Message-ID: <CAPWzz4zB7QuMsiWCJzZDsX+oooaSF+PVw=mZGYDrj6rHtp9gKA@mail.gmail.com>
Date: Wed, 15 Jan 2020 09:21:50 +0100
From: Imre Rad <radimre83@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] .diagcab directory traversal leading to arbitrary code execution

I identified a flaw in the implementation of Microsoft's
Troubleshooter technology that could lead to remote code execution if
a crafted .diagcab file is opened by the victim. The exploit leverages
a rogue webdav server to trick MSDT into dropping files to attacker-
controlled locations on the file system.

If you see the following pattern in any Windows applications, they
might be vulnerable too:

#include <windows.h>
#include <strsafe.h>

#define MAXPATH 0x104

TCHAR attackerControlledSourcePath[MAXPATH]; // this is the "user input"

TCHAR tempDirectory[MAXPATH];
GetTempPathW(MAXPATH, tempDirectory);

// enumerate every entry under the attacker-controlled directory
TCHAR allFilesFromAttackerControlledSourcePath[MAXPATH];
StringCchPrintfW(allFilesFromAttackerControlledSourcePath, MAXPATH,
                 L"%s\\*.*", attackerControlledSourcePath);

WIN32_FIND_DATAW FindFileData;
HANDLE hFind = FindFirstFileW(allFilesFromAttackerControlledSourcePath, &FindFileData);
if (hFind == INVALID_HANDLE_VALUE)
    return;

do {
   TCHAR srcFile[MAXPATH];
   TCHAR dstFile[MAXPATH];
   StringCchPrintfW(srcFile, MAXPATH, L"%s\\%s",
                    attackerControlledSourcePath, FindFileData.cFileName);
   // cFileName is trusted as a plain leaf name; a name containing "..\"
   // makes dstFile point outside tempDirectory
   StringCchPrintfW(dstFile, MAXPATH, L"%s\\%s", tempDirectory,
                    FindFileData.cFileName);

   CopyFileW(srcFile, dstFile, TRUE);
} while (FindNextFileW(hFind, &FindFileData) != 0);
FindClose(hFind);


The thing is, the FindFirstFile/FindNextFile APIs could return file
entries with path separator character in them; I implemented a rogue
webdav server to demonstrate this:

C:\Projects\diagcab>dir \\127.0.0.1@80\DavWWWRoot\package
Volume in drive \\127.0.0.1@80\DavWWWRoot has no label.
Volume Serial Number is 0000-0000
Directory of \\127.0.0.1@80\DavWWWRoot\package
2017. 07. 12.  11:10    <DIR>          .
2017. 07. 12.  11:10    <DIR>          ..
2017. 07. 12.  10:48            27 648 ..\..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc.exe
1 File(s)         27 648 bytes
2 Dir(s) 251 292 504 064 bytes free



Microsoft refused to fix this issue, so it is recommended to stay away
from this file type.

You can find the full write up and the online demo project here:

https://medium.com/@radimre83/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd

And the source files here:

https://www.github.com/irsl/microsoft-diagcab-rce-poc/

Imre

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
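The pattern above fails because the leaf name returned by the enumeration is joined onto the destination directory without validation. The following is an added example, not code from the post or from the linked PoC repository, showing the check a defender would put in front of that join: a portable C routine (no Windows headers, so it builds anywhere) that rejects any returned name which is empty, is "." or "..", or contains a path separator, a drive or stream colon, or a control character, and a wrapper that only builds the destination path when the name passes. The function names `is_safe_leaf_name` and `build_dest_path` and the sample names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Return 1 if `name` is a plain file name that can safely be joined under a
 * fixed directory, 0 otherwise. A directory listing served by a rogue WebDAV
 * server can hand back names like "..\..\Startup\calc.exe", so anything that
 * is not a single path component is rejected before it reaches the join. */
int is_safe_leaf_name(const wchar_t *name)
{
    if (name == NULL || name[0] == L'\0')
        return 0;
    if (wcscmp(name, L".") == 0 || wcscmp(name, L"..") == 0)
        return 0;
    for (const wchar_t *p = name; *p != L'\0'; p++) {
        if (*p == L'\\' || *p == L'/')   /* either Windows separator */
            return 0;
        if (*p == L':')                  /* "C:foo" or NTFS stream syntax */
            return 0;
        if (*p < 0x20)                   /* control characters */
            return 0;
    }
    return 1;
}

/* Build "dir\name" into `out` only when `name` passes is_safe_leaf_name.
 * Returns 0 on success, -1 when the name is rejected or the result would
 * not fit in `cap` characters (the buffer is then left empty). */
int build_dest_path(wchar_t *out, size_t cap, const wchar_t *dir, const wchar_t *name)
{
    if (out == NULL || cap == 0)
        return -1;
    if (!is_safe_leaf_name(name)) {
        out[0] = L'\0';
        return -1;
    }
    /* C99 swprintf returns a negative value when the output is truncated */
    int n = swprintf(out, cap, L"%ls\\%ls", dir, name);
    if (n < 0 || (size_t)n >= cap) {
        out[0] = L'\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* constructed sample names: one benign, one modelled on the listing above */
    const wchar_t *names[] = {
        L"calc.exe",
        L"..\\..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\calc.exe",
    };
    wchar_t dst[260];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (build_dest_path(dst, 260, L"C:\\Temp", names[i]) == 0)
            wprintf(L"copy to   %ls\n", dst);
        else
            wprintf(L"rejected  %ls\n", names[i]);
    }
    return 0;
}
```

The check is deliberately an allow-list on the shape of a single path component rather than a search for the literal string "..": a name that merely contains a separator already points somewhere other than the intended directory, whether or not it climbs upward.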