[FD] Defense in depth -- the Microsoft way (part 87): shipping more rotten software to billions of unsuspecting customers

2024-04-24 Thread Stefan Kanthak
aph: | .NET Framework Defense in Depth Vulnerability | This security update addresses an issue where version of the | OSS zlib library is out of date. stay tuned, and far away from crap built with ROTTEN components Stefan Kanthak PS: to preserve your mental health, don't run the following co

[FD] Defense in depth -- the Microsoft way (part 86): shipping rotten software to billions of unsuspecting customers

2023-10-16 Thread Stefan Kanthak
... | "curl.exe","8.0.1.0","30-Sep-2023","20:15","445,952" ... | "curl.exe","8.0.1.0","30-Sep-2023","20:15","498,688" ... | "curl.exe","8.0.1.0",

[FD] Defense in depth -- the Microsoft way (part 85): escalation of privilege plus remote code execution with HVCISCAN.exe

2023-06-07 Thread Stefan Kanthak
NUL: \\SERVER\SHARE\arbitrary.dll c) Run HVCISCAN_amd64.exe or HVCISCAN_arm64.exe and admire the error message that a required DLL or an entry point is not found. Building \\SERVER\SHARE\arbitrary.dll with the exports required by HVCIScan-a??64.exe to actually load and execute arbitrary.dll

[FD] Defense in depth -- the Microsoft way (part 84): (no) fun with %COMSPEC%

2023-03-24 Thread Stefan Kanthak
Hi @ll, the documentation of the builtin START command of Windows NT's command processor CMD.EXE states: | When you run a command that contains the string "CMD" as the first | token without an extension or path qualifier, "CMD" is replac

[FD] Defense in depth -- the Microsoft way (part 83): instead to fix even their most stupid mistakes, they spill barrels of snakeoil to cover them (or just leave them as-is)

2023-03-16 Thread Stefan Kanthak
nder blocks the execution of FoDHelper.exe Spoiler: installation of another anti-virus, for example McAfee, Bitdefender, Eset, Sophos, Avira, AVG/Avast, TrendMicro, deactivates Windows Defender and lets FoDHelper.com run an arbitrary application elevated, without UAC prompt.

[FD] Defense in depth -- the Microsoft way (part 82): INVALID/BOGUS AppLocker rules disable SAFER on Windows 11 22H2

2023-02-22 Thread Stefan Kanthak
Hi @ll, in Windows 11 22H2. some imbeciles from Redmond added the following (of course WRONG and INVALID) registry entries and keys which they dare to ship to their billion world-wide users: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Srp\Gp] "RuleCount"=dword:0002 "LastWriteTime"=he

[FD] Defense in depth -- the Microsoft way (part 81): enabling UTF-8 support breaks existing code

2023-02-14 Thread Stefan Kanthak
€€ (i.e. 87 or more of the 123 characters from above) present, both FindFirstFile() and FindNextFile() FAIL with the previously impossible, NEVER encountered Win32 error code 234 alias ERROR_MORE_DATA: wfd.cFile

[FD] Defense in depth -- the Microsoft way (part 80): 25 (in words: TWENTY-FIVE) year old TRIVIAL bug crashes CMD.exe

2022-05-10 Thread Stefan Kanthak
pon invocation (unless started with the switch /D): [HKEY_CURRENT_USER\Software\Microsoft\Command Processor] "AutoRun"="SET /A ~2147483647 % ~0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor] "AutoRun"="SET /A ~2147483647 % ~0" stay tuned Stefan Kanthak

[FD] Defense in depth -- the Microsoft way (part 79): Local Privilege Escalation via Windows 11 Installation Assistant

2021-10-19 Thread Stefan Kanthak
er the UAC prompt and admire the dialog boxes displayed from the following DLLs loaded from the "Downloads" folder: bcrypt.dll PROPSYS.dll (loaded by SHELL32.dll, UNSAFE!) CFGMGR32.dll (loaded by windows.storage.dll, UNSAFE!) edputil.dll VAULTCLI.dll urlmon.d

fulldisclosure@seclists.org

2021-10-19 Thread Stefan Kanthak
://curl.se/docs/releases.html> and <https://curl.se/docs/vulnerabilities.html> Most obviously Microsoft's processes are so bad that they can't build a current version and have to ship ROTTEN software instead! stay tuned, and far away from such poorly maintained crap Stefan Kanth

[FD] Defense in depth -- the Microsoft way (part 77): access without access permission

2021-05-18 Thread Stefan Kanthak
ar for immediate servicing. For more information, please see the | Microsoft Security Servicing Criteria for Windows | (https://aka.ms/windowscriteria). | | However, we've marked your finding for future review as an opportunity | to improve our products. I do not have a timeline for this rev

[FD] Defense in depth -- The Microsoft way (part 76): arbitrary code execution WITH elevation of privilege in user-writable directories below %SystemRoot%

2021-04-30 Thread Stefan Kanthak
ECHO !ERRORLEVEL!)) BINGO: GAME OVER! UAC performs auto-elevation at least in the directories C:\Windows\System32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ and C:\Windows\System32\Tasks_Migrated\; a copy of PrintUI.exe run in these directories loads/executes

[FD] Defense in depth -- the Microsoft way (part 75): Bypass of SAFER alias Software Restriction Policies NOT FIXED

2021-04-30 Thread Stefan Kanthak
as loaded instead of the real %SystemRoot%\System32\PrintUI.dll The Common Weaknesses and Exposures classifies such misbehavior, which results in arbitrary code execution (here with escalation of privilege), as - CWE-426: Untrusted Search Path <https://cwe.mitre.org/data/definitio

[FD] Executable installers are vulnerable^WEVIL (case 61): arbitrary code execution WITH escalation of privilege via Intel WiFi drivers

2021-04-23 Thread Stefan Kanthak
3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H Demonstration: ~~ 0. Log on with an arbitrary user account. 1. Save the following source as poc.c in an arbitrary directory: --- poc.c --- // Copyright (C) 2004-2021, Stefan Kanthak #define STRICT #define UNICODE #define WIN32_LEA

[FD] Defense in depth -- The Microsoft way (part 74): Windows Defender SmartScreen is rather DUMP, it allows denial of service

2021-04-06 Thread Stefan Kanthak
t <https://cwe.mitre.org/data/definitions/1287.html> The Common Attack Pattern Enumeration and Classification lists it as - <https://capec.mitre.org/data/definitions/210.html> CAPEC-210: Abuse Existing Functionality stay tuned, and far away from such dysfunctional crap Stefan Kant

[FD] CVE-2018-3635 revisited: executable installers are vulnerable^WEVIL (case 60): again arbitrary code execution WITH escalation of privilege via Intel Rapid Storage Technology User Interface and Dr

2021-03-23 Thread Stefan Kanthak
ight (C) 2004-2021, Stefan Kanthak #define STRICT #define UNICODE #define WIN32_LEAN_AND_MEAN #include const STARTUPINFO si = {sizeof(si)}; __declspec(safebuffers) BOOL WINAPI _DllMainCRTStartup(HANDLE hModule, DWORD dwReason,

[FD] Defense in depth -- the Microsoft way (part 73): ignorance (of security advisories) is bliss!

2021-03-09 Thread Stefan Kanthak
tml> Proof to demonstrate the vulnerability in a bunch of system DLLs 1. Save the following source as capec-471.c in an arbitrary, preferable empty directory: --- capec-471.c --- // Copyleft (C) 2004-2021 Stefan Kanthak, #include __declspec(noretu

[FD] Unholy CRAP: Mozilla's executable installers

2021-03-09 Thread Stefan Kanthak
s:(I)(F) | AMNESIAC\Stefan:(I)(F) | | Successfully processed 2 files; Failed processing 0 files Ouch: NSIS too uses the "Temp" directory to create a subdirectory and extract executable files it tries to load

[FD] Defense in depth -- the Microsoft way (part 72): "compatibility" trumps security

2021-03-05 Thread Stefan Kanthak
%SystemRoot%\Temp\ShFolder.dll and %SystemRoot%\Temp\NvStInst.exe runs under the SYSTEM account this vulnerability results in escalation of privilege: GAME OVER! stay tuned, and far away from executable installers Stefan Kanthak PS: the response from NVIDIA was: driver is end-of-life PPS: the

[FD] Defense in depth -- the Microsoft way (part 68): where compatibility means vulnerability

2020-12-18 Thread Stefan Kanthak
xe /DLL /DYNAMICBASE /ENTRY:_DllMainCRTStartup /EXPORT:SystemFunction036 /EXPORT:SystemFunction040 /EXPORT:SystemFunction041 /NODEFAULTLIB /NXCOMPAT /RELEASE /SUBSYSTEM:Windows CRYPTBASE.obj USER32.lib 5. Repeat step 2, and notice the message boxes displayed from CRYPTSP.dll and CRYPTBASE

[FD] Defense in depth -- the Microsoft way (part 70): CVE-2014-0315 alias MS14-019 revisited

2020-07-24 Thread Stefan Kanthak
fault installation of Windows XP or any newer version, start the command processor CMD.EXE and run the following commands: SET COMSPEC=%SystemRoot%\System32\Reg.exe ASSOC | CALL ECHO | FTYPE SET | More.com ... Why does the command processor execute the EXTERNAL command specified in the environment v

[FD] Defense in depth -- the Microsoft way (part 69): security remarks are as futile as the qUACkery!

2020-06-05 Thread Stefan Kanthak
R\Software\Microsoft\Windows\CurrentVersion\App Paths] when running elevated with a split token on older versions of Windows! stay tuned and far away from software riddled with beginner's errors Stefan Kanthak PS: compare the behaviour of ShellExecute() to that of COM, as documented in <

[FD] Defense in depth -- the Microsoft way (part 68): qUACkery is futile!

2020-06-05 Thread Stefan Kanthak
\share\malware.exe" /F REG.EXE ADD "HKEY_CURRENT_USER\Software\Microsoft\Command Processor" /V "AutoRun" /T REG_SZ "ERASE /F /Q /S ""%USERPROFILE%""" /F stay tuned, and far away from "protected" accounts and split tokens! Stefan K

[FD] Defense in depth -- the Microsoft way (part 67): we maintain 20 year old bugs since we don't care about our customers safety and security

2020-04-14 Thread Stefan Kanthak
EM\CurrentControlSet\Control\SessionManager\Environment" /V TEMP /T REG_EXPAND_SZ /D ^%USERPROFILE^%\AppData\Local\Temp /F REG.exe ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\Environment" /V TMP /T REG_EXPAND_SZ /D ^%USERPROFILE^%\AppData\Local\Tem

[FD] Defense in depth -- the Microsoft way (part 66): attachment manager allows to load arbitrary DLLs

2020-03-31 Thread Stefan Kanthak
-bit installations of Windows XP and newer versions of Windows. Mitigation: ~~~ Use AppLocker or SAFER alias Software Restriction Policies: see <https://skanthak.homepage.t-online.de/SAFER.html> stay tuned, and NEVER use Windows without SAFER or AppLocker Stefan Kanthak

Re: [FD] Defense in depth -- the Microsoft way (part 64): Windows Defender loads and executes arbitrary DLLs

2020-03-31 Thread Stefan Kanthak
OfficeAntiVirus interface to initiate an "on-demand" scan; "realtime" scans initiated via the file system filter driver of the anti-malware platform are NOT affected. regards Stefan > On 2020-03-27 15:27, Stefan Kanthak wrote: >> in September 2017, Microsoft relocate

[FD] Defense in depth -- the Microsoft way (part 65): unsafe, easy to redirect paths all over

2020-03-27 Thread Stefan Kanthak
AV's utility process and defeating your design! | Utility processes are also more restricted than the browser process | generally so this is another win in addition to the process decoupling. OUCH³! There is NO decoupled process involved! The demonstration runs an arbitrary DLL in the process of

[FD] Defense in depth -- the Microsoft way (part 64): Windows Defender loads and executes arbitrary DLLs

2020-03-27 Thread Stefan Kanthak
's utility process and defeats your design! | Utility processes are also more restricted than the browser process | generally so this is another win in addition to the process decoupling. OUCH³! There is NO decoupled process involved! The demonstration runs an arbitrary DLL in the process of any web browser, any mail/news client, any instant messenger and file explorer as well, credentials of the current user, UNRESTRICTED. | As such, we are closing this case. Mitigation: ~~~ Use AppLocker or SAFER alias Software Restriction Policies: see <https://skanthak.homepage.t-online.de/SAFER.html> stay tuned, and far away from so-called "security software" Stefan Kanthak ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Defense in depth -- the Microsoft way (part 63): program defaults, settings, policies ... and (un)trustworthy computing

2020-03-13 Thread Stefan Kanthak
REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Policies /S 2. For every policy registry entry found check that a corresponding setting registry entry is evaluated by the program or component which uses the policy registry entry, and whether this setting registry entry eventually exists. stay t

Re: [FD] Defense in depth -- the Microsoft way (part 62): Windows shipped with end-of-life components

2020-03-03 Thread Stefan Kanthak
; to know what the dependencies on these are and for whom is it convenient > that they are always there. That's just the icing on the cake. stay tuned Stefan > -Original Message- > From: Fulldisclosure On Behalf Of > Stefan Kanthak > Sent: Monday, February 24, 202

[FD] Defense in depth -- the Microsoft way (part 62): Windows shipped with end-of-life components

2020-02-28 Thread Stefan Kanthak
y) and CRT applications too! Additionally see the MSKB article <https://support.microsoft.com/en-us/help/2977003/the-latest-supported-visual-c-downloads> which does NOT even list the MSVCRT 2005 any more! stay tuned, and FAR AWAY from untrustworthy and insecure software like .NET

[FD] Executable installers are vulnerable^WEVIL (case 58): Intel® Processor Identification Utility - Windows* Version - arbitrary code execution with escalation of privilege

2020-01-31 Thread Stefan Kanthak
from Windows Installer due to non-executable DLLs written in the %TEMP% directory! Timeline: = 2019-07-17 first vulnerability report sent to vendor 2019-07-18 Intel's PSIRT opens case #2208018370 2019-07-28 Intel's

[FD] [CVE-2019-20358] CVE-2019-9491 in Trend Micro Anti-Threat Toolkit (ATTK) was NOT properly FIXED

2020-01-31 Thread Stefan Kanthak
definitions/732.html>, <https://cwe.mitre.org/data/definitions/377.html>, <https://cwe.mitre.org/data/definitions/379.html> and <https://capec.mitre.org/data/definitions/29.html> stay tuned, and FAR AWAY from so-called security products: their "security" is typicall

[FD] Defense in depth -- the Microsoft way (part 61): security features are built to fail (or documented wrong)

2020-01-31 Thread Stefan Kanthak
box and the exit code is 0xC135 alias STATUS_DLL_NOT_FOUND, which is the expected behaviour if /DEPENDENTLOADFLAG:0x800 would work as documented and limit the DLL search path to %SystemRoot%\System32\ stay tuned, and don't trust unverified or incomplete documentation St

[FD] Mozilla's MSI installers: FUBAR (that's spelled "fucked-up beyond all repair")

2019-07-09 Thread Stefan Kanthak
ser account, who can tamper with the extracted files in any way, then runs (here: tries to run) the extracted "%TEMP%\7zS<8 hex digits>\setup.exe" elevated. stay tuned, and FAR away from Mozilla's crap! Stefan Kanthak

[FD] Defense in depth -- the Microsoft way (part 60): same old sins and incompetence!

2019-02-26 Thread Stefan Kanthak
uring Windows setup, every UNPRIVILEGED (non-elevated) program running under this account can write to %TEMP%\IXP000.tmp, for example a rogue MSI.dll, and exercise again an "escalation of privilege". GAME OVER, third time! stay tuned (and far away from so-called "security soluti

[FD] Defense in depth -- the Microsoft way (part 59): we only fix every other vulnerability

2019-01-18 Thread Stefan Kanthak
in the previous step in the printed output. 8. run the command lines to register VBE7.dll, MSOSIP.DLL and MSOSIPX.dll: notice the message boxes displayed from the previously built DLLs! REGSVR32.exe "%ProgramFiles%\vbe7.dll" REGSVR32.exe "%ProgramFiles%\msosip.dll"

[FD] Escalation of privilege with Intel Rapid Storage User Interface

2018-11-20 Thread Stefan Kanthak
p! 2. Practice STRICT privilege separation: use your privileged "Administrator" account (especially the account created during Windows setup) ONLY for administrative tasks, and COMPLETELY separate unprivileged user accounts, with elevation requests DISABLED, for your everyday/r

[FD] [CVE-2018-3635] Executable installers are vulnerable^WEVIL (case 59): arbitrary code execution WITH escalation of privilege via Intel Rapid Storage Technology User Interface and Driver

2018-11-16 Thread Stefan Kanthak
ept: ~~~ 1. add the NTFS access control list entry (D;OIIO;WP;;;WD) meaning "deny execution of files in this directory for everyone, inheritable to all subdirectories" to the (user's) %TEMP% directory. NOTE: this does NOT need administr

[FD] Executable installers are vulnerable^WEVIL (case 57): arbitrary code execution WITH escalation of privilege via Intel Extreme Tuning Utility

2018-09-28 Thread Stefan Kanthak
o all subdirectories" to the (user's) %TEMP% directory. NOTE: this does NOT need administrative privileges! 2. execute XTU-Setup.exe: notice the message box displaying the failure of the installation about 3/4 way through. STAY FAR AWAY FROM INTEL'S VULNERABLE CRAPWARE! s

