| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <B57F4B004EED4A3B847DAD1E4FF605EE@W340>
Date: Sun, 2 Sep 2018 00:10:17 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 57): installation
of security updates fails on Windows Embedded POSReady 2009
Hi @ll,
on a multitude of machines running Windows Embedded POSReady 2009,
"automatic updates" show the well-known and never resolved bug which
lets the Windows Update Agent occupy one core (good luck if your CPU
has some of them and can afford to sacrifice one.-) for DAYS at 100%
load!
This nasty behaviour is documented for example in the MSKB articles
<https://support.microsoft.com/en-us/help/3102810> and
<https://support.microsoft.com/en-us/help/3102812>.
This bug has a rather LOOONG tradition; see for example
<https://blogs.technet.microsoft.com/asiasupp/2007/05/29/automatic-update-causes-svchost-exe-high-cpu/>.
But this bug is NOT subject of this post -- the story only starts
there...
Since I've dealt with this bug quite some times in the past decade
I know how to overcome it (see for example
<https://skanthak.homepage.t-online.de/slipstream.html>):
1. manually fetch the latest cumulative update for Internet Explorer,
2. install it,
3. then reboot and let "automatic updates" perform their duty again.
Step 1 was simple:
1.a) start the web browser and enter the URL
<https://www.catalog.update.microsoft.com/Search.aspx?q=posready+2009>,
1.b) sort the updates by date,
1.c) find the latest cumulative update for IE,
1.d) then download the executable installer offered for your language.
This left me with the file
ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe
in my "Downloads" folder "C:\Dokumente und Einstellungen\Administrator\Downloads"
Since ALL downloads in the "Microsoft Update Catalog" are offered over
INSECURE HTTP: (see <http://seclists.org/fulldisclosure/2018/Feb/43>)
I checked the integrity of the downloaded executable:
C:\Dokumente und Einstellungen\Administrator\Downloads>CertUtil.exe /V /HashFile
ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe
SHA-1-Hash der Datei ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe:
fd 52 c3 ee 74 9c 7d 21 e0 c8 da 6d 9a cb 20 36 07 e2 5d a4
CertUtil: -hashfile-Befehl wurde erfolgreich ausgeführt.
Good, the SHA1 hash matches the filename (this was shown over the
secure HTTPS: connection to the Microsoft Update Catalog itself).
Right-click->Properties:"Digital signatures", then double-click on
the signature also yields "valid".
Good, lets proceed with step 2: install the downloaded update.
2.a) a double-click on
ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe
presented TWO error message boxes with the following text:
| ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe - Auslagerungsdatei konnte nicht erstellt
werden
|
| (X) Exception Processing Message c0000145 Parameters c0000005 75b0bf7c 75b0bf7c 75b0bf7c
|
| [ OK ]
OUCH!
JFTR: you'll see this GIBBERISH on ALL NON-english editions of
Windows Embedded POSReady 2009 (and Windows XP too)!
For the description and demonstration of this bug in NTDLL.dll,
start reading <https://skanthak.homepage.t-online.de/fubar.html>
Since I know this bug in NTDLL.dll since quite some time, I know
that the "correct" error message box should have been
| ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe - Fehler in Anwendung
|
| (X) Die Anwendung konnte nicht richtig initialisiert werden (0xc0000005).
| Klicken Sie auf "OK", um die Anwendung zu beenden.
|
| [ OK ]
2.b) on english editions of Windows Embedded POSReady 2009, execution of
ie8-windowsxp-kb4343205-x86-embedded-enu_5cc2246031bd0a949785f6f1799610bff163224b.exe
yields the error message box
| ie8-windowsxp-kb4343205-x86-embedded-enu_5cc2246031bd0a949785f6f1799610bff163224b.exe - Application Error
|
| (X) The application failed to initialize properly (0xc0000005).
| Click OK to terminate the application.
|
| [ OK ]
That's an "access violation" during process initialisation.
2.c) Let's run the application under the debugger:
C:\Dokumente und Einstellungen\Administrator\Downloads>NTSD.exe
ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe
Microsoft (R) Windows User-Mode Debugger Version 5.1.2600.0
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "C:\Dokumente und
Einstellungen\Administrator\Downloads\ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe"
Loaded dbghelp extension DLL
Loaded exts extension DLL
Loaded ntsdexts extension DLL
Symbol search path is: SymSrv*SYMSRV.DLL*C:\WINDOWS\Symbols*http://msdl.microsoft.com/download/symbols/Executable search path is:
ModLoad: 01000000 01020000 sfxcab.exe
ModLoad: 7c910000 7c9ca000 ntdll.dll
ModLoad: 7c800000 7c909000 C:\WINDOWS\System32\kernel32.dll
ModLoad: 77be0000 77c38000 C:\WINDOWS\System32\msvcrt.dll
ModLoad: 77da0000 77e4a000 C:\WINDOWS\System32\ADVAPI32.dll
ModLoad: 77e50000 77ee3000 C:\WINDOWS\System32\RPCRT4.dll
ModLoad: 77fc0000 77fd1000 C:\WINDOWS\System32\Secur32.dll
ModLoad: 7e360000 7e3f1000 C:\WINDOWS\System32\USER32.dll
ModLoad: 77ef0000 77f3a000 C:\WINDOWS\System32\GDI32.dll
ModLoad: 5d450000 5d4ea000 C:\WINDOWS\System32\COMCTL32.dll
ModLoad: 7e670000 7ee92000 C:\WINDOWS\System32\SHELL32.dll
ModLoad: 77f40000 77fb7000 C:\WINDOWS\System32\SHLWAPI.dll
Break instruction exception - code 80000003 (first chance)
eax=00181eb4 ebx=7ffd9000 ecx=00000007 edx=00000080 esi=00181f48 edi=00181eb4
eip=7c91120e esp=0006fb20 ebp=0006fc94 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c91120e cc int 3
0:000> g
HEAP[ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe]:
Heap block at 0008AC58 modified at 0008AE08 past requested size of 1a8
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Break instruction exception - code 80000003 (first chance)
eax=0008ac58 ebx=0008ae08 ecx=7c92f927 edx=0006e182 esi=0008ac58 edi=000001a8
eip=7c91120e esp=0006e384 ebp=0006e388 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c91120e cc int 3
0:000> g
HEAP[ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe]:
Invalid Address specified to RtlFreeHeap( 00080000, 0008AC60 )
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Break instruction exception - code 80000003 (first chance)
eax=0008ac58 ebx=0008ac58 ecx=7c92f927 edx=0006e192 esi=00080000 edi=0008ac58
eip=7c91120e esp=0006e39c ebp=0006e3a0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c91120e cc int 3
0:000> g
Access violation - code c0000005 (first chance)
eax=0008ae20 ebx=007d0032 ecx=00080210 edx=00000000 esi=0008ae18 edi=00300033
eip=7c92afa0 esp=0006e0f0 ebp=0006e30c iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
ntdll!RtlAcquireResourceExclusive+5e1:
7c92afa0 8b0b mov ecx,[ebx] ds:0023:007d0032=????????
