Message-ID: <1117E3F0748148CAB8D48BC85FCD9234@H270>
Date: Fri, 2 Apr 2021 23:06:07 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] Defense in depth -- The Microsoft way (part 74): Windows Defender SmartScreen is rather DUMB, it allows denial of service
Hi @ll,
the following is a shortened version of
<https://skanthak.homepage.t-online.de/offender.html#case64021>
With Windows 8, Microsoft introduced Windows Defender SmartScreen as a
replacement for the Attachment Manager introduced with Windows XP SP2
(the first release of Windows after they started Trustworthy Computing).
The Attachment Manager adds an Alternate Data Stream named Zone.Identifier
to files downloaded from the Internet or from other computers, to
attachments stored by mail clients, etc. This so-called "Mark of the Web"
indicates their (untrusted) origin.
With SmartScreen, the "Mark of the Web" can be used to perform a denial of
service.
Demonstration:
~~~~~~~~~~~~~~
1. Compile and link the following minimal Win32 program:
--- dummy.c ---
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>

/* Custom entry point: no C runtime is linked (/NoDefaultLib below), so the
   program does its work and terminates itself with ExitProcess(). */
__declspec(noreturn)
VOID WINAPI wWinMainCRTStartup(VOID)
{
    /* Show the message box and use its return value as the exit code. */
    ExitProcess(MessageBox(HWND_DESKTOP, L"Hello World!", L"Dummy", MB_OK));
}
--- EOF ---
CL.exe /Zl /W4 /GAFy /c dummy.c
LINK.exe /Link /Entry:wWinMainCRTStartup /NoDefaultLib /Release /SubSystem:Windows dummy.obj kernel32.lib user32.lib
2. Execute dummy.exe per double-click: it displays a message box titled
"Dummy" with message text "Hello World!"
3. Add a "Mark of the Web" specifying the Internet zone to dummy.exe:
execute NOTEPAD.exe dummy.exe:Zone.Identifier, answer the question
whether you want to create a new file with [Yes], type the 2 lines
between --- ... ---, close the editor and save the changes:
--- dummy.exe:Zone.Identifier ---
[ZoneTransfer]
ZoneId=3
--- EOF ---
4. Execute dummy.exe per double-click: Windows Defender SmartScreen
displays a warning message titled "Windows protected your PC"
with message text "Windows Defender SmartScreen prevented an
unrecognized app from starting. Running this app might put your
PC at risk. [...]"
After clicking the button [Run anyway] the program executes and
displays its message box.
5. Add a "Mark of the Web" specifying a custom zone to dummy.exe:
execute NOTEPAD.exe dummy.exe:Zone.Identifier, answer the question
whether you want to create a new file with [Yes], type the 2 lines
between --- ... ---, close the editor and save the changes:
--- dummy.exe:Zone.Identifier ---
[ZoneTransfer]
ZoneId=1000
--- EOF ---
6. Execute dummy.exe per double-click: NO REACTION!
The Common Weakness Enumeration classifies such misbehavior,
which here results in a denial of service, as
- CWE-20: Improper Input Validation
<https://cwe.mitre.org/data/definitions/20.html>
- CWE-1284: Improper Validation of Specified Quantity in Input
<https://cwe.mitre.org/data/definitions/1284.html>
- CWE-1286: Improper Validation of Syntactic Correctness of Input
<https://cwe.mitre.org/data/definitions/1286.html>
- CWE-1287: Improper Validation of Specified Type of Input
<https://cwe.mitre.org/data/definitions/1287.html>
The Common Attack Pattern Enumeration and Classification lists it as
- CAPEC-210: Abuse Existing Functionality
<https://capec.mitre.org/data/definitions/210.html>
stay tuned, and far away from such dysfunctional crap
Stefan Kanthak
JFTR: before/without SmartScreen, the Attachment Manager discards
a "Mark of the Web" with unsupported zones, i.e. ZoneId > 4
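As an added example (not part of this post, and not Microsoft's code), here is a small C parser for the text of a Zone.Identifier stream that validates ZoneId the way a consumer of the "Mark of the Web" should: it distinguishes a missing mark, a supported zone (0..4, the URLZONE values from urlmon.h), a numeric but unsupported value such as the 1000 from step 5, and a value that is not a number at all. The `effective_zone()` helper then lets the caller either discard an unsupported mark, as the JFTR says the Attachment Manager does, or fail closed by treating it as the Internet zone. The digits-only rule and the fail-closed policy are this example's own choices, not documented Windows behaviour; the sample streams are constructed strings, and reading the stream from an NTFS file is out of scope here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* URLZONE values from urlmon.h; 0..4 are the only zones Windows defines. */
#define ZONE_LOCAL_MACHINE 0
#define ZONE_INTRANET      1
#define ZONE_TRUSTED       2
#define ZONE_INTERNET      3
#define ZONE_UNTRUSTED     4

typedef enum {
    MOTW_NONE,         /* no [ZoneTransfer]/ZoneId: the file carries no mark */
    MOTW_VALID,        /* ZoneId is a supported zone, 0..4 */
    MOTW_MALFORMED,    /* ZoneId present but not a plain decimal number */
    MOTW_UNSUPPORTED   /* ZoneId is numeric but outside 0..4, e.g. 1000 */
} motw_status;

/* Case-insensitive prefix test (INI section and key names are
   case-insensitive on Windows). */
static int ieq_prefix(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Case-insensitive whole-string equality. */
static int ieq(const char *s, const char *lit)
{
    return ieq_prefix(s, lit) && s[strlen(lit)] == '\0';
}

/* Parse the text of a Zone.Identifier stream. On MOTW_VALID, *zone_out
   receives the zone. Stricter than the Windows INI reader (example's own
   choice): only plain decimal digits are accepted as the ZoneId value. */
motw_status parse_zone_identifier(const char *stream, int *zone_out)
{
    const char *p = stream;
    int in_section = 0;

    while (*p) {
        char line[256];
        size_t n = 0;

        /* Copy one line, terminated by CRLF, LF or end of text. */
        while (*p && *p != '\r' && *p != '\n') {
            if (n < sizeof line - 1)
                line[n++] = *p;
            p++;
        }
        line[n] = '\0';
        while (*p == '\r' || *p == '\n')
            p++;

        /* Drop trailing whitespace; skip blank lines and ';' comments. */
        while (n > 0 && isspace((unsigned char)line[n - 1]))
            line[--n] = '\0';
        if (n == 0 || line[0] == ';')
            continue;

        if (line[0] == '[') {                 /* section header */
            in_section = ieq(line, "[ZoneTransfer]");
            continue;
        }
        if (!in_section || !ieq_prefix(line, "ZoneId="))
            continue;

        /* Validate the value: non-empty, digits only, within 0..4. */
        const char *v = line + 7;
        long value = 0;
        if (*v == '\0')
            return MOTW_MALFORMED;
        for (; *v; v++) {
            if (!isdigit((unsigned char)*v))
                return MOTW_MALFORMED;
            if (value <= 99999)               /* cap so long input cannot overflow */
                value = value * 10 + (*v - '0');
        }
        if (value > ZONE_UNTRUSTED)
            return MOTW_UNSUPPORTED;
        if (zone_out)
            *zone_out = (int)value;
        return MOTW_VALID;
    }
    return MOTW_NONE;
}

/* Policy helper: which zone should an execution-time check act on?
   fail_closed != 0: a malformed or unsupported mark counts as Internet.
   fail_closed == 0: such a mark is dropped (-1), like the Attachment
   Manager does for ZoneId > 4. A file without a mark always yields -1. */
int effective_zone(const char *stream, int fail_closed)
{
    int zone = -1;
    switch (parse_zone_identifier(stream, &zone)) {
    case MOTW_VALID: return zone;
    case MOTW_NONE:  return -1;
    default:         return fail_closed ? ZONE_INTERNET : -1;
    }
}

int main(void)
{
    /* Constructed sample streams mirroring steps 3 and 5 of the demonstration. */
    const char *samples[] = {
        "[ZoneTransfer]\r\nZoneId=3\r\n",      /* Internet zone: warning expected */
        "[ZoneTransfer]\r\nZoneId=1000\r\n",   /* custom zone: the "no reaction" case */
        "[ZoneTransfer]\r\nZoneId=three\r\n",  /* not a number at all */
        "",                                    /* no mark */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int z = -1;
        motw_status s = parse_zone_identifier(samples[i], &z);
        printf("sample %zu: status=%d zone=%d fail-closed zone=%d\n",
               i, (int)s, z, effective_zone(samples[i], 1));
    }
    return 0;
}
```

The point of the two policies is that either is defensible, but "no reaction" is neither: a consumer that cannot make sense of the mark must decide explicitly whether to ignore it or to treat the file as untrusted, rather than silently doing nothing.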
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure