Message-ID: <E75F342296F1403D8201FAEC8E1F0C04@W340>
Date: Fri, 26 May 2017 17:51:23 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] Executable installers are vulnerable^WEVIL (case 51):
	escalation of privilege with Microsoft's Azure Recovery
	Services Agent

Hi @ll,

MARSAgentInstaller.exe, the Microsoft Azure Recovery Services Agent,
available via
<https://support.microsoft.com/en-us/help/4020540/fix-the-microsoft-recovery-services-agent-cannot-connect-to-the-obengi>
from
<https://download.microsoft.com/download/9/A/9/9A92B144-3F87-45E1-BD63-C1E9431F2CC0/MARSAgentInstaller.exe>
is vulnerable: it allows arbitrary code execution via DLL hijacking,
resulting in escalation of privilege on standard installations of
Windows.

MARSAgentInstaller.exe version 2.0.9072.0, digitally signed 2017-04-05,
loads and executes (tested on a fully patched Windows 7 SP1) at least
the following DLLs from its application directory (typically
"%USERPROFILE%\Downloads\") instead of Windows' system directory
"%SystemRoot%\System32\": Version.dll, CryptDll.dll, CryptSP.dll,
UXTheme.dll or DWMAPI.dll, Cabinet.dll.

Thanks to the embedded application manifest, which specifies
"requireAdministrator", this results in escalation of privilege on
standard installations of Windows!

See <https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>,
<https://capec.mitre.org/data/definitions/471.html>,
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> for this
well-known beginner's error.

See <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,
<http://seclists.org/fulldisclosure/2012/Aug/134> and
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>
for more information.


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit <https://skanthak.homepage.t-online.de/sentinel.html>,
   download
   <https://skanthak.homepage.t-online.de/skanthak/download/SENTINEL.DLL>
   and save it as Cabinet.dll in your "Downloads" directory, then
   copy it as Version.dll, CryptDLL.dll, CryptSP.dll, UXTheme.dll
   and DWMAPI.dll;

2. visit
   <https://support.microsoft.com/en-us/help/4020540/fix-the-microsoft-recovery-services-agent-cannot-connect-to-the-obengi>,
   download
   <https://download.microsoft.com/download/9/A/9/9A92B144-3F87-45E1-BD63-C1E9431F2CC0/MARSAgentInstaller.exe>
   and save it in your "Downloads" directory;

3. execute MARSAgentInstaller.exe from your "Downloads" directory;

4. notice the message boxes displayed from the DLLs placed in step 1:
   PWNED!


Mitigation & detection:
~~~~~~~~~~~~~~~~~~~~~~~

* NEVER run executable installers from your "Downloads" directory;

* dump/avoid executable installers, use *.MSI instead!

* see <https://support.microsoft.com/en-us/kb/2533623>,
  <https://technet.microsoft.com/en-us/security/2269637> and
  <https://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>

* also see <https://skanthak.homepage.t-online.de/verifier.html>
  and <https://skanthak.homepage.t-online.de/!execute.html>
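A defender-side check for the DLL planting described above, added here as an
example; it is not code from the advisory, its author or Microsoft. It assumes
PowerShell 4 or later (for Get-FileHash); the function name, the default path
and the output fields are this example's own choices, the DLL names are the
ones the advisory lists.

```powershell
# Scan the directory executable installers are launched from (typically
# %USERPROFILE%\Downloads) for DLLs whose names collide with the ones
# MARSAgentInstaller.exe is reported to load from its application directory.
# A DLL with such a name next to an installer is suspicious unless it is the
# byte-identical copy of the one in %SystemRoot%\System32.
function Find-PlantedDll {
    param(
        [string]$Path = (Join-Path $env:USERPROFILE 'Downloads'),   # assumption: default scan location
        [string[]]$Names = @('Version.dll', 'CryptDll.dll', 'CryptSP.dll',
                             'UXTheme.dll', 'DWMAPI.dll', 'Cabinet.dll')  # names from the advisory
    )
    $system32 = Join-Path $env:SystemRoot 'System32'
    Get-ChildItem -Path $Path -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        Where-Object { $Names -contains $_.Name } |      # -contains is case-insensitive
        ForEach-Object {
            $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
            $sysCopy = Join-Path $system32 $_.Name
            $sameAsSystem = $false
            if (Test-Path $sysCopy) {
                $sameAsSystem = (Get-FileHash $_.FullName).Hash -eq (Get-FileHash $sysCopy).Hash
            }
            [pscustomobject]@{
                File            = $_.FullName
                SignatureStatus = $sig.Status                     # 'Valid' only for a properly signed DLL
                Signer          = $sig.SignerCertificate.Subject  # $null when unsigned
                MatchesSystem32 = $sameAsSystem
                Suspicious      = -not $sameAsSystem
            }
        }
}

# List the findings; to act on them, move the flagged files out of the
# directory (and therefore out of the installer's search path) before running
# any installer from it.
Find-PlantedDll | Where-Object Suspicious | Format-Table -AutoSize
```

Run it before launching any downloaded installer; an unsigned or non-Microsoft-signed hit with one of these names is the planting scenario the proof of concept relies on.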



stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2017-05-18    vulnerability report sent to vendor

2017-05-18    reply from vendor:
              "As described in the Windows library search order process,
               loading binaries from the application directory is by design."

2017-05-18    OUCH!
              The "application directory" can be removed from the library
              search path since Windows Vista and KB2533623!
              See <https://msdn.microsoft.com/en-us/library/hh310515.aspx>

2017-05-26    no reply from vendor for 7 days, report published
