Date: Tue, 15 Mar 2016 20:05:58 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 39): vulnerabilities, please meet the bar for security servicing

Hi @ll,

this multipart post does not require a MIME-compliant MUA.-)

Part 0:
~~~~~~~

On Windows 7 (other versions of Windows not tested for this
vulnerability, but are likely vulnerable too) all executable
installers/self-extractors based on Microsoft's SFXCAB [*]
load and execute a rogue CryptDll.dll from their application
directory instead of %SystemRoot%\System32\CryptDll.dll.


For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior
art" about this well-known and well-documented vulnerability;
also see <https://cwe.mitre.org/data/definitions/426.html>
and <https://cwe.mitre.org/data/definitions/427.html>
plus <https://capec.mitre.org/data/definitions/471.html>

If an attacker places CryptDll.dll in the user's "Downloads"
directory (for example per "drive-by download" or "social
engineering") this vulnerability becomes a remote code execution.

The application manifest embedded in many/most of these
executables specifies "requireAdministrator", so execution of
CryptDll.dll results in an escalation of privilege then!


Proof of concept/demonstration:

1. Download <http://home.arcor.de/skanthak/download/CRYPTDLL.DLL>
   and save it in your "Downloads" directory;

2. Download an arbitrary executable installer/self-extractor based
   on SFXCAB [*] from the Microsoft Download Center and save it in
   your "Downloads" directory, for example:

   2.a MSEInstall.exe via
       <https://www.microsoft.com/en-us/download/details.aspx?id=5201>

   2.b mssstool32.exe via
       <http://go.microsoft.com/fwlink/?LinkID=234123>

   2.c ImagePackage32.exe via
       <http://go.microsoft.com/fwlink/?LinkID=267537> or
       <http://go.microsoft.com/fwlink/?LinkID=232568>

   2.d VCRedist_x86.exe via
       <https://www.microsoft.com/en-us/download/details.aspx?id=40784>
       <https://www.microsoft.com/en-us/download/details.aspx?id=30679>
       <https://www.microsoft.com/en-us/download/details.aspx?id=8328>
       <https://www.microsoft.com/en-us/download/details.aspx?id=5555>
       ...

   2.e VC-Compiler-KB2519277.exe via
       <http://www.microsoft.com/en-us/download/details.aspx?id=4422>

   (several hundred to a thousand vulnerable installers omitted ...)

   2.zzz
       Silverlight.exe via
       <http://www.microsoft.com/getsilverlight/Get-Started/Install/Default.aspx>

3. Run any executable installer/self-extractor based on SFXCAB from
   your "Downloads" directory;

4. Notice the message boxes displayed from CryptDll.dll downloaded
   in step 1: PWNED!


Response from Microsoft's Security Response Center:

| Upon investigation this application directory binary planting
| issue does not meet the bar for security servicing.


But see CVE-2016-0014 alias MS16-007, CVE-2014-0315 alias MS14-019,
CVE-2015-8264, CVE-2016-1281, CVE-2016-0603, CVE-2016-0602 and many
more fixed vulnerabilities of exactly this kind!


Part 1: MSRC case 31723
~~~~~~~~~~~~~~~~~~~~~~~

On all supported versions of Windows the AntiMalware Definition
Updaters MPAM-D.exe and MPAM-FE[x64].exe
(see <https://support.microsoft.com/en-us/kb/935934>,
<https://technet.microsoft.com/en-us/library/gg398041.aspx> and
<https://www.microsoft.com/security/portal/definitions/adl.aspx>)
load and execute a rogue Cabinet.dll from their application
directory instead of %SystemRoot%\System32\Cabinet.dll.


Proof of concept/demonstration:

1. Download <http://home.arcor.de/skanthak/download/CABINET.DLL>
   and save it in your "Downloads" directory;

2. download MPAM-D.exe or MPAM-FE.exe and save it in your
   "Downloads" directory;

3. Run MPAM-D.exe or MPAM-FE.exe;

4. Notice the message boxes displayed from Cabinet.dll downloaded
   in step 1: PWNED!


Response from Microsoft's Security Response Center:

| Since this requires a user to run executables or installers from
| an untrusted location it does not meet the bar for servicing via
| bulletin.


Apparently the MSRC never read the instructions given on
<https://www.microsoft.com/security/portal/definitions/adl.aspx>

| Antimalware and antispyware updates
...
| To download these updates:
| 1. Check whether your version of Windows is 32-bit or 64-bit.
| 2. In the table below, right-click on the link that will work
|    for your version of Windows and choose Save target as... or
|    Save link as...
| 3. Save the file to your Desktop.
| 4. When the file has finished downloading, go to your Desktop
|    and double-click the file (it will be called mpam-fe.exe,
|    mpas-fe.exe, or mpam-feX64.exe).
| 5. Follow the prompts to install the update.

and considers the "Desktop" a trusted location, despite
<https://support.microsoft.com/en-us/kb/959426> alias
<https://technet.microsoft.com/en-us/library/ms09-014.aspx> plus
<https://blogs.technet.com/b/srd/archive/2009/04/14/ms09-014-addressing-the-safari-carpet-bomb-vulnerability.aspx>,
<https://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx>
and 
<https://blogs.technet.com/b/srd/archive/2010/08/31/an-update-on-the-dll-preloading-remote-attack-vector.aspx>


Part 2: MSRC case 32352
~~~~~~~~~~~~~~~~~~~~~~~

On Windows 7 (other versions of Windows not tested for this
vulnerability, but are likely vulnerable too) LoadLibrary("URL.dll")
as well as LoadLibrary("C:\Windows\System32\URL.dll") load and execute
a rogue OLEAcc.dll from the application directory of the calling
program instead of %SystemRoot%\System32\OLEAcc.dll.


Proof of concept/demonstration:

Adapt the PoC from part 3.

JFTR: URL.dll is a load-time dependency of quite a few other DLLs
      and programs!


Part 3: MSRC case 32432
~~~~~~~~~~~~~~~~~~~~~~~

On Windows XP and its still (until April 2019) serviced cousin
Windows Embedded POSReady 2009, LoadLibrary("CryptUI.dll") as
well as LoadLibrary("C:\Windows\System32\CryptUI.dll") load
a rogue RichEd20.dll from the application directory of the
calling program instead of %SystemRoot%\System32\RichEd20.dll.


Proof of concept/demonstration:

1. Compile and link the following program as CryptUI.exe:

    #include <windows.h>

    /* Minimal program that defines its own entry point, so no C runtime
       is needed: load CryptUI.dll by its bare name (the loader resolves
       it and its dependencies through the default search order), then
       exit with the Win32 error code, or 0 on success. */
    void WinMainCRTStartup(void)
    {
        HMODULE hModule = NULL;
        if ((hModule = LoadLibrary("CryptUI.dll")) == NULL)
            ExitProcess(GetLastError());
        if (!FreeLibrary(hModule))
            ExitProcess(GetLastError());
        ExitProcess(0L);
    }

   or download the compiled program from
   <http://home.arcor.de/skanthak/temp/CRYPTUI.EXE>, then save
   it in your "Downloads" directory;

2. Download <http://home.arcor.de/skanthak/download/RICHED20.DLL>
   and save it in your "Downloads" directory;

3. Run CryptUI.exe;

4. Notice the message boxes displayed from RichEd20.dll downloaded
   in step 2: PWNED!

JFTR: CryptUI.dll is a dependency of quite a few other DLLs, for
      example ShDocVw.dll and URL.dll.


Response from Microsoft's Security Response Center:

| This is an application directory behavior and it does not
| currently meet the bar for a security servicing update.


Of course Microsoft's own documentation advises how to avoid
these bloody beginner's errors: see
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> plus
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>:

| To ensure secure loading of libraries
| * Use proper DLL search order.
| * Always specify the fully qualified path when the library
    ~~~~~~
|   location is constant.


Part 4: MSRC case 32250
~~~~~~~~~~~~~~~~~~~~~~~

On Windows 7, Windows XP and its still (until April 2019) serviced
cousin Windows Embedded POSReady 2009 (other versions of Windows
not tested for this vulnerability, but are likely vulnerable too),
ShellExecuteEx() and ShellExecute() load and execute several DLLs
from the application directory of the calling program instead of
the system directory %SystemRoot%\System32\.


Proof of concept/demonstration:

1. Compile and link the following program as ShlExecX.exe:

    #include <windows.h>
    #include <shellapi.h>
    #include <objbase.h>

    /* Minimal program that defines its own entry point (no C runtime);
       link against shell32 and ole32. It initialises COM and asks the
       shell to "open" the current directory; ShellExecuteEx() pulls in
       several DLLs by bare name on the way. The exit code is the Win32
       error, or 0 on success. */
    void WinMainCRTStartup(void)
    {
        HRESULT hr = S_OK;
        DWORD dwError = ERROR_SUCCESS;
        SHELLEXECUTEINFO sei = {sizeof(sei)};
        if ((hr = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED
                                     | COINIT_DISABLE_OLE1DDE)) != S_OK)
            dwError = hr;
        else
        {
            sei.fMask = SEE_MASK_FLAG_DDEWAIT;
            sei.nShow = SW_SHOWNORMAL;
            sei.lpFile = ".";        // try "*" or other names too!
            sei.lpVerb = NULL;       // default verb ("open")
            if (!ShellExecuteEx(&sei))
                dwError = GetLastError();
            CoUninitialize();        // only after a successful init
        }
        ExitProcess(dwError);
    }

   or download the compiled program from
   <http://home.arcor.de/skanthak/temp/SHLEXECX.EXE>
   and save it in your "Downloads" directory;

   An alternative version which calls ShellExecute() instead of
   ShellExecuteEx() is available as
   <http://home.arcor.de/skanthak/temp/SHLEXEC.EXE>

2. Download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>
   and save it as DWMAPI.dll in your "Downloads" directory,
   then copy it as SetupAPI.dll, COMRes.dll and ClbCatQ.dll;

3. Download <http://home.arcor.de/skanthak/download/WTSAPI32.DLL>,
   <http://home.arcor.de/skanthak/download/UXTHEME.DLL>,
   <http://home.arcor.de/skanthak/download/RICHED20.DLL> and
   save them in your "Downloads" directory;

4. Run ShlExecX.exe or ShlExec.exe;

5. Notice the message boxes displayed from the DLLs downloaded
   in steps 2 and 3: PWNED!


No response from Microsoft's Security Response Center for 10 weeks!
No answer to a status request for 10 days.


stay tuned
Stefan Kanthak


[*] executable installers/self-extractors based on SFXCAB.EXE may
    be identified via their embedded manifest (resource type 24,
    resource id 1):

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="sfxcab.exe" type="win32">
                                                                  ~~~~~~~~~~~~~~~~~
  </assemblyIdentity>
  <ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
      <ms_asmv2:security>
         <ms_asmv2:requestedPrivileges>
            <ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false">
            </ms_asmv2:requestedExecutionLevel>
         </ms_asmv2:requestedPrivileges>
      </ms_asmv2:security>
   </ms_asmv2:trustInfo>
</assembly>

    or

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="6.3.18.0" processorArchitecture="X86" name="sfxcab" type="win32">
                                                                   ~~~~~~~~~~~~~
  </assemblyIdentity>
  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
    </application>
  </compatibility>
  <description>setup</description>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false">
        </requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
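An added offline check (not from the post) that applies the footnote's identification rule: it pulls any embedded manifest out of a PE image by scanning the file for the XML text of the RT_MANIFEST resource, then reports whether the assemblyIdentity names sfxcab and whether the manifest also requests requireAdministrator. The sample manifest is constructed after the second one quoted above; file paths given on the command line are audited one by one.

```python
import re
import sys
import xml.etree.ElementTree as ET

# RT_MANIFEST (type 24, id 1) is stored as plain UTF-8 XML in .rsrc, so a byte
# scan finds it without walking the resource tree (assumes uncompressed storage).
MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)

# Constructed sample, modelled on the second manifest quoted in the footnote.
SAMPLE_SFXCAB_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="6.3.18.0" processorArchitecture="X86" name="sfxcab" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
    </requestedPrivileges></security>
  </trustInfo>
</assembly>"""

def local(tag):
    """Strip the XML namespace: trustInfo may be asm.v2 or asm.v3."""
    return tag.rsplit("}", 1)[-1]

def extract_manifests(data: bytes):
    """Return every embedded manifest found in a PE image, as text."""
    return [m.group(0).decode("utf-8", "replace")
            for m in MANIFEST_RE.finditer(data)]

def classify_manifest(xml_text: str):
    """Return (is_sfxcab, requested_level) for one application manifest."""
    root = ET.fromstring(xml_text)
    # The application's own assemblyIdentity is a direct child of <assembly>;
    # dependentAssembly identities are nested deeper and must not be used.
    names = [c.get("name", "") for c in root if local(c.tag) == "assemblyIdentity"]
    levels = [e.get("level") for e in root.iter()
              if local(e.tag) == "requestedExecutionLevel"]
    is_sfxcab = bool(names) and names[0].lower().startswith("sfxcab")
    return is_sfxcab, (levels[0] if levels else None)

def audit_image(data: bytes):
    """Flag an SFXCAB self-extractor and whether it also asks for elevation,
    the combination that turns a planted DLL load into privilege escalation."""
    results = [classify_manifest(m) for m in extract_manifests(data)]
    return {"sfxcab": any(s for s, _ in results),
            "requireAdministrator": any(s and lvl == "requireAdministrator"
                                        for s, lvl in results)}

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, audit_image(f.read()))
```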

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/