lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 5 Dec 2015 14:36:23 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>,
	<bugtraq@...urityfocus.com>
Cc: pctech@...ltek.com, contact_us@...ltek.com, alan_wang@...r.com
Subject: [FD] Defense in depth -- the Microsoft way (part 37): MMC.exe and
	DrvInst.exe load and execute ".dll" with elevated resp.
	SYSTEM privileges

Hi @ll,

on Windows 7 (I did not check other versions of Windows, but I'm
confident that the underlying bug is present in Windows Vista,
Windows Server 2008 [R2], Windows 8[.1] and Windows Server 2012 [R2],
i.e. all versions of Windows NT6.x too) the system utilities MMC.exe
and DrvInst.exe load and execute a DLL named ".dll", resulting in
escalation of privilege.

Since no system DLL by the name ".dll" exists it is loaded via the DLL
search path (see <https://msdn.microsoft.com/en-us/library/ms682586.aspx>)


Proof of concept for MMC.exe:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>
   (see <http://home.arcor.de/skanthak/sentinel.html> for details)
   and save it as .DLL ['] in an arbitrary directory of your choice;

2. add this directory to the user's (not the system's) PATH [²];

3. download the current Realtek PCIexpress ethernet NIC driver from
   <http://12244.wpc.azureedge.net/8012244/drivers/rtdrivers/cn/nic/0012-Install_Win7_7097_11232015.zip>
   (via <http://www.realtek.com/downloads/>);

4. open the downloaded 0012-Install_Win7_7097_11232015.zip and
   extract the contents of the "directory"
      Install_Win7_7097_11232015\WIN7\32
   from the .ZIP to an(other) arbitrary directory of your choice;

5. start device manager (i.e. MMC.exe DevMgmt.msc) [³] and install
   the Realtek ethernet NIC driver from the directory choosen in
   step 4;

6. sse the message box displayed from DllMain() of the loaded .DLL [']


Proof of concept for DrvInst.exe:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>
   (see <http://home.arcor.de/skanthak/sentinel.html> for details)
   and save it as .DLL ['] in an arbitrary directory of your choice;

2a. add this directory to the system's PATH
    (yes, this requires administrative privileges [³]);

    OR

2b. run the following 2 commands to "copy" the downloaded .DLL to
    %SystemRoot%\System32:

    MakeCab.exe .DLL "%TEMP%\dummy.cab"
    WUSA.exe "%TEMP%\dummy.cab" /Extract:%SystemRoot%\System32

    (yes, this requires administrative privileges [³]);

3. download the Realtek card reader driver from
   <http://global-download.acer.com/GDFiles/Driver/CardReader/CardReader_Realtek_6.3.9600.21257_W7x64_A.zip>
   (via <http://support.acer.com/downloads/>)

4. open the downloaded CardReader_Realtek_6.3.9600.21257_W7x64_A.zip
   and extract the contents of the "directory"
      CardReader_Realtek_6.3.9600.21257_W7x64\DrvBin32
   from the .ZIP to an(other) arbitrary directory of your choice;

5. start device manager (i.e. MMC.exe DevMgmt.msc) [²] and install
   the Realtek card reader driver from the directory choosen in
   step 4;

6. start event viewer (i.e. MMC.exe EventVwr.msc) [²] and find the
   event log entry from source "Vulnerability and Exploit Detector"
   generated from DllMain() of the loaded .DLL ['] (DrvInst.exe
   runs in the non-interactive "session 0", so SENTINEL.DLL doesn't
   display a message box and writes an event log entry only).


stay tuned
Stefan Kanthak


['] yes, that's a valid Win32 filename; a DLL named ".dll" is loaded
    via the following (obviously erroneous) calls of Win32 API
    functions:
    * LoadLibraryA(""),
    * LoadLibraryA(L"<arbitrary UNICODE string>"),
    * LoadLibraryW(L""),
    * LoadLibraryExA("", ...),
    * LoadLibraryExA(L"<arbitrary UNICODE string>", ...),
    * LoadLibraryExW(L"", ...)

    The most probable cause is feeding of a UNICODE string to the
    ANSI functions.

    This bug may be triggered via other execution paths in MMC.exe,
    via installation of other drivers or via other .MSC too!

PS: %SystemRoot%\System32\WBEM\WMIPrvSE.exe and SysInternals VMMap.exe
    show this bug too!

[²] of course the system's PATH may be used instead, or the method
    shown in step 2b. for the DrvInst.exe exploit.

[³] in Windows' default configuration this does NOT trigger the user
    account control!


Timeline:
~~~~~~~~~

2015-12-04    vulnerability reports sent to MSRC

2015-12-04    response from MSRC regarding DrvInst.exe:
              "unauthenticated users can't change path" and
              "for WUSA.exe to work you require the system to be configured
               by the user in a non-default manner"

2015-12-04    OUCH! sent to MSRC:

              WUSA.exe <.CAB archive> /Extract:<destination directory>

              works in DEFAULT configuration of Windows 7, Windows Server
              2008 R2, Windows 8[.1] and Windows Server 2012 [R2]

2015-12-04    response from MSRC regarding MMC.exe:
              "unauthenticated users can't change path"

2015-12-05    OUCH! sent to MSRC:
              users can change their own PATH, and user's PATH is
              appended to the system's PATH

2015-12-05    response from MSRC:
              this does not meet the bar for security servicing.

2015-12-05    report published


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists