Date: Thu, 14 Oct 2021 20:47:54 +0200
From: "Stefan Kanthak" <>
To: <>
Subject: [FD] Defense in depth -- the Microsoft way (part 79): Local Privilege Escalation via Windows 11 Installation Assistant

Hi @ll,

offers the "Windows 11 Installation Assistant" to unsuspecting users.

The link <>
underneath the first [Download Now] button forwards to

| C:\Users\Stefan\Downloads>curl.exe -q -I -L ""
| HTTP/1.1 302 Moved Temporarily
| Content-Length: 0
| Location:
| HTTP/1.1 200 OK
| Content-Length: 4245056
| Content-Type: application/octet-stream
| Content-MD5: CxHl1wKGL9HpY/45rdPqgg==
| Last-Modified: Mon, 04 Oct 2021 21:14:30 GMT

According to this, Windows11InstallationAssistant.exe is quite new.

| C:\Users\Stefan\Downloads>link.exe /dump /dependents /headers /loadconfig Windows11InstallationAssistant.exe
|              10B magic # (PE32)
|            14.20 linker version

OUCH: the executable was built with an ANCIENT software development kit!

JFTR: the Windows 11 Media Creation Tool
      offered on the same web page shows "14.28 linker version",
      i.e. a current SDK!

|  Section contains the following load config:
|            000000AC size
|                0000 Dependent Load Flags

OUCH: the inexperienced junior programmers who built the executable
      exercise "vulnerability at large" instead of "defense in depth"!

See <>
plus <>

JFTR: the Windows 11 Media Creation Tool offered on the same web page
      shows "0800 Dependent Load Flags", i.e. restricts loading of
      DLLs to Windows' system directory!
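As an added example (not part of this post), the following Python helper reads the same load config field that "link.exe /dump /loadconfig" prints above, so the check can be scripted over a folder of downloads: dependent_load_flags() returns the DependentLoadFlags word of a PE32 or PE32+ image, and restricts_dll_search() tells whether LOAD_LIBRARY_SEARCH_SYSTEM32 (0x0800) is set. build_sample_pe() constructs a minimal synthetic image for testing; it is not a real binary, and the field offsets 0x36/0x4E are those of IMAGE_LOAD_CONFIG_DIRECTORY32/64.

```python
import struct
LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x0800      # the "0800 Dependent Load Flags" value quoted above
LOAD_CONFIG_DIR = 10                       # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG

def dependent_load_flags(data):
    """Return the load config's DependentLoadFlags word, or None if the image has no such field."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0": raise ValueError("not a PE image")
    _, nsect, _, _, _, opt_size = struct.unpack_from("<HHIIIH", data, e_lfanew + 4)  # COFF header
    opt = e_lfanew + 24                                    # optional header
    magic = struct.unpack_from("<H", data, opt)[0]         # 0x10B = PE32, 0x20B = PE32+
    if magic not in (0x10B, 0x20B): raise ValueError("unsupported optional header magic 0x%x" % magic)
    pe32 = magic == 0x10B
    ndirs_off = opt + (92 if pe32 else 108)                # NumberOfRvaAndSizes
    if struct.unpack_from("<I", data, ndirs_off)[0] <= LOAD_CONFIG_DIR: return None
    lc_rva = struct.unpack_from("<I", data, ndirs_off + 4 + 8 * LOAD_CONFIG_DIR)[0]
    if lc_rva == 0: return None                            # no load config at all
    for i in range(nsect):                                 # map the RVA through the section table
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        if vaddr <= lc_rva < vaddr + max(vsize, raw_size):
            lc = raw_ptr + lc_rva - vaddr
            break
    else:
        raise ValueError("load config RVA not backed by any section")
    field = 0x36 if pe32 else 0x4E                         # offset of DependentLoadFlags (WORD)
    if struct.unpack_from("<I", data, lc)[0] < field + 2: return None  # Size: old load configs stop earlier
    return struct.unpack_from("<H", data, lc + field)[0]

def restricts_dll_search(data):
    """True when the loader is told to resolve dependent DLLs from System32 only."""
    flags = dependent_load_flags(data)
    return flags is not None and bool(flags & LOAD_LIBRARY_SEARCH_SYSTEM32)

def build_sample_pe(flags, pe32=True):
    """Constructed minimal PE image (not a real binary): one section holding a load config."""
    opt_len = 224 if pe32 else 240                         # optional header with 16 directories
    opt = bytearray(opt_len)
    struct.pack_into("<H", opt, 0, 0x10B if pe32 else 0x20B)
    ndirs = 92 if pe32 else 108
    struct.pack_into("<I", opt, ndirs, 16)
    struct.pack_into("<II", opt, ndirs + 4 + 8 * LOAD_CONFIG_DIR, 0x1000, 0xAC)  # load config dir
    sect = bytearray(40)                                   # ".rdata": RVA 0x1000 -> file offset 0x200
    struct.pack_into("<8sIIII", sect, 0, b".rdata", 0x200, 0x1000, 0x200, 0x200)
    lc = bytearray(0x200)
    struct.pack_into("<I", lc, 0, 0xAC)                    # Size, as in the dump above
    struct.pack_into("<H", lc, 0x36 if pe32 else 0x4E, flags)
    hdr = bytearray(0x40); hdr[:2] = b"MZ"; struct.pack_into("<I", hdr, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_len, 0x102)
    return bytes((hdr + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0") + lc)
```

Run restricts_dll_search(open(path, "rb").read()) over every .exe in a Downloads folder to list the ones that, like the Installation Assistant, leave the field at 0000.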

|  Image has the following dependencies:
|    ADVAPI32.dll
|    KERNEL32.dll
|    USER32.dll
|    msvcrt.dll
|    ole32.dll
|    RPCRT4.dll
|    SHELL32.dll
|    SHLWAPI.dll
|    Cabinet.dll
|    VERSION.dll
|    ntdll.dll
|    bcrypt.dll

OUCH: the executable depends on a bunch of "unknown" DLLs which the
      NT module loader will fetch from the application directory,
      typically the user's "Downloads" folder, instead of from Windows'
      system directory!

See <>,
<> and

|    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
|      <security>
|         <requestedPrivileges>
|            <requestedExecutionLevel
|                level="requireAdministrator"

OUCH: the executable requires administrator privileges, i.e. the
      NT module loader will execute the dependent DLLs' DllMain()
      entry points with administrative privileges before it calls
      the executable's WinMain() entry point.


1. Fetch <>
   (see <>
   for build instructions)

2. Extract the contents of the directory "10\i386" from within
   FORWARDX.CAB to your "Downloads" folder.

3. Visit <>,
   then fetch the "Windows 11 Installation Assistant" and save it
   in your "Downloads" folder.

4. Start the downloaded Windows11InstallationAssistant.exe per
   double-click, answer the UAC prompt and admire the dialog boxes
   displayed from the following DLLs loaded from the "Downloads" folder:
      PROPSYS.dll   (loaded by SHELL32.dll, UNSAFE!)
      CFGMGR32.dll  (loaded by, UNSAFE!)

stay tuned, and far away from such vulnerable crap
Stefan Kanthak

Sent through the Full Disclosure mailing list