "dummy.exe" via Start->Execute or per
double-click ... and notice the message box telling you
"The application can not be started. ..."
The Win32 error code returned by CreateProcess() is
ERROR_SXS_CANT_GEN_ACTCTX
Replacing US-ASCII with UTF-7, ISO-8859-1, Windows-1252 or any
other valid XML encoding except UTF-8 yields the same result.
stay tuned
Stefan Kanthak
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists