Message-ID: <063968AE73CE4F098C85CBBAEC690506@celsius>
Date: Sat, 31 May 2014 19:39:57 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 16): our developers and their QA don't follow our own security recommendations
Hi @ll,
in a recent blog post titled "Load Library Safely"
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>
Microsoft Security Research & Defense wrote:
| To ensure secure loading of libraries
| * Use proper DLL search order.
| * Always specify the fully qualified path when the library location is constant.
| * Load as data file when required.
| * Make use of code signing infrastructure or AppLocker.
Let's concentrate on the second point and see how well Microsoft follows
their own safety and security guidance:
- the locations of ALL libraries delivered with Windows are constant
and well-known.
- the locations of ALL installed files remain constant after their
installation, so ALL installation routines can safely write the
well-known fully qualified path to the registry, desktop.ini files,
shortcuts, ...
Quite some people pointed out this fact MANY times in the past, over
and over again.
JFTR: <http://msdn.microsoft.com/library/ms691424.aspx> specifies:
| InprocServer Specifies the path to the in-process server DLL.
| LocalServer Specifies the full path to a 16-bit local server application.
| LocalServer32 Specifies the full path to a 32-bit local server application.
<http://msdn.microsoft.com/library/ms682390.aspx> specifies:
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
| {CLSID}
| InprocServer32
| (Default) = path
<http://msdn.microsoft.com/library/ms694328.aspx> specifies:
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
| {CLSID}
| InprocServer
| (Default) = path
<http://msdn.microsoft.com/library/ms682212.aspx> specifies:
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
| {CLSID}
| DefaultIcon = path, resourceID
...
| This is a REG_SZ value that specifies the full path to the executable
Now take a look at the registry of Windows 8.1 (as it comes on the DVD
available from <http://technet.microsoft.com/evalcenter/hh699156.aspx>,
inside the \sources\install.wim).
In no particular order, and of course not exhaustive (the full list is
available from <http://home.arcor.de/skanthak/download/W81_PATH.REG>):
[HKEY_CLASSES_ROOT\CLSID\{00020000-0000-0000-C000-000000000046}\InprocServer]
@="avifile.dll"
[HKEY_CLASSES_ROOT\CLSID\{5848A73D-E9C2-499E-BB92-887CABCB2BD6}\InprocHandler32]
@="ole32.dll"
[HKEY_CLASSES_ROOT\CLSID\{00021400-0000-0000-C000-000000000046}\shell\cmd]
@="@shell32.dll,-8506"
[HKEY_CLASSES_ROOT\CLSID\{289228DE-A31E-11D1-A19C-0000F875B132}\ToolboxBitmap32]
@="cic.dll, 1"
[HKEY_CLASSES_ROOT\CLSID\{3080F90E-D7AD-11D9-BD98-0000947B0257}\Instance\InitPropertyBag]
"command"="@shell32.dll,-12715"
[HKEY_CLASSES_ROOT\CLSID\{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}\Instance\InitPropertyBag]
"opentext"="@shell32.dll,-12706"
"properties"="inetcpl.cpl"
"propertiestext"="@shell32.dll,-12704"
[HKEY_CLASSES_ROOT\CLSID\{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}\Instance\InitPropertyBag]
"command"="@appwiz.cpl,-130"
"Param1"="appwiz.cpl,,3"
"Param2"="control.exe"
[HKEY_CLASSES_ROOT\CLSID\{0E5CBF21-D15F-11D0-8301-00AA005B4383}]
"MenuTextPUI"="@explorerframe.dll,-13138"
[HKEY_CLASSES_ROOT\CLSID\{031EE060-67BC-460d-8847-E4A7C5E45A27}]
"Icon"="wmploc.dll,101"
[HKEY_CLASSES_ROOT\CLSID\{FC1EE10B-7EF6-41B5-BB60-98D26DD9FCD1}\MergedFolder]
"Location"="@shell32.dll,-9091"
[HKEY_CLASSES_ROOT\CLSID\{3080F90E-D7AD-11D9-BD98-0000947B0257}]
"LocalizedString"="@shell32.dll,-10114"
[HKEY_CLASSES_ROOT\accountpicturefile]
"FriendlyTypeName"="@Windows.UI.Immersive.dll,-38306"
[HKEY_CLASSES_ROOT\batfile\shell\runasuser]
@="@shell32.dll,-50944"
[HKEY_CLASSES_ROOT\CATFile\DefaultIcon]
@="cryptui.dll,-3418"
[HKEY_CLASSES_ROOT\CERFile\shell\add]
"MUIVerb"="@cryptext.dll,-6132"
[HKEY_CLASSES_ROOT\Network\SharingHandler]
@="ntshrui.dll"
[HKEY_CLASSES_ROOT\OLETransactionManagers\MSDTC]
"DLL"="MSDTCPRX.DLL"
[HKEY_CLASSES_ROOT\Applications\WINWORD.EXE\TaskbarExceptionsIcons\WordMail]
"IconPath"="explorer.exe,16"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}]
"$DLL"="WINTRUST.DLL"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlay\Service Providers\Internet TCP/IP Connection For DirectPlay]
"Gateway"="dpnhpast.dll"
"Path"="dpwsockx.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{0f3f3735-573d-9804-99e4-ab2a69ba5fd4}]
"ModuleName"="SecurityAuditPoliciesSnapIn.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\{58221C6A-EA27-11CF-ADCF-00AA00A80033}]
"ProviderIndirect"="@filemgmt.dll,-3505"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\{A2A54893-AAF2-49A3-B3F5-CC43CEBCC27C}]
"DescriptionIndirect"="@napdsnap.dll,-2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\{DFFFAE4D-F0CF-46CD-9586-FE891237AB8A}]
"NameStringIndirect"="@comres.dll,-659"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh]
"napmontr"="napmontr.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Router\CurrentVersion\RouterManagers\Ip]
"ConfigDll"="ipadmin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Router\CurrentVersion\RouterManagers\Ipv6]
"ConfigDll"="ipadmin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Router\CurrentVersion\UiConfigDlls]
"58bdf950-f471-11cf-aa67-00805f0c9232"="ifadmin.dll"
"58bdf951-f471-11cf-aa67-00805f0c9232"="ipadmin.dll"
"58bdf953-f471-11cf-aa67-00805f0c9232"="ddmadmin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\ClientProtocols]
"ncacn_ip_tcp"="rpcrt4.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions]
"NdrOleExtDll"="Ole32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService]
"9"="sspicli.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS]
"IGDSearcherDLL"="bitsigd.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Glass Colorization\Swatches\{FD81078C-1B36-4595-A92E-91F05C4FA5DC}]
"Resource"="themecpl.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching\Plugin]
"WUSearchLibrary"="chkwudrv.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder]
"Text"="@shell32.dll,-30498"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\MSWMPBurnCDOnArrival]
"Action"="@wmploc.dll,-6505"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\MSPlayCDAudioOnArrival]
"Provider"="@wmploc.dll,-6502"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}]
"InfoTip"="@shell32,dll,-12692"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{0b2baaeb-0042-4dca-aa4d-3ee8648d03e5}\TopViews\{82ba0782-5b7a-4569-b5d7-ec83085f08cc}]
"Name"="@shell32.dll,-34817"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\AUTH\LOGON\SILENT]
"HelpID"="iexplore.hlp#50283"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\DOTNET]
"PlugUIText"="@mscorier.dll,-1001"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Mail\Advanced Settings\Contact Conversion]
"Bitmap"="msoeres.dll,50"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Audit\SystemPolicy\System\SystemIntegrity]
"HelpText"="@auditpolmsg.dll,-734"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers]
"Adobe Type Manager"="atmfd.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DiscoveryManager]
"DiscoveryProviderDllPath"="PeerDistWSDDiscoProv.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DownloadManager]
"TransportDllPath"="PeerDistHttpTrans.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache]
"TransportDllPath"="PeerDistHttpTrans.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\Discovery]
"ProviderDLLPath"="PeerDistAD.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\_V2Providers\{f3b975e7-e068-4f66-81ef-b23e0a0e64c9}]
"ApplicationIdentity"="lsm.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileLoader\{F5441CBB-AE7D-4495-905B-161047E58936}]
"DllName"="userenv.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit\Reg Values\MACHINE/System/CurrentControlSet/Services/LDAP/LDAPClientIntegrity]
"DisplayChoices"=multi:"0|@...cedit.dll,-59073","1|@...cedit.dll,-59074","2|@...cedit.dll,-59075"
"DisplayName"="@wsecedit.dll,-59072"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}]
"DisplayName"="@gptext.dll,-205"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\PHSearchConnectors\StickyNotes\Default]
"Description"="@SNTSearch.dll,-504"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\FileSystemUtilities]
"IfsUtilExtension"="ifsutilx.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port]
"Driver"="WSDMon.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Providers\LanMan Print Services]
"Name"="win32spl.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Els\Services\{2D64B439-6CAF-4f6b-B688-E5D0F4FAA7D7}]
"Description"="@elscore.dll,-2"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcSs]
"DisplayName"="@combase.dll,-5010"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\00000401]
"Layout File"="KBDA1.DLL"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0]
"Icon"="shell32.dll#0016"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"LowIcon"="inetcpl.cpl#005426"
[HKEY_USERS\S-1-5-19\AppEvents\EventLabels\.Default]
"DispFileName"="@mmres.dll,-5824"
[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Names\.None]
@="@mmres.dll,-801"
[ 1669 more entries with unqualified filenames omitted ]
regards
Stefan Kanthak
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
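As an added example (not part of Stefan Kanthak's post and not a Microsoft tool), the following Python script does the kind of audit the post reports on: it reads a regedit export, such as the W81_PATH.REG linked above, and lists every string value that names a module by bare filename instead of a fully qualified path. It recognises the value forms quoted in the post (`@module,-id` indirect strings, `module,index` icon and applet references, `module#id`) and treats drive-letter, UNC and `%VAR%`-rooted paths as qualified. The sample entries embedded in it are constructed from values quoted in the post plus two qualified ones for contrast; the two all-zero CLSIDs are placeholders, not real registrations.

```python
"""Flag registry values that name a module by bare filename instead of a
fully qualified path, reading the regedit (.reg) export format.

Added example, not code from the original post. SAMPLE_REG is constructed:
four entries quoted in the post plus two qualified ones under placeholder CLSIDs.
"""
import re
import sys
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample in regedit export syntax (backslashes and quotes are escaped).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00020000-0000-0000-C000-000000000046}\InprocServer]
@="avifile.dll"

[HKEY_CLASSES_ROOT\CLSID\{289228DE-A31E-11D1-A19C-0000F875B132}\ToolboxBitmap32]
@="cic.dll, 1"

[HKEY_CLASSES_ROOT\batfile\shell\runasuser]
@="@shell32.dll,-50944"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0]
"Icon"="shell32.dll#0016"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="%SystemRoot%\\system32\\example.dll"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Windows\\System32\\ole32.dll"
'''

KEY_RE = re.compile(r'^\[(?P<key>.+)\]\s*$')
VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')
QUOTED_RE = re.compile(r'^"(?P<text>(?:[^"\\]|\\.)*)"\s*$')
# Drive-letter path, UNC path, or a path rooted in an environment variable
# (the last is only as trustworthy as the variable it expands from).
QUALIFIED_RE = re.compile(r'^(?:[A-Za-z]:\\|\\\\|%[^%]+%\\)')
MODULE_EXT = ('.dll', '.exe', '.cpl', '.ocx', '.ax', '.drv', '.hlp')


@dataclass(frozen=True)
class Finding:
    key: str      # registry key the value lives under
    name: str     # value name; '@' is the key's default value
    module: str   # the unqualified module name that was found


def _unescape(raw: str) -> str:
    # regedit writes \ as \\ and " as \" inside quoted strings
    return re.sub(r'\\(.)', r'\1', raw)


def iter_string_values(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, name, value) for every quoted REG_SZ-style value in a .reg export.
    hex:/dword: values are skipped: they cannot name a module."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        q = QUOTED_RE.match(m.group('data'))
        if not q:
            continue
        name = '@' if m.group('name') is None else _unescape(m.group('name'))
        yield key, name, _unescape(q.group('text'))


def module_reference(value: str) -> Optional[str]:
    """Return the module path a value names, or None if it names no module.
    Handles "mod.dll", "@mod.dll,-id" (indirect string), "mod.dll,id" and
    "mod.cpl,,3" (icon / applet index) and "mod.dll#id" (help / icon id)."""
    s = value.strip()
    if s.startswith('@'):
        s = s[1:]
    for sep in (',', '#'):
        idx = s.find(sep)
        if idx != -1:
            s = s[:idx]
    s = s.strip()
    return s if s.lower().endswith(MODULE_EXT) else None


def is_fully_qualified(path: str) -> bool:
    return QUALIFIED_RE.match(path) is not None


def find_unqualified(text: str) -> List[Finding]:
    """Every string value naming a module by bare filename. Such a name is resolved
    through the DLL search order at load time rather than pointing at one fixed
    file, which is exactly what the "fully qualified path" guidance rules out."""
    out = []
    for key, name, value in iter_string_values(text):
        module = module_reference(value)
        if module is not None and not is_fully_qualified(module):
            out.append(Finding(key, name, module))
    return out


if __name__ == '__main__':
    # regedit exports are UTF-16 with a BOM; pass a .reg file or run on the sample.
    text = open(sys.argv[1], encoding='utf-16').read() if len(sys.argv) > 1 else SAMPLE_REG
    for f in find_unqualified(text):
        print(f'{f.module:<24} {f.name:<12} {f.key}')
```

Each line of output is a candidate for review rather than a verdict: which search order applies to a bare name depends on the component that consumes the value and on the API it loads with, so the list is the starting point for checking whether the consumer restricts the search (for example to the system directory) or whether the value should simply carry its well-known full path.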