Message-ID: <0F734A62371342D29F61BC9B9982BBFA@W340>
Date: Thu, 10 Sep 2015 17:16:37 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <fulldisclosure@...lists.org>
Subject: Re: Defense in depth -- the Microsoft way (part 33): arbitrary code execution (and UAC bypass) via RegEdit.exe

I wrote ... and forgot some mitigations:

[...]

> Proof of concept (for Windows 2000 to Windows 10; use your own "sentinel"
> ~~~~~~~~~~~~~~~~  instead of mine for Windows NT4):
> 
> 1. get <http://home.arcor.de/skanthak/download/SENTINEL.DLL> (this is a
>    32-bit executable [*]; the 64-bit executable is available on request);
> 
> 2. copy SENTINEL.DLL as %SystemRoot%\ACLUI.DLL (use the method shown
>    in <http://seclists.org/fulldisclosure/2015/Mar/92> to bypass UAC);
> 
> 3. execute %SystemRoot%\RegEdit.exe
> 
> 
> Mitigation(s):
> ~~~~~~~~~~~~~~
> 
> 1. For %! In (%SystemRoot%\*.exe
>               %SystemRoot%\*.dll) Do If Not Exist %SystemRoot%\System32\%~nx! MkLink /H %SystemRoot%\System32\%~nx! %!
> 
>   But this only helps if RegEdit.exe is not called with its fully
>   qualified pathname %SystemRoot%\RegEdit.exe.
> 
> 2. Define ACLUI.DLL as "known DLL":
> 
>    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs]
>    "aclui"="ACLUI.DLL"

3. Prevent UAC elevation of RegEdit.exe in "protected administrator"
   accounts:

   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
   "C:\Windows\RegEdit.Exe"="RUNASINVOKER"

   [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
   "C:\Windows\RegEdit.Exe"="RUNASINVOKER"

4. Demote your "protected administrator" account created during Windows
   setup to a standard user account.

   See <http://windows.microsoft.com/en-us/windows/user-accounts-faq>
   and <http://windows.microsoft.com/en-us/windows/change-users-account-type>:

   | When you set up Windows, you were required to create a user account.
   | This account is an administrator account that allows you to set up
   | your computer and install any programs that you'd like to use. Once
   | you finish setting up your computer, we recommend that you create a
   | standard account and use it for your everyday computing. If you create
   | new user accounts, you should also make them standard accounts. Using
   | standard accounts will help keep your computer more secure.


> [*] see <http://home.arcor.de/skanthak/sentinel.html>

stay tuned
Stefan Kanthak

PS: more than 22 years after the introduction of Windows NT, Microsoft STILL
    continues its VERY BAD and REALLY NASTY habit of giving the user
    account(s) created during Windows setup administrative rights!

    No, UAC is NOT a security boundary, but just a convenience feature:
    see <https://support.microsoft.com/en-us/kb/2526083>,
    <https://blogs.msdn.com/b/e7/archive/2009/02/05/update-on-uac.aspx>,
    <https://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx>,
    <https://technet.microsoft.com/en-us/magazine/2007.09.securitywatch.aspx>,
    <https://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx>, ...

    Jane and Joe Average will happily give consent to almost any program
    (like RegEdit.exe) which asks for elevated privileges, DESPITE most
    warnings!
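
An added audit script (not from the post above; written here to check the mitigations it lists): run from an administrative PowerShell session on a Windows host, it reports whether ACLUI.DLL is registered as a KnownDLL (mitigation 2), whether the AppCompat layers force RegEdit.exe to run as invoker (mitigation 3), and which DLLs sitting in %SystemRoot% would be loaded ahead of their System32 counterpart by a program started from that directory. The registry paths are the ones given in the message; the script layout and the signature check are this example's own assumptions.

```powershell
# Added audit script (not part of Stefan Kanthak's post). Assumes a Windows host
# and an administrative PowerShell session so that HKLM and %SystemRoot% are readable.

$knownDllsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
$layerKeys    = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)
$regedit  = Join-Path $env:SystemRoot 'RegEdit.exe'
$system32 = Join-Path $env:SystemRoot 'System32'

# Mitigation 2: collect the KnownDLLs values (minus the registry provider's own
# PS* properties) and check whether ACLUI.DLL is among them.
$knownNames = (Get-ItemProperty -Path $knownDllsKey).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |
    ForEach-Object { ([string]$_.Value).ToLowerInvariant() }
"[Mitigation 2] ACLUI.DLL is a KnownDLL: $($knownNames -contains 'aclui.dll')"

# Mitigation 3: a layer value named after the full path of RegEdit.exe (the
# comparison is case-insensitive) whose data contains RUNASINVOKER.
foreach ($key in $layerKeys) {
    $layer = $null
    if (Test-Path -Path $key) {
        $layer = (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -ieq $regedit } |
            Select-Object -First 1 -ExpandProperty Value
    }
    $forced = ($null -ne $layer) -and ($layer -match 'RUNASINVOKER')
    "[Mitigation 3] $key : RegEdit.exe layer = '$layer' (RunAsInvoker: $forced)"
}

# Mitigation 1 context: does a System32 twin of RegEdit.exe exist at all?
"[Mitigation 1] System32\RegEdit.exe present: $(Test-Path -Path (Join-Path $system32 'RegEdit.exe'))"

# Exposure: a DLL in %SystemRoot% that is not a KnownDLL is found by any EXE in
# %SystemRoot% before System32 is searched (the location the message's proof of
# concept uses for ACLUI.DLL). List each one with its System32 twin and signature.
Get-ChildItem -Path $env:SystemRoot -Filter '*.dll' -File | ForEach-Object {
    [PSCustomObject]@{
        Dll        = $_.Name
        KnownDll   = $knownNames -contains $_.Name.ToLowerInvariant()
        InSystem32 = Test-Path -Path (Join-Path $system32 $_.Name)
        Signature  = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
    }
} | Format-Table -AutoSize
```

A DLL in the last table that is neither a KnownDLL nor validly signed deserves a closer look, since that is exactly the position in the search order the message exploits.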
