lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <B57F4B004EED4A3B847DAD1E4FF605EE@W340>
Date: Sun, 2 Sep 2018 00:10:17 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <fulldisclosure@...lists.org>
Subject: Defense in depth -- the Microsoft way (part 57): installation of security updates fails on Windows Embedded POSReady 2009

Hi @ll,

on a multitude of machines running Windows Embedded POSReady 2009,
"automatic updates" show the well-known and never resolved bug which
lets the Windows Update Agent occupy one core (good luck if your CPU
has some of them and can afford to sacrifice one.-) for DAYS at 100%
load!

This nasty behaviour is documented for example in the MSKB articles
<https://support.microsoft.com/en-us/help/3102810> and
<https://support.microsoft.com/en-us/help/3102812>.

This bug has a rather LOOONG tradition; see for example
<https://blogs.technet.microsoft.com/asiasupp/2007/05/29/automatic-update-causes-svchost-exe-high-cpu/>.


But this bug is NOT subject of this post -- the story only starts
there...


Since I've dealt with this bug quite some times in the past decade
I know how to overcome it (see for example
<https://skanthak.homepage.t-online.de/slipstream.html>):
1. manually fetch the latest cumulative update for Internet Explorer,
2. install it,
3. then reboot and let "automatic updates" perform their duty again.


Step 1 was simple:
1.a) start the web browser and enter the URL
     <https://www.catalog.update.microsoft.com/Search.aspx?q=posready+2009>,
1.b) sort the updates by date,
1.c) find the latest cumulative update for IE,
1.d) then download the executable installer offered for your language.

This left me with the file
ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe
in my "Downloads" folder "C:\Dokumente und Einstellungen\Administrator\Downloads"

Since ALL downloads in the "Microsoft Update Catalog" are offered over
INSECURE HTTP: (see <http://seclists.org/fulldisclosure/2018/Feb/43>)
I checked the integrity of the downloaded executable:

C:\Dokumente und Einstellungen\Administrator\Downloads>CertUtil.exe /V /HashFile
ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe
SHA-1-Hash der Datei ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe:
fd 52 c3 ee 74 9c 7d 21 e0 c8 da 6d 9a cb 20 36 07 e2 5d a4
CertUtil: -hashfile-Befehl wurde erfolgreich ausgeführt.

Good, the SHA1 hash matches the filename (this was shown over the
secure HTTPS: connection to the Microsoft Update Catalog itself).

Right-click->Properties:"Digital signatures", then double-click on
the signature also yields "valid".


Good, lets proceed with step 2: install the downloaded update.

2.a) a double-click on
     ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe
     presented TWO error message boxes with the following text:

| ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe - Auslagerungsdatei konnte nicht erstellt
werden
|
| (X) Exception Processing Message c0000145 Parameters c0000005 75b0bf7c 75b0bf7c 75b0bf7c
|
|                                  [  OK  ]

     OUCH!

JFTR: you'll see this GIBBERISH on ALL NON-english editions of
      Windows Embedded POSReady 2009 (and Windows XP too)!

      For the description and demonstration of this bug in NTDLL.dll,
      start reading <https://skanthak.homepage.t-online.de/fubar.html>


     Since I know this bug in NTDLL.dll since quite some time, I know
     that the "correct" error message box should have been

| ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe - Fehler in Anwendung
|
| (X) Die Anwendung konnte nicht richtig initialisiert werden (0xc0000005).
|     Klicken Sie auf "OK", um die Anwendung zu beenden.
|
|                                  [  OK  ]


2.b) on english editions of Windows Embedded POSReady 2009, execution of
     ie8-windowsxp-kb4343205-x86-embedded-enu_5cc2246031bd0a949785f6f1799610bff163224b.exe
     yields the error message box

| ie8-windowsxp-kb4343205-x86-embedded-enu_5cc2246031bd0a949785f6f1799610bff163224b.exe - Application Error
|
| (X) The application failed to initialize properly (0xc0000005).
|     Click OK to terminate the application.
|
|                                  [  OK  ]

     That's an "access violation" during process initialisation.


2.c) Let's run the application under the debugger:

C:\Dokumente und Einstellungen\Administrator\Downloads>NTSD.exe
ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe

Microsoft (R) Windows User-Mode Debugger  Version 5.1.2600.0
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Dokumente und
Einstellungen\Administrator\Downloads\ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe"
Loaded dbghelp extension DLL
Loaded exts extension DLL
Loaded ntsdexts extension DLL
Symbol search path is: SymSrv*SYMSRV.DLL*C:\WINDOWS\Symbols*http://msdl.microsoft.com/download/symbols/Executable search path is:
ModLoad: 01000000 01020000   sfxcab.exe
ModLoad: 7c910000 7c9ca000   ntdll.dll
ModLoad: 7c800000 7c909000   C:\WINDOWS\System32\kernel32.dll
ModLoad: 77be0000 77c38000   C:\WINDOWS\System32\msvcrt.dll
ModLoad: 77da0000 77e4a000   C:\WINDOWS\System32\ADVAPI32.dll
ModLoad: 77e50000 77ee3000   C:\WINDOWS\System32\RPCRT4.dll
ModLoad: 77fc0000 77fd1000   C:\WINDOWS\System32\Secur32.dll
ModLoad: 7e360000 7e3f1000   C:\WINDOWS\System32\USER32.dll
ModLoad: 77ef0000 77f3a000   C:\WINDOWS\System32\GDI32.dll
ModLoad: 5d450000 5d4ea000   C:\WINDOWS\System32\COMCTL32.dll
ModLoad: 7e670000 7ee92000   C:\WINDOWS\System32\SHELL32.dll
ModLoad: 77f40000 77fb7000   C:\WINDOWS\System32\SHLWAPI.dll
Break instruction exception - code 80000003 (first chance)
eax=00181eb4 ebx=7ffd9000 ecx=00000007 edx=00000080 esi=00181f48 edi=00181eb4
eip=7c91120e esp=0006fb20 ebp=0006fc94 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!DbgBreakPoint:
7c91120e cc               int     3
0:000> g
HEAP[ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe]:
 Heap block at 0008AC58 modified at 0008AE08 past requested size of 1a8
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Break instruction exception - code 80000003 (first chance)
eax=0008ac58 ebx=0008ae08 ecx=7c92f927 edx=0006e182 esi=0008ac58 edi=000001a8
eip=7c91120e esp=0006e384 ebp=0006e388 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!DbgBreakPoint:
7c91120e cc               int     3
0:000> g
HEAP[ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe]:
 Invalid Address specified to RtlFreeHeap( 00080000, 0008AC60 )
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Break instruction exception - code 80000003 (first chance)
eax=0008ac58 ebx=0008ac58 ecx=7c92f927 edx=0006e192 esi=00080000 edi=0008ac58
eip=7c91120e esp=0006e39c ebp=0006e3a0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!DbgBreakPoint:
7c91120e cc               int     3
0:000> g
Access violation - code c0000005 (first chance)
eax=0008ae20 ebx=007d0032 ecx=00080210 edx=00000000 esi=0008ae18 edi=00300033
eip=7c92afa0 esp=0006e0f0 ebp=0006e30c iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
ntdll!RtlAcquireResourceExclusive+5e1:
7c92afa0 8b0b             mov     ecx,[ebx]         ds:0023:007d0032=????????
0:000> gn
HEAP[ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe]:
 Heap missing last entry in committed range near 8ae18
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Break instruction exception - code 80000003 (first chance)
eax=0008ae18 ebx=00080640 ecx=7c92f927 edx=0006e559 esi=00080588 edi=0008b148
eip=7c91120e esp=0006e764 ebp=0006e768 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!DbgBreakPoint:
7c91120e cc               int     3
0:000> gn
Access violation - code c0000005 (first chance)
eax=0008ae20 ebx=007d0032 ecx=000801b0 edx=00000000 esi=0008ae18 edi=00300033
eip=7c92afa0 esp=0006eb64 ebp=0006ed80 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
ntdll!RtlAcquireResourceExclusive+5e1:
7c92afa0 8b0b             mov     ecx,[ebx]         ds:0023:007d0032=????????
0:000> gn
Access violation - code c0000005 (first chance)
eax=00000010 ebx=7ffdf000 ecx=00000100 edx=00000190 esi=77f350e0 edi=01900010
eip=77ef64f1 esp=0006f2f8 ebp=0006f300 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
GDI32!GdiValidateHandle+75:
77ef64f1 38410a           cmp     [ecx+0xa],al            ds:0023:0000010a=??
0:000> gn
Access violation - code c0000005 (first chance)
eax=0006fc54 ebx=00000000 ecx=0006fca8 edx=7c91e514 esi=c0000005 edi=00000000
eip=7c977a96 esp=0006fc54 ebp=0006fca4 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!RtlRaiseStatus+26:
7c977a96 c9               leave
0:000> q

     NICE! That looks like a buffer overrun on the heap, and the corrupted
     data then yields the "access violation".


2.d) Let's see if I can cure it:

C:\Documents and Settings\Administrator\Downloads>RENAME
ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe ie8-windowsxp-kb4343205-x86-embedded-deu.exe
C:\Documents and Settings\Administrator\Downloads>ie8-windowsxp-kb4343205-x86-embedded-deu.exe

    The buffer overrun is gone, the update installs!
    If only someone had told the wise guys at Microsoft that MAX_PATH is
    260 characters, and that buffers have to be checked for overruns!
    What happened to the "trustworthy computing" initiative?


2.e) But WAIT, it's not over yet:

C:\Dokumente und Einstellungen\Administrator\Downloads>ie8-windowsxp-kb4343205-x86-embedded-deu.exe /X

     The /X option extracts the payload into an arbitrary directory; the
     default is the current directory, i.e.
     "C:\Dokumente und Einstellungen\Administrator\Downloads"

     This yields the error message box

| Dekomprimierung fehlgeschlagen
|
| (X) Datei ist beschädigt
|
|           [  OK  ]

     WTF? The file is supposed to be corrupt?
     It but installed successful, its checksums are correct!


JFTR: without the /X option, the executable self-extractor SFXCAB
      creates a directory with a random, up to 32 characters "short"
      name in the root directory of the drive with the most free space.


2.f) Let's see whether this error can be cured too by using a shorter path:

C:\Dokumente und Einstellungen\Administrator\Downloads>ie8-windowsxp-kb4343205-x86-embedded-deu.exe /X C:\Windows\Temp

     SUCCESS!

| Dekomprimierung abgeschlossen
|  ^
| /!\ Dekomprimierung abgeschlossen
| ¯¯¯
|           [  OK  ]

C:\Dokumente und Einstellungen\Administrator\Downloads>dir C:\Windows\Temp

 Volume in Laufwerk C: hat keine Bezeichnung.
 Volumeseriennummer: 8CDE-6034

 Verzeichnis von C:\Windows\Temp

01.09.2018  23:18    <DIR>                       .
01.09.2018  23:18    <DIR>                       ..
01.09.2018  23:18    <DIR>                       SP3QFE
01.09.2018  23:18    <DIR>                       update
01.02.2018  23:28            18.808              spmsg.dll
01.02.2018  23:28           234.872              spuninst.exe
               2 Datei(en)        253.680 Bytes
               4 Verzeichnis(se),  8.396.988.416 Bytes frei


stay tuned
Stefan Kanthak


PS: for the other bugs and vulnerabilities in Microsoft's SFXCAB
    see <http://seclists.org/fulldisclosure/2016/Jan/48> and/or
    <http://seclists.org/fulldisclosure/2018/Jul/72>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