[FD] Defense in depth -- the Microsoft way (part 57): installation of security updates fails on Windows Embedded POSReady 2009

2018-09-04 Thread Stefan Kanthak
mp 01.09.2018 23:18 . 01.09.2018 23:18 .. 01.09.2018 23:18 SP3QFE 01.09.2018 23:18 update 01.02.2018 23:28 18.808 spmsg.dll 01.02.2018 23:28 234.872

[FD] Defense in depth -- the Microsoft way (part 57): all the latest MSVCRT installers allow escalation of privilege

2018-08-21 Thread Stefan Kanthak
st.x86.exe loads the rogue DLLs copied by the second batch script, executing their entry point routines with ELEVATED rights: GAME OVER! Mitigation: ~~~ * DONT use executable installers! * NEVER run executable installers in unsafe environments! Fix: * DUMP executable installers, use *.MSI or *.INF plus *.CAB! stay tuned Stefan Kanthak

[FD] Executable installers are vulnerable^WEVIL (case 56): arbitrary code execution WITH escalation of privilege via rufus*.exe

2018-08-03 Thread Stefan Kanthak
ommand prompt, and the complete failure of this crap. Demonstration/proof of concept #2c: --- 1. Add the NTFS ACE "(D;OIIO;WP;;;WD)" meaning "deny execution of files in this directory for everyone, inheritable to files in subdirectories"

[FD] Executable installers are vulnerable^WEVIL (case 55): escalation of privilege with VMware Player 12.5.9

2018-08-02 Thread Stefan Kanthak
trator" account (especially the account created during Windows setup) ONLY for administrative tasks, and COMPLETELY separate unprivileged user accounts, with elevation requests DISABLED. for your daily/regular work. stay tuned Stefan Kanthak PS: also see <http://seclists.org/bugtr

[FD] CVE-2016-7085 NOT fixed in VMware-player-12.5.9-7535481.exe

2018-08-02 Thread Stefan Kanthak
per.html> and build a minefield of 32-bit forwarder DLLs in your "Downloads" directory; 2. download <https://download3.vmware.com/software/player/file/VMware-player-12.5.9-7535481.exe>, and save it in your "Downloads" directory; 3. execute VMware-p

[FD] Defense in depth -- the Microsoft way (part 56): 10+ year old security update installers are susceptible to 20+ year old vulnerability

2018-07-20 Thread Stefan Kanthak
on WITH escalation of privilege. Mitigations: 1. DON'T use executable installers; stay far away from such crap! 2. NEVER run executable installers from UNSAFE directories like "%USERPROFILE%\Downloads\" or "%TEMP%\" 3. Exercise STRICT privilege separation: use your

[FD] Defense in depth -- the Microsoft way (part 55): new software built with 5.5 year old tool shows 20+ year old vulnerabilities

2018-07-20 Thread Stefan Kanthak
executable installers from UNSAFE directories like "%USERPROFILE%\Downloads\" or "%TEMP%\" 3. Exercise STRICT privilege separation: use your privileged "Administrator" account (especially the account created during Windows setup) only for administrative tasks, and a COMPLETELY separate unprivileged "standard user" account for your own tasks. stay tuned Stefan Kanthak

[FD] [CVE-2018-3667, CVE-2018-3668] Escalation of privilege via executable installer of Intel Processor Diagnostic Tool

2018-07-06 Thread Stefan Kanthak
qualified filename to execute/load an application or a DLL, ALWAYS specify their fully qualified pathname! Mitigations: 1. DON'T execute executable self-extractors. 2. NEVER execute executable self-extractors with administrative privileges. 3. extract the payload of th

[FD] [ADV170017] Defense in depth -- the Microsoft way (part 54): escalation of privilege during installation of Microsoft Office 20xy

2018-05-08 Thread Stefan Kanthak
e from MSDN or (via <http://www.office.com/backup>) from <https://go.microsoft.com/fwlink/p/?LinkID=403713> 3. notice the message boxes displayed from the DLLs saved in %TEMP%! stay tuned Stefan Kanthak PS: be sure to read <https://portal.msrc.microsoft.com/en-US/securit

[FD] Defense in depth -- the Microsoft way (part 53): our MSRC doesn't know how Windows handles PATH

2018-04-13 Thread Stefan Kanthak
into the category of PATH directories | DLL planting are treated as won't fix. OUCH! The MSRC also ignores the fact that CHDIR "" START is equivalent to adding "" in front of the PATH! JFTR: loading of DLLs from the CWD can be disabled via [HKEY_LOCAL_M

Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM

2018-02-27 Thread Stefan Kanthak
d Microsoft's epic failures in this case, including my reply to the false statements of Microsoft's Ellen Kilbourne. Stefan > On Tue, 20 Feb 2018 at 18:31, Stefan Kanthak > wrote: > >> "Jeffrey Walton" wrote: >> >> > On Fri, Feb 9, 2018 at 1:01

[FD] Mozilla's executable installers: FUBAR (that's spelled "fucked-up beyond all repair")

2018-02-20 Thread Stefan Kanthak
re.org/data/definitions/379.html> Fix: Dump those FOREVER defective executable installers for Windows! Provide an .MSI, or an .INF script plus a .CAB. Windows ships since more than 22 years with SetupAPI which uses .INF scripts, and since about 18 years with the

Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM

2018-02-20 Thread Stefan Kanthak
"Jeffrey Walton" wrote: > On Fri, Feb 9, 2018 at 1:01 PM, Stefan Kanthak > wrote: [ http://seclists.org/fulldisclosure/2018/Feb/33 ] > Not sure if this is related, but: > https://winbuzzer.com/2018/02/14/microsoft-just-killed-skype-classic-response-unfixable-security-b

[FD] Defense in depth -- the Microsoft way (part 52): HTTP used to distribute (security) updates, not HTTPS

2018-02-14 Thread Stefan Kanthak
HOUGH the server catalog.update.microsoft.com [*] supports HTTPS! JFTR: even if you browse the "Microsoft Update Catalog" via <https://www.catalog.update.microsoft.com/Home.aspx> [#], ALL download links published there use HTTP, not HTTPS! That's trustworthy computi

[FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM

2018-02-09 Thread Stefan Kanthak
https://blogs.technet.microsoft.com/srd/2014/05/13/load-library-safely/> ... which their own developers and their QA but seem to ignore! See <https://bugs.chromium.org/p/project-zero/issues/detail?id=440> for the same vulnerability in another Microsoft product! stay tuned Stefan Kant

[FD] Defense in depth -- the Microsoft way (part 50); Windows Update shoves unsafe crap as "important" updates to unsuspecting users

2018-02-06 Thread Stefan Kanthak
"BlockNetFramework461"=dword:0001 "BlockNetFramework462"=dword:0001 "BlockNetFramework47"=dword:0001 "BlockNetFramework471"=dword:0001 --- EOF --- To block earlier versions, see the MSKB articles <https://support.microsoft

[FD] Defense in depth -- the Microsoft way (part 49): fun with application manifests

2018-01-30 Thread Stefan Kanthak
ERROR_SXS_CANT_GEN_ACTCTX Replacing US-ASCII with UTF-7, ISO-8859-1, Windows-1252 or any other valid XML encoding except UTF-8 yields the same result. stay tuned Stefan Kanthak

[FD] AMD's buddies for Intel's FDIV bug: _llrem and _ullrem yield wrong remainders!

2017-12-01 Thread Stefan Kanthak
Prior versions of this guide, available for example from <http://www.ii.uib.no/~osvik/amd_opt/22007k.pdf> or <https://en.wikichip.org/w/images/5/5f/AMD_Athlon_Processor_x86_Code_Optimization_Guide.pdf>, show this bug only in the _llrem routine! stay tuned Stefan Kanthak

[FD] Executable installers are vulnerable^WEVIL (case 54): escalation of privilege with PostgreSQL installers for Windows

2017-10-10 Thread Stefan Kanthak
See the PE/COFF specification: | Import Directory Table ... | The import directory table consists of an array of import directory | entries, one entry for each DLL to which the image refers. Mitigations: * Don't build executable installers, they are almost always vulnerab

[FD] R.I.P. Kaspersky Privacy Cleaner: withdrawn due to multiple beginner's errors which allow escalation of privilege

2017-09-11 Thread Stefan Kanthak
te checker/installer uses the same insecure procedure ~~~~~ Once installed, Kaspersky Privacy Cleaner checks for updates just like CleanerSetup.exe via insecure channel, downloads them via insecure channel, performs no integrity checks,

[FD] Executable installers are vulnerable^WEVIL (case 53): escalation of privilege with QNAP's installers for Windows

2017-08-18 Thread Stefan Kanthak
;WP;;;WD)" meaning "deny execution of files in this directory and all subdirectories" to the NTFS ACL of every %TEMP% directory! JFTR: when execution in %TEMP% is denied, the defective installer display a dialog box with the blatant lie "QSync is running.

