[<prev] [next>] [day] [month] [year] [list]
Message-ID: <532062A079E542C7B19E02E2C68B8762@W340>
Date: Thu, 11 Aug 2016 20:15:23 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 42): Sysinternals
utilities load and execute rogue DLLs from %TEMP%
Hi @ll,
several of Microsoft's Sysinternals utilities extract executables
to %TEMP% and run them from there; the extracted executables are
vulnerable to DLL hijacking, allowing arbitrary code execution in
every user account and escalation of privilege in "protected
administrator" accounts [*].
* CoreInfo.exe:
extracts on x64 an embedded CoreInfo64.exe to %TEMP% which loads
%TEMP%\VERSION.DLL (on Windows Vista and newer)
and executes it with the callers credentials.
* Disk2VHD.exe:
extracts on Windows 2003 and newer, both x86 and x64, an embedded
Disk2VHD-tmp.exe to %TEMP% which loads
%TEMP%\UXTHEME.DLL
%TEMP%\VERSION.DLL (on Windows Vista and newer),
and executes it with administrative privileges on Windows Vista
and newer, and with the callers credentials on Windows 2003.
* DiskView.exe:
extracts on x64 an embedded DiskView64.exe to %TEMP% which loads
%TEMP%\UXTHEME.DLL
and executes it with administrative privileges on Windows Vista
and newer, and with the callers credentials on Windows 2003 and
Windows XP.
* ProcMon.exe:
extracts on x64 an embedded ProcMon64.exe to %TEMP% which loads
%TEMP%\UXTHEME.DLL,
%TEMP%\VERSION.DLL (on Windows Vista and newer),
and executes it with the callers credentials.
* RAMMap.exe:
extracts on x64 an embedded RAMMap64.exe to %TEMP% which loads
%TEMP%\SETUPAPI.DLL (on Windows 2003),
%TEMP%\UXTHEME.DLL,
%TEMP%\VERSION.DLL (on Windows Vista and newer),
and executes them with administrative privileges on Windows Vista
and newer, and with the callers credentials on Windows 2003.
* VMMap.exe:
extracts on x64 an embedded VMMap64.exe to %TEMP% which loads
%TEMP%\CLBCATQ.DLL (on Windows 2003),
%TEMP%\SETUPAPI.DLL (on Windows 2003),
%TEMP%\UXTHEME.DLL,
%TEMP%\VERSION.DLL (on Windows Vista and newer),
and executes them with the callers credentials.
* ZoomIt.exe:
extracts on x64 an embedded ZoomIt64.exe to %TEMP% which loads
%TEMP%\SETUPAPI.DLL (on Windows 2003),
%TEMP%\UXTHEME.DLL,
%TEMP%\VERSION.DLL (on Windows Vista and newer)
and executes them with the callers credentials.
See <https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>,
<https://cwe.mitre.org/data/definitions/277.html>,
<https://cwe.mitre.org/data/definitions/379.html> and
<https://cwe.mitre.org/data/definitions/732.html> for these
WELL-KNOWN and WELL-DOCUMENTED vulnerabilities^Wbeginner's
errors!
Mitigations:
~~~~~~~~~~~~
* Don't use these vulnerable utilities (or other crapware
which runs executables from unsafe directories like %TEMP%)!
* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; use
<https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
decode it to "deny execution of files in this directory for
everyone, inheritable to all files in all subdirectories".
stay tuned
Stefan Kanthak
[*] according to Microsoft's own SIR reports, more than half of
the Windows installations which send telemetry data have only
one active user account, i.e. some hundred million Windows
installations are susceptible to this design bug!
Timeline:
~~~~~~~~~
2015-11-02 vulnerability report sent to author and vendor
NO REPLY from author
2015-11-17 vendor replies, opens MSRC case 31724
2016-01-29 vendor replies, closes MSRC case 31724: WONTFIX
2016-08-11 report published
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists