lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 14 Oct 2021 20:47:54 +0200 From: "Stefan Kanthak" <stefan.kanthak@...go.de> To: <fulldisclosure@...lists.org> Cc: bugtraq@...urityfocus.com Subject: [FD] Defense in depth -- the Microsoft way (part 79): Local Privilege Escalation via Windows 11 Installation Assistant Hi @ll, <https://www.microsoft.com/en-us/software-download/windows11> offers the "Windows 11 Installation Assistant" to unsuspecting users. The link <https://go.microsoft.com/fwlink/?linkid=2171764> underneath the first [Download Now] button forwards to <https://download.microsoft.com/download/3/a/9/3a9e2fe1-96e7-4514-8744-f3a9731f91c7/Windows11InstallationAssistant.exe> | C:\Users\Stefan\Downloads>curl.exe -q -I -L "https://go.microsoft.com/fwlink/?linkid=2171764" | HTTP/1.1 302 Moved Temporarily | Content-Length: 0 | Location: https://download.microsoft.com/download/3/a/9/3a9e2fe1-96e7-4514-8744-f3a9731f91c7/Windows11InstallationAssistant.exe ... | HTTP/1.1 200 OK | Content-Length: 4245056 | Content-Type: application/octet-stream | Content-MD5: CxHl1wKGL9HpY/45rdPqgg== | Last-Modified: Mon, 04 Oct 2021 21:14:30 GMT According to this, Windows11InstallationAssistant.exe is quite new. BUT: | C:\Users\Stefan\Downloads>link.exe /dump /dependents /headers /loadconfig Windows11InstallationAssistant.exe ... | OPTIONAL HEADER VALUES | 10B magic # (PE32) | 14.20 linker version OUCH: the executable was built with an ANCIENT software development kit! JFTR: the Windows 11 Media Creation Tool <https://software-download.microsoft.com/download/pr/888969d5-f34g-4e03-ac9d-1f9786c69161/MediaCreationToolW11.exe> offered on the same web page shows "14.28 linker version", i.e. a current SDK! | Section contains the following load config: | | 000000AC size ... | 0000 Dependent Load Flags OUCH: the unexperienced junior programmers who built the executable exercise "vulnerability at large" instead of "defense in depth"! See <https://docs.microsoft.com/en-us/cpp/build/reference/dependentloadflag> plus <https://skanthak.homepage.t-online.de/detour.html> JFTR: the Windows 11 Media Creation Tool offered on the same web page shows "0800 Dependent Load Flags", i.e. restricts loading of DLLs to Windows' system directory! | Image has the following dependencies: | | ADVAPI32.dll | KERNEL32.dll | USER32.dll | msvcrt.dll | ole32.dll | RPCRT4.dll | SHELL32.dll | SHLWAPI.dll | Cabinet.dll | VERSION.dll | ntdll.dll | PSAPI.DLL | bcrypt.dll OUCH: the executable depends on a bunch of "unknown" DLLs which the NT module loader will fetch from the application directory, typically the user's "Downloads" folder, instead from Windows' system directory! See <https://capec.mitre.org/data/definitions/471.html>, <https://cwe.mitre.org/data/definitions/426.html>, <https://cwe.mitre.org/data/definitions/427.html>, <https://msdn.microsoft.com/en-us/library/ms682586.aspx> and <https://blogs.technet.microsoft.com/srd/2014/05/13/load-library-safely/> | <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> | <security> | <requestedPrivileges> | <requestedExecutionLevel | level="requireAdministrator" OUCH: the executable requires administrator privileges, i.e. the NT module loader will execute the dependent DLLs DllMain() entry points with administrative privileges before it calls the executables WinMain() entry point. Demonstration: ~~~~~~~~~~~~~~ 1. Fetch <https://skanthak.homepage.t-online.de/download/FORWARDX.CAB> (see <https://skanthak.homepage.t-online.de/minesweeper.html> for build instructions) 2. Extract the contents of the directory "10\i386" from within FORWARDX.CAB to your "Downloads" folder. 3. Visit <https://www.microsoft.com/en-us/software-download/windows11>, then fetch the "Windows 11 Installation Assistant" and save it in your "Downloads" folder. 4. Start the downloaded Windows11InstallationAssistant.exe per double-click, answer the UAC prompt and admire the dialog boxes displayed from the following DLLs loaded from the "Downloads" folder: bcrypt.dll PROPSYS.dll (loaded by SHELL32.dll, UNSAFE!) CFGMGR32.dll (loaded by windows.storage.dll, UNSAFE!) edputil.dll VAULTCLI.dll urlmon.dll iertutil.dll srvcli.dll netutils.dll GAME OVER! stay tuned, and far away from such vulnerable crap Stefan Kanthak _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists