lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 30 Jan 2018 12:35:09 +0100
From: "Stefan Kanthak" <>
To: <>
Cc: <>
Subject: Defense in depth -- the Microsoft way (part 49): fun with application manifests

Hi @ll,

Microsoft built several bugs^W^Wfollowing features into the
processing of (external) application manifests, i.e. XML files
named <program>.exe.manifest which can accompany any portable
executable <program>.exe

JFTR: the file extension ".exe" is only used per convention;
      CreateProcess() and Windows module loader execute
      portable executables independent of their file extension.

Feature #1:

External application manifests must have "execute file"
permission (although Windows module loader only reads them).

Demonstration/proof of concept:

On Windows 7, Windows Vista and Windows Embedded POSReady 2009
(alias Windows XP SP3) create empty files CScript.exe.manifest,
MSHTA.exe.manifest and/or WScript.exe.manifest in the "system"
directory %SystemRoot%\System32\, add the NTFS ACE "(D;;WP;;;WD)"
meaning "deny execution for everybody" to these files, then start
CScript.exe, MSHTA.exe and/or WScript.exe via Start->Execute
or per double-click ... and notice the message box telling you
"access denied".

The Win32 error code returned by CreateProcess() is indeed

On newer versions of Windows, find an arbitrary executable file
without embedded application manifest to reproduce this feature.

Feature #2:

The "encoding" XML property of application manifests must have
the value UTF-8.

Demonstration/proof of concept:

On Windows XP^WEmbedded POSReady 2009 and newer versions of
Windows, create the following perfectly valid XML file:

--- dummy.exe.manifest ---
<?xml version="1.0" encoding="US-ASCII" standalone="yes" ?>
--- EOF ---

Add it as resource of type 24 alias RT_MANIFEST with index 1
to an arbitrary portable executable, or place it next to a
portable executable "dummy.exe" without embedded application
manifest, then start "dummy.exe" via Start->Execute or per
double-click ... and notice the message box telling you
"The application can not be started. ..."

The Win32 error code returned by CreateProcess() is

Replacing US-ASCII with UTF-7, ISO-8859-1, Windows-1252 or any
other valid XML encoding except UTF-8 yields the same result.

stay tuned
Stefan Kanthak

Powered by blists - more mailing lists