0:000> gn
HEAP[ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe]:
Heap missing last entry in committed range near 8ae18
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Break instruction exception - code 80000003 (first chance)
eax=0008ae18 ebx=00080640 ecx=7c92f927 edx=0006e559 esi=00080588 edi=0008b148
eip=7c91120e esp=0006e764 ebp=0006e768 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c91120e cc int 3
0:000> gn
Access violation - code c0000005 (first chance)
eax=0008ae20 ebx=007d0032 ecx=000801b0 edx=00000000 esi=0008ae18 edi=00300033
eip=7c92afa0 esp=0006eb64 ebp=0006ed80 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
ntdll!RtlAcquireResourceExclusive+5e1:
7c92afa0 8b0b mov ecx,[ebx] ds:0023:007d0032=????????
0:000> gn
Access violation - code c0000005 (first chance)
eax=00000010 ebx=7ffdf000 ecx=00000100 edx=00000190 esi=77f350e0 edi=01900010
eip=77ef64f1 esp=0006f2f8 ebp=0006f300 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
GDI32!GdiValidateHandle+75:
77ef64f1 38410a cmp [ecx+0xa],al ds:0023:0000010a=??
0:000> gn
Access violation - code c0000005 (first chance)
eax=0006fc54 ebx=00000000 ecx=0006fca8 edx=7c91e514 esi=c0000005 edi=00000000
eip=7c977a96 esp=0006fc54 ebp=0006fca4 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!RtlRaiseStatus+26:
7c977a96 c9 leave
0:000> q
NICE! That looks like a buffer overrun on the heap, and the corrupted
data then yields the "access violation".
2.d) Let's see if I can cure it:
C:\Documents and Settings\Administrator\Downloads>RENAME
ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe ie8-windowsxp-kb4343205-x86-embedded-deu.exe
C:\Documents and Settings\Administrator\Downloads>ie8-windowsxp-kb4343205-x86-embedded-deu.exe
The buffer overrun is gone, the update installs!
If only someone had told the wise guys at Microsoft that MAX_PATH is
260 characters, and that buffers have to be checked for overruns!
What happened to the "trustworthy computing" initiative?
2.e) But WAIT, it's not over yet:
C:\Dokumente und Einstellungen\Administrator\Downloads>ie8-windowsxp-kb4343205-x86-embedded-deu.exe /X
The /X option extracts the payload into an arbitrary directory; the
default is the current directory, i.e.
"C:\Dokumente und Einstellungen\Administrator\Downloads"
This yields the error message box
| Dekomprimierung fehlgeschlagen
|
| (X) Datei ist beschädigt
|
| [ OK ]
WTF? The file is supposed to be corrupt?
It but installed successful, its checksums are correct!
JFTR: without the /X option, the executable self-extractor SFXCAB
creates a directory with a random, up to 32 characters "short"
name in the root directory of the drive with the most free space.
2.f) Let's see whether this error can be cured too by using a shorter path:
C:\Dokumente und Einstellungen\Administrator\Downloads>ie8-windowsxp-kb4343205-x86-embedded-deu.exe /X C:\Windows\Temp
SUCCESS!
| Dekomprimierung abgeschlossen
| ^
| /!\ Dekomprimierung abgeschlossen
| ¯¯¯
| [ OK ]
C:\Dokumente und Einstellungen\Administrator\Downloads>dir C:\Windows\Temp
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 8CDE-6034
Verzeichnis von C:\Windows\Temp
01.09.2018 23:18 <DIR> .
01.09.2018 23:18 <DIR> ..
01.09.2018 23:18 <DIR> SP3QFE
01.09.2018 23:18 <DIR> update
01.02.2018 23:28 18.808 spmsg.dll
01.02.2018 23:28 234.872 spuninst.exe
2 Datei(en) 253.680 Bytes
4 Verzeichnis(se), 8.396.988.416 Bytes frei
stay tuned
Stefan Kanthak
PS: for the other bugs and vulnerabilities in Microsoft's SFXCAB
see <http://seclists.org/fulldisclosure/2016/Jan/48> and/or
<http://seclists.org/fulldisclosure/2018/Jul/72>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists