Date: Fri, 2 Apr 2021 23:06:07 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] Defense in depth -- The Microsoft way (part 74): Windows Defender SmartScreen is rather DUMB, it allows denial of service

Hi @ll,

the following is a shortened version of
<https://skanthak.homepage.t-online.de/offender.html#case64021>

With Windows 8, Microsoft introduced Windows Defender SmartScreen as
replacement for the Attachment Manager introduced with Windows XP SP2
(the first release of Windows after they started Trustworthy Computing).

The Attachment Manager adds an Alternate Data Stream named Zone.Identifier
to files downloaded from the Internet or other computers, attachments
stored by mail clients etc. as so-called "Mark of the Web" to indicate
their (untrusted) origin.

With SmartScreen, the "Mark of the Web" allows performing a denial of
service.

Demonstration:
~~~~~~~~~~~~~~

1. Compile and link the following minimal Win32 program:

--- dummy.c ---
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>

/* Custom entry point: no CRT, so the program consists of the message box
   and the ExitProcess() call only (the smallest possible test subject). */
__declspec(noreturn)
VOID WINAPI wWinMainCRTStartup(VOID)
{
   ExitProcess(MessageBox(HWND_DESKTOP, L"Hello World!", L"Dummy", MB_OK));
}
--- EOF ---

   CL.exe /Zl /W4 /GAFy /c dummy.c
   LINK.exe /Entry:wWinMainCRTStartup /NoDefaultLib /Release /SubSystem:Windows dummy.obj kernel32.lib user32.lib

2. Execute dummy.exe per double-click: it displays a message box titled
   "Dummy" with message text "Hello World!"

3. Add a "Mark of the Web" specifying the Internet zone to dummy.exe:
   execute NOTEPAD.exe dummy.exe:Zone.Identifier, answer the question
   whether you want to create a new file with [Yes], type the 2 lines
   between --- ... ---, close the editor and save the changes:

--- dummy.exe:Zone.Identifier ---
[ZoneTransfer]
ZoneId=3
--- EOF ---

4. Execute dummy.exe per double-click: Windows Defender SmartScreen
   displays a warning message titled "Windows protected your PC"
   with message text "Windows Defender SmartScreen prevented an
   unrecognized app from starting, Running this app might put your
   PC at risk. [...]"

   After clicking the button [Run anyway] the program executes and
   displays its message box.

5. Add a "Mark of the Web" specifying a custom zone to dummy.exe:
   execute NOTEPAD.exe dummy.exe:Zone.Identifier, answer the question
   whether you want to create a new file with [Yes], type the 2 lines
   between --- ... ---, close the editor and save the changes:

--- dummy.exe:Zone.Identifier ---
[ZoneTransfer]
ZoneId=1000
--- EOF ---

6. Execute dummy.exe per double-click: NO REACTION!
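The input validation SmartScreen is missing, as an added example that is not part of the advisory: a small Python audit script that reads the Zone.Identifier stream of each file under a directory, accepts only the five documented URL security zones (URLZONE values 0 through 4), and reports an unsupported value such as the ZoneId=1000 from step 5 or a non-numeric ZoneId instead of silently refusing to run the file. The two sample streams are constructed from steps 3 and 5; reading the stream via the `file:Zone.Identifier` path syntax assumes an NTFS volume on Windows, and on other systems that open simply fails and the file counts as unmarked.

```python
"""Audit Zone.Identifier ("Mark of the Web") streams.

Added example, not code from the advisory. It checks the ZoneId the way a
defender would want SmartScreen to: only the five documented URL security
zones (urlmon.h URLZONE_* values 0..4) count as a valid mark; anything else
is reported rather than silently swallowed.
"""
import configparser
import os
import sys

# The five URL security zones Windows defines (URLZONE_* in urlmon.h).
KNOWN_ZONES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

STREAM_NAME = "Zone.Identifier"

# Constructed sample streams mirroring steps 3 and 5 of the advisory.
SAMPLE_INTERNET = "[ZoneTransfer]\r\nZoneId=3\r\n"
SAMPLE_CUSTOM = "[ZoneTransfer]\r\nZoneId=1000\r\n"


def classify_mark(text):
    """Classify the contents of a Zone.Identifier stream.

    Returns a dict with
      status   : "known"       -> ZoneId is one of the five URL zones
                 "unsupported" -> an integer, but no such zone exists (the
                                  case SmartScreen mishandles)
                 "malformed"   -> not INI text, no [ZoneTransfer]/ZoneId,
                                  or a ZoneId that is not an integer
      zone_id  : the parsed integer, or None
      zone_name: the zone's name for "known", else None
    """
    # Real streams also carry HostUrl/ReferrerUrl keys; URLs contain '%',
    # so interpolation must be off or configparser rejects them.
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error:
        return {"status": "malformed", "zone_id": None, "zone_name": None}

    raw = parser.get("ZoneTransfer", "ZoneId", fallback=None)
    if raw is None:
        return {"status": "malformed", "zone_id": None, "zone_name": None}
    try:
        zone_id = int(raw.strip())
    except ValueError:
        return {"status": "malformed", "zone_id": None, "zone_name": None}

    if zone_id in KNOWN_ZONES:
        return {"status": "known", "zone_id": zone_id,
                "zone_name": KNOWN_ZONES[zone_id]}
    return {"status": "unsupported", "zone_id": zone_id, "zone_name": None}


def read_mark(path):
    """Return the Zone.Identifier stream of `path`, or None if it has none.

    Assumes an NTFS volume on Windows, where `file:stream` opens an
    alternate data stream; elsewhere the open fails and None is returned.
    """
    try:
        with open(f"{path}:{STREAM_NAME}", "r", encoding="utf-8",
                  errors="replace") as stream:
            return stream.read()
    except OSError:
        return None


def audit_directory(root):
    """Walk `root` and yield (path, verdict) for every file carrying a mark."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            text = read_mark(path)
            if text is not None:
                yield path, classify_mark(text)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Report only the marks SmartScreen would mishandle.
        for path, verdict in audit_directory(sys.argv[1]):
            if verdict["status"] != "known":
                print(f"{path}: {verdict['status']} ZoneId={verdict['zone_id']}")
    else:
        for sample in (SAMPLE_INTERNET, SAMPLE_CUSTOM):
            print(repr(sample), "->", classify_mark(sample))
```

Run it with a directory argument on Windows to list files whose mark would make SmartScreen refuse to start them without any message; without an argument it classifies the two constructed samples (ZoneId=3 is reported as the Internet zone, ZoneId=1000 as unsupported).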

The Common Weaknesses and Exposures classifies such misbehavior,
which here results in a denial of service, as
- CWE-20: Improper Input Validation
  <https://cwe.mitre.org/data/definitions/20.html>
- CWE-1284: Improper Validation of Specified Quantity in Input
  <https://cwe.mitre.org/data/definitions/1284.html>
- CWE-1286: Improper Validation of Syntactic Correctness of Input
  <https://cwe.mitre.org/data/definitions/1286.html>
- CWE-1287: Improper Validation of Specified Type of Input
  <https://cwe.mitre.org/data/definitions/1287.html>

The Common Attack Pattern Enumeration and Classification lists it as
- <https://capec.mitre.org/data/definitions/210.html>
  CAPEC-210: Abuse Existing Functionality

stay tuned, and far away from such dysfunctional crap
Stefan Kanthak

JFTR: before/without SmartScreen, the Attachment Manager discards
      a "Mark of the Web" with unsupported zones, i.e. ZoneId > 4

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
