| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 14 Feb 2018 21:07:46 -0500 From: Jeffrey Walton <noloader@...il.com> To: Stefan Kanthak <stefan.kanthak@...go.de> Cc: Full Disclosure List <fulldisclosure@...lists.org>, BugTraq <bugtraq@...urityfocus.com> Subject: Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM On Fri, Feb 9, 2018 at 1:01 PM, Stefan Kanthak <stefan.kanthak@...go.de> wrote: > Hi @ll, > > since about two or three years now, Microsoft offers Skype as > optional update on Windows/Microsoft Update. > > JFTR: for Microsoft's euphemistic use of "update" see > <http://seclists.org/fulldisclosure/2018/Feb/17> > > Once installed, Skype uses its own proprietary update mechanism > instead of Windows/Microsoft Update: Skype periodically runs > "%ProgramFiles%\Skype\Updater\Updater.exe" > under the SYSTEM account. > When an update is available, Updater.exe copies/extracts another > executable as "%SystemRoot%\Temp\SKY<abcd>.tmp" and executes it > using the command line > "%SystemRoot%\Temp\SKY<abcd>.tmp" /QUIET > > This executable is vulnerable to DLL hijacking: it loads at least > UXTheme.dll from its application directory %SystemRoot%\Temp\ > instead from Windows' system directory. > > An unprivileged (local) user who is able to place UXTheme.dll or > any of the other DLLs loaded by the vulnerable executable in > %SystemRoot%\Temp\ gains escalation of privilege to the SYSTEM > account. > > > The attack vector is well-known and well-documented as CAPEC-471: > <https://capec.mitre.org/data/definitions/471.html> > > Microsoft published plenty advice/guidance to avoid this beginner's > error: <https://msdn.microsoft.com/en-us/library/ff919712.aspx>, > <https://technet.microsoft.com/en-us/library/2269637.aspx>, > <https://support.microsoft.com/en-us/help/2389418/secure-loading-of-libraries-to-prevent-dll-preloading-attacks> > and > <https://blogs.technet.microsoft.com/srd/2014/05/13/load-library-safely/> > ... which their own developers and their QA but seem to ignore! > > See <https://bugs.chromium.org/p/project-zero/issues/detail?id=440> > for the same vulnerability in another Microsoft product! Not sure if this is related, but: https://winbuzzer.com/2018/02/14/microsoft-just-killed-skype-classic-response-unfixable-security-bug-xcxwbn/ Microsoft today squashed a bug that was found in Skype’s updater process earlier this week. However, it seems the company’s method for stopping the flaw is to kill off the Skype classic experience. If that is the case, users of Skype on Windows 7 and Windows 8.1 could lose access to the service. As reported on Monday, a security vulnerability could give hackers access to system-level privileges. If properly exploited, attackers could use Skype as a backdoor to get full system rights and enter all areas of an operating system. In response, Microsoft said it was unable to fix the bug immediately because it would require a lot of work. Indeed, the company said patch the flaw would take a massive code rewrite. In other words, Microsoft would need to overhaul the whole underpinning of the classic Skype program. It seems Microsoft found an alternative to rewriting code and fixing Skype… the company has decided to effectively kill off the classic app. The older version of Skype is no longer available anywhere as a download. ... _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists