lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <532062A079E542C7B19E02E2C68B8762@W340>
Date: Thu, 11 Aug 2016 20:15:23 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 42): Sysinternals
	utilities load and execute rogue DLLs from %TEMP%

Hi @ll,

several of Microsoft's Sysinternals utilities extract executables
to %TEMP% and run them from there; the extracted executables are
vulnerable to DLL hijacking, allowing arbitrary code execution in
every user account and escalation of privilege in "protected
administrator" accounts [*].

* CoreInfo.exe:
  extracts on x64 an embedded CoreInfo64.exe to %TEMP% which loads
    %TEMP%\VERSION.DLL (on Windows Vista and newer)
  and executes it with the callers credentials.

* Disk2VHD.exe:
  extracts on Windows 2003 and newer, both x86 and x64, an embedded
  Disk2VHD-tmp.exe to %TEMP% which loads
    %TEMP%\UXTHEME.DLL
    %TEMP%\VERSION.DLL (on Windows Vista and newer),
  and executes it with administrative privileges on Windows Vista
  and newer, and with the callers credentials on Windows 2003.

* DiskView.exe:
  extracts on x64 an embedded DiskView64.exe to %TEMP% which loads
    %TEMP%\UXTHEME.DLL
  and executes it with administrative privileges on Windows Vista
  and newer, and with the callers credentials on Windows 2003 and
  Windows XP.

* ProcMon.exe:
  extracts on x64 an embedded ProcMon64.exe to %TEMP% which loads
    %TEMP%\UXTHEME.DLL,
    %TEMP%\VERSION.DLL (on Windows Vista and newer),
  and executes it with the callers credentials.

* RAMMap.exe:
  extracts on x64 an embedded RAMMap64.exe to %TEMP% which loads
    %TEMP%\SETUPAPI.DLL (on Windows 2003),
    %TEMP%\UXTHEME.DLL,
    %TEMP%\VERSION.DLL (on Windows Vista and newer),
  and executes them with administrative privileges on Windows Vista
  and newer, and with the callers credentials on Windows 2003.

* VMMap.exe:
  extracts on x64 an embedded VMMap64.exe to %TEMP% which loads
    %TEMP%\CLBCATQ.DLL (on Windows 2003),
    %TEMP%\SETUPAPI.DLL (on Windows 2003),
    %TEMP%\UXTHEME.DLL,
    %TEMP%\VERSION.DLL (on Windows Vista and newer),
  and executes them with the callers credentials.

* ZoomIt.exe:
  extracts on x64 an embedded ZoomIt64.exe to %TEMP% which loads
    %TEMP%\SETUPAPI.DLL (on Windows 2003),
    %TEMP%\UXTHEME.DLL,
    %TEMP%\VERSION.DLL (on Windows Vista and newer)
  and executes them with the callers credentials.


See <https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>,
<https://cwe.mitre.org/data/definitions/277.html>,
<https://cwe.mitre.org/data/definitions/379.html> and
<https://cwe.mitre.org/data/definitions/732.html> for these
WELL-KNOWN and WELL-DOCUMENTED vulnerabilities^Wbeginner's
errors!


Mitigations:
~~~~~~~~~~~~

* Don't use these vulnerable utilities (or other crapware
  which runs executables from unsafe directories like %TEMP%)!

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; use
  <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
  decode it to "deny execution of files in this directory for
  everyone, inheritable to all files in all subdirectories".


stay tuned
Stefan Kanthak

[*] according to Microsoft's own SIR reports, more than half of
    the Windows installations which send telemetry data have only
    one active user account, i.e. some hundred million Windows
    installations are susceptible to this design bug!


Timeline:
~~~~~~~~~

2015-11-02    vulnerability report sent to author and vendor

              NO REPLY from author

2015-11-17    vendor replies, opens MSRC case 31724

2016-01-29    vendor replies, closes MSRC case 31724: WONTFIX

2016-08-11    report published

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