lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 25 Jun 2014 22:27:08 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 17): even a
	one-line script is vulnerable

Hi @ll,

the batch script WINRM.CMD, which contains just the single line

@cscript //nologo "%~dpn0.vbs" %*

allows a binary planting or squatting attack: WINRM.CMD executes a
rogue CSCRIPT.COM, CSCRIPT.EXE, CSCRIPT.BAT, CSCRIPT.CMD etc. (see
environment variable PATHEXT) from the current working directory.

Proof of concept:

1. Start CMD.EXE

2. CHDIR /D "<arbitrary writable directory>"
   (for example "%USERPROFILE%\Desktop", "%USERPROFILE%\Downloads",
   "%HOMEDRIVE%%HOMEPATH%" or "%TEMP%")

3. COPY "<arbitrary executable>" .\CSCRIPT.COM

4. WINRM /?

-> .\CSCRIPT.COM is run!


WIMRM.CMD is installed as part of the (optional) "Windows Remote
Management" (see <http://msdn.microsoft.com/library/aa384291.aspx>),
available for Windows XP and 2003 with the hotfixes KB936059 and
KB968929, and included in all later versions of Windows.

"Windows Remote Management" implements the DMTF's Web Services for
Management alias WS-Management alias WS-MAN.


Trivial fix: change "@cscript " in %SystemRoot%\System32\WINRM.CMD
             to "@%SystemRoot%\System32\CSCript.exe "


JFTR: <http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>
      aint enough!

      ALL executables fed to interfaces which evaluate PATH, i.e.
      CreateProcess(), ShellExecute(), CMD.EXE, ... MUST be specified
      with their fully qualified pathname.


regards
Stefan Kanthak


Timeline:
~~~~~~~~~

2014-01-23    informed vendor

2014-01-23    vendor opens MSRC case 16790

... no more reaction from vendor

2014-06-20    requested status from vendor

2014-06-20    vendor replies:
              "Not a vulnerability.
               All directories on the PATH are protected and need Admin
               privileges to modify. Modifying the PATH also require
               admin privileges."

              OUCH!

2014-06-20    rectified vendors elementary misunderstanding of CMD.EXE's
              PATH handling:

              - CMD.EXE (which interprets WINRM.CMD) searches . (the
                current working directory) FIRST, ALWAYS;

              - PATH (and of course PATHEXT too) can always be modified
                by (unprivileged) users in various ways, both temporary
                and permanent;

              - users have full control over ., PATH and PATHEXT!

... no more reaction from vendor

2014-06-25    report published

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists