lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 14 Oct 2021 20:47:54 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] Defense in depth -- the Microsoft way (part 79): Local
	Privilege Escalation via Windows 11 Installation Assistant

Hi @ll,

<https://www.microsoft.com/en-us/software-download/windows11>
offers the "Windows 11 Installation Assistant" to unsuspecting users.

The link <https://go.microsoft.com/fwlink/?linkid=2171764>
underneath the first [Download Now] button forwards to
<https://download.microsoft.com/download/3/a/9/3a9e2fe1-96e7-4514-8744-f3a9731f91c7/Windows11InstallationAssistant.exe>

| C:\Users\Stefan\Downloads>curl.exe -q -I -L "https://go.microsoft.com/fwlink/?linkid=2171764"
| HTTP/1.1 302 Moved Temporarily
| Content-Length: 0
| Location: https://download.microsoft.com/download/3/a/9/3a9e2fe1-96e7-4514-8744-f3a9731f91c7/Windows11InstallationAssistant.exe
...
| HTTP/1.1 200 OK
| Content-Length: 4245056
| Content-Type: application/octet-stream
| Content-MD5: CxHl1wKGL9HpY/45rdPqgg==
| Last-Modified: Mon, 04 Oct 2021 21:14:30 GMT

According to this, Windows11InstallationAssistant.exe is quite new.
BUT:

| C:\Users\Stefan\Downloads>link.exe /dump /dependents /headers /loadconfig Windows11InstallationAssistant.exe
...
| OPTIONAL HEADER VALUES
|              10B magic # (PE32)
|            14.20 linker version

OUCH: the executable was built with an ANCIENT software development kit!

JFTR: the Windows 11 Media Creation Tool
      <https://software-download.microsoft.com/download/pr/888969d5-f34g-4e03-ac9d-1f9786c69161/MediaCreationToolW11.exe>
      offered on the same web page shows "14.28 linker version",
      i.e. a current SDK!

|  Section contains the following load config:
|
|            000000AC size
...
|                0000 Dependent Load Flags

OUCH: the unexperienced junior programmers who built the executable
      exercise "vulnerability at large" instead of "defense in depth"!

See <https://docs.microsoft.com/en-us/cpp/build/reference/dependentloadflag>
plus <https://skanthak.homepage.t-online.de/detour.html>

JFTR: the Windows 11 Media Creation Tool offered on the same web page
      shows "0800 Dependent Load Flags", i.e. restricts loading of
      DLLs to Windows' system directory!

|  Image has the following dependencies:
|
|    ADVAPI32.dll
|    KERNEL32.dll
|    USER32.dll
|    msvcrt.dll
|    ole32.dll
|    RPCRT4.dll
|    SHELL32.dll
|    SHLWAPI.dll
|    Cabinet.dll
|    VERSION.dll
|    ntdll.dll
|    PSAPI.DLL
|    bcrypt.dll

OUCH: the executable depends on a bunch of "unknown" DLLs which the
      NT module loader will fetch from the application directory,
      typically the user's "Downloads" folder, instead from Windows'
      system directory!

See <https://capec.mitre.org/data/definitions/471.html>,
<https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>,
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> and
<https://blogs.technet.microsoft.com/srd/2014/05/13/load-library-safely/>

|    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
|      <security>
|         <requestedPrivileges>
|            <requestedExecutionLevel
|                level="requireAdministrator"

OUCH: the executable requires administrator privileges, i.e. the
      NT module loader will execute the dependent DLLs DllMain()
      entry points with administrative privileges before it calls
      the executables WinMain() entry point.


Demonstration:
~~~~~~~~~~~~~~

1. Fetch <https://skanthak.homepage.t-online.de/download/FORWARDX.CAB>
   (see <https://skanthak.homepage.t-online.de/minesweeper.html>
   for build instructions)

2. Extract the contents of the directory "10\i386" from within
   FORWARDX.CAB to your "Downloads" folder.

3. Visit <https://www.microsoft.com/en-us/software-download/windows11>,
   then fetch the "Windows 11 Installation Assistant" and save it
   in your "Downloads" folder.

4. Start the downloaded Windows11InstallationAssistant.exe per
   double-click, answer the UAC prompt and admire the dialog boxes
   displayed from the following DLLs loaded from the "Downloads"
   folder:
      bcrypt.dll
      PROPSYS.dll   (loaded by SHELL32.dll, UNSAFE!)
      CFGMGR32.dll  (loaded by windows.storage.dll, UNSAFE!)
      edputil.dll
      VAULTCLI.dll
      urlmon.dll
      iertutil.dll
      srvcli.dll
      netutils.dll
      
GAME OVER!

stay tuned, and far away from such vulnerable crap
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists