lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <36CECE7B9A614B4E976A8124A5F7C9DC@W340>
Date: Wed, 18 Jul 2018 12:28:47 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 56): 10+ year old
	security update installers are susceptiblle to 20+ year old
	vulnerability

Hi @ll,

Microsoft released <https://support.microsoft.com/en-us/help/4336919>
"Description of the security update for the remote code execution
 vulnerability in Visual Studio 2010 Service Pack 1: July 10, 2018"
some days ago.

The executable installer VS10SP1-KB4336919-x86.exe offered for
download from <https://aka.ms/vs/10/release/4336919> alias
<https://download.visualstudio.microsoft.com/download/pr/12715017/faaef3d5a7c96735de75d3843e964a5c/VS10SP1-KB4336919-x86.exe>
is but VULNERABLE!

The headers of this "portable executable" give a hint: the
executable installer (really: a self-extractor) was built
10+ years ago.

| C:\Users\Stefan\Downloads>LINK.exe /DUMP /HEADERS VS10SP1-KB4336919-x86.exe
| Microsoft (R) COFF/PE Dumper Version 10.00.40219.01
| Copyright (C) Microsoft Corporation.  All rights reserved.
|
|
| Dump of file VS10SP1-KB4336919-x86.exe
|
| PE signature found
|
| File Type: EXECUTABLE IMAGE
|
| FILE HEADER VALUES
|             14C machine (x86)
|               3 number of sections
|        476B6AA0 time date stamp Fri Dec 21 08:26:24 2007
                                  ~~~~~~~~~~~~~~~~~~~~~~~~
...
|
| C:\Users\Stefan\Downloads>FILEVER.exe /V VS10SP1-KB4336919-x86.exe
|
| --a-- W32i   APP ENU  10.0.40219.493 shp  7,484,104 07-05-2018 vs10sp1-kb4336919-x86.exe
|        Language        0x0000 (Neutral)
|        CharSet         0x04b0 Unicode
|        OleSelfRegister Disabled
|        CompanyName     Microsoft Corporation
|        FileDescription Self-Extracting Cabinet
|        InternalName    SFXCAB.EXE
|        OriginalFilenam SFXCAB.EXE
|        ProductName     Microsoft Visual Studio 2010
|        ProductVersion  6.3.0015.0
|        FileVersion     6.3.0015.0 built by: dnsrv
|        LegalCopyright  ® Microsoft Corporation. All rights reserved.

JFTR: SFXCAB.exe was introduced with Windows 95 and Windows NT4.
      And of course there are NEWER versions of this tool available
      and still in use at Microsoft: see for example the hotfixes
      for Windows Embedded POSReady 2009.


On the other hand, someone by the name of William Henry Gates wrote
a memo titled "Trustworthy computing" 16+ years ago and sent it to
all full time employees of his "garage band":

| From: Bill Gates
| Sent: Tuesday, January 15, 2002 5:22 PM
| To: Microsoft and Subsidiaries: All FTE
| Subject: Trustworthy computing


1. VS10SP1-KB4336919-x86.exe is susceptible to DLL spoofing, a
   vulnerability known for 20+ years: it loads multiple system DLLs
   from its "application directory", typically the user's "Downloads"
   directory %USERPROFILE%\Downloads\, instead from Windows' "system
   directory" %SystemRoot%\System32\, resulting in arbitrary code
   execution.

   On a fully patched Windows 7 SP1 VS10SP1-KB4336919-x86.exe
   loads AT LEAST the following rogue DLLs:
        CryptDll.dll, CryptSP.dll


   For this well-known and well-documented BEGINNER'S ERROR see
   <https://cwe.mitre.org/data/definitions/426.html> and
   <https://cwe.mitre.org/data/definitions/427.html> plus
   <https://capec.mitre.org/data/definitions/471.html>.

   Additionally Microsofts own guidance
   <https://technet.microsoft.com/en-us/library/2269637.aspx>,
   <https://msdn.microsoft.com/en-us/library/ff919712.aspx>,
   <https://msdn.microsoft.com/en-us/library/ms682586.aspx> and
   <http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>

   Don't forget to recap Steve Sutton's "Windows NT Security Guidelines"
   <http://fy.chalmers.se/~appro/nt/nsaguide.pdf>, or ACROS Security's
   <https://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
   and <https://www.ipa.go.jp/security/english/vuln/20170928_dll_en.html>

   Demonstration/proof of concept:
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   a) follow the instructions from
      <https://skanthak.homepage.t-online.de/minesweeper.html>
      and build a minefield of 32-bit forwarder DLLs in your
      "Downloads" directory;

   b) download the executable installer from
      <https://aka.ms/vs/10/release/4336919>
      and save it in your "Downloads" directory";

   c) execute VS10SP1-KB4336919-x86.exe: notice the message boxes
      displayed from the DLLs built in step a!


2. In standard installations of Windows, where the user account
   created during Windows setup is used, the UNPRIVILEGED alias
   UNELEVATED user (or any program running under this account) can
   place arbitrary rogue DLLs in the "Downloads" directory, for
   example per "drive-by download".

   JFTR: the precondition "user account created during setup" holds
         for the vast majority of all Windows installations.
         As published in Microsofts "security intelligence reports"
         <https://www.microsoft.com/security/sir/>, from 50% to 75%
         of all about 600 million Windows installations which provide
         telemetry data have only one active user account.

   Since the "application manifest" embedded in VS10SP1-KB4336919-x86.exe
   specifies "requireAdministrator", the first vulnerability then
   results in arbitrary code execution WITH escalation of privilege.


Mitigations:
~~~~~~~~~~~~

1. DON'T use executable installers; stay far away from such crap!

2. NEVER run executable installers from UNSAFE directories like
   "%USERPROFILE%\Downloads\" or "%TEMP%\"

3. Exercise STRICT privilege separation: use your privileged
   "Administrator" account (especially the account created during
   Windows setup) only for administrative tasks, and a COMPLETELY
   separate unprivileged "standard user" account for your own tasks.


stay tuned
Stefan Kanthak


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