[FD] Defense in depth -- the Microsoft way (part 48): privilege escalation for dummies -- they didn't make SUCH a stupid blunder?

2017-07-07 Thread Stefan Kanthak
ations-and-elevated-processes-with-uac-on-windows-vista-sp1/ > <https://blogs.msdn.microsoft.com/cjacks/2008/07/22/per-user-com-registrations-and-elevated-processes-with-uac-on-windows-vista-sp1- part-2-ole-automation/> Mitigations: * dump .NET Framework and all applications that use

[FD] [CVE-2017-5688] Executable installers are vulnerable^WEVIL (case 52): Intel installation framework allows arbitrary code execution with escalation of privilege

2017-06-02 Thread Stefan Kanthak
age.t-online.de/sentinel.html>, then download <https://skanthak.homepage.t-online.de/skanthak/download/SENTINEL.DLL> and save it in an arbitrary directory; 2. save the following batch script in the same directory: --- IIF.CMD --- :WAIT @If Not Exist "%TEMP%\

[FD] Executable installers are vulnerable^WEVIL (case 51): escalation of privilege with Microsoft's Azure Recovery Services Agent

2017-05-29 Thread Stefan Kanthak
om/en-us/security/2269637> and <https://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx> * also see <https://skanthak.homepage.t-online.de/verifier.html> and <https://skanthak.homepage.t-online.de/!execute.html> stay tuned Stefan Kanthak Timeline: ~

[FD] Executable installers are vulnerable^Wdefective^WEVIL (case 49): xampp-win32-7.1.1-0-VC14-installer.exe allows escalation of privilege

2017-05-05 Thread Stefan Kanthak
e PE/COFF specification: | Import Directory Table ... | The import directory table consists of an array of import directory | entries, one entry for each DLL to which the image refers. Mitigations: * Don't build executable installers, they are almost always vulnerable! C

[FD] Executable installers are vulnerable^WEVIL (case 49): 1Password-4.6.1.619.exe allows arbitrary code execution

2017-04-07 Thread Stefan Kanthak
s "write Xor execute" in the NTFS file system: allow execution only below %SystemRoot% and %ProgramFiles% and deny it everywhere else. See <http://mechbgon.com/srp/index.html> or <http://home.arcor.de/skanthak/SAFER.html> alias <https://skanthak.homepage.t-onlin

Re: [FD] Defense in depth -- the Microsoft way (part 47): "AppLocker bypasses are not serviced via monthly security roll-ups"

2017-03-28 Thread Stefan Kanthak
pcert.html>, read it and get the prebuilt DLLs plus their .INF setup script, packaged in a .CAB archive. enjoy Stefan Kanthak

[FD] Defense in depth -- the Microsoft way (part 47): "AppLocker bypasses are not serviced via monthly security roll-ups"

2017-03-24 Thread Stefan Kanthak
efault: ; } // the return value is only used for PROCESS_CREATION_QUERY, // all other conditions are ignored return ntStatus; } --- EOF --- stay tuned Stefan Kanthak Timeline: ~ 2017-03-10 sent vulnerability report to vendor 2017-03-10 reply from vendor:

[FD] Defense in depth -- the Microsoft way (part 46): no checks for common path handling errors in "Application Verifier"

2017-03-24 Thread Stefan Kanthak
r.html> for an "Application Verifier Provider" which performs the missing checks. stay tuned Stefan Kanthak [°] introduced with Windows XP some 16 years ago, available via <https://www.microsoft.com/en-us/download/details.aspx?id=20028> as stand-alone package then, la

[FD] Executable installers are defective^WEVIL (case 2): innosetup-5.5.9.exe and innosetup-5.5.9-unicode.exe

2017-03-06 Thread Stefan Kanthak
n the VERSIONINFO resource is 0x, despite the english only strings "This installation was built with Inno Setup." in "Comments", "Inno Setup Setup" in "FileDescription" etc. 7. the timestamp in the PE header of innosetup-5.5.9.exe is 0x2A425E19, whi

[FD] Executable installers are defective^WEVIL (case 1): putty-0.68-installer.exe

2017-03-05 Thread Stefan Kanthak
"This installation was built with Inno Setup." in "Comments", "PuTTY Setup" in "FileDescription" and "Release 0.68" in "FileVersion". 7. the timestamp in the PE header of putty-0.68-installer.exe is 0x2A425E19, which is

[FD] "long" filenames mishandled by Fujitsu's ScanSnap software

2017-02-16 Thread Stefan Kanthak
<https://msdn.microsoft.com/en-us/library/ms682425.aspx#Security_Remarks> JFTR: Microsoft introduced "long" filenames more than 20 years ago. Stay away from the crapware shipped with Fujitsu's scanners! stay tuned Stefan Kanthak Timeline: ~ 2017-01-28 vulnerability r

[FD] Executable installers are vulnerable^WEVIL (case 48): SumatraPDF-3.1.2-installer.exe allows escalation of privilege

2017-02-07 Thread Stefan Kanthak
in this directory for everyone, inheritable to all files in all subdirectories" (use CACLS.EXE /S: for example); * Use "software restriction policies" resp. AppLocker. Consider to apply either/both to every "%USERPROFILE%" as well as "%ALLUSERSPROFILE%"

[FD] Executable installers are vulnerable^WEVIL (case 47): Heimdal Security's SetupLauncher vulnerable to DLL hijacking

2017-01-31 Thread Stefan Kanthak
mechbgon.com/srp/index.html> or <http://home.arcor.de/skanthak/SAFER.html> alias <https://skanthak.homepage.t-online.de/SAFER.html> for more information. * Stay FAR away from so-called "security" products! See (for example) <http://robert.ocallahan.org/2017/01/disabl

Re: [FD] Executable installers are vulnerable^WEVIL (case 46): Pelles C allows arbitrary code execution

2017-01-24 Thread Stefan Kanthak
ias <https://skanthak.homepage.t-online.de/verifier.html> JFTR: <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/> was referred in <http://seclists.org/bugtraq/2016/Jan/105> In short: setup.exe lets Windows load some app-compat shims. stay tuned Stefan > O

[FD] Executable installers are vulnerable^WEVIL (case 46): Pelles C allows arbitrary code execution

2017-01-22 Thread Stefan Kanthak
t-online.de/!execute.html> for more information. * Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%"; use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode it to "deny execution of files in this directory for everyone, inherita

[FD] Executable installers are vulnerable^WEVIL (case 44): SoftMaker's FlexiPDF installers allow escalation of privilege

2017-01-15 Thread Stefan Kanthak
r account(s) created during Windows setup which use the same "%TEMP%" for unprivileged and privileged processes! * Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%"; use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode it to

[FD] Executable installers are vulnerable^WEVIL (case 45): ReadPDF's installers allow escalation of privilege

2017-01-03 Thread Stefan Kanthak
DF.INF" /m TinyPDF /r LPT3: (see <https://technet.microsoft.com/en-us/library/ee624057.aspx>) * DISM.exe /Image: /Add-Driver /Driver:"\TINYPDF.INF" ... (see <https://technet.microsoft.com/en-us/library/dd744355.aspx>) * DPInst.exe ... which I but DON'T recommend! (see

[FD] Executable installers are vulnerable^WEVIL (case 43): SoftMaker's Office service pack installers allow escalation of privilege

2017-01-03 Thread Stefan Kanthak
s) created during Windows setup which use the same "%TEMP%" for unprivileged and privileged processes! * Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%"; use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode it to "de

[FD] Executable installers are vulnerable^WEVIL (case 42): SoftMaker's FreeOffice installer allows escalation of privilege

2016-12-29 Thread Stefan Kanthak
Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%"; use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode it to "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories". stay tun

[FD] Executable installers are vulnerable^WEVIL (case 41): EmsiSoft's Emergency Kit allows elevation of privilege for everybody

2016-11-18 Thread Stefan Kanthak
on directory" (which is writable for everyone) too. And one more: 6. the OpenSSL libraries shipped are from version 1.0.2d and have multiple vulnerabilities which have been fixed in version 1.0.2j. stay tuned Stefan Kanthak Timeline: ~ 2016-08-29 vulnerability report sent t

[FD] Defense in depth -- the Microsoft way (part 45): filesystem redirection fails to redirect the application directory

2016-10-20 Thread Stefan Kanthak
otice that the 32-bit forwarder DLLs are loaded in the 64-bit process and that their exports/forwards are processed properly! Their DllMain() entry points are but NOT called (if they were you'd see some message boxes)! stay tuned Stefan Kanthak PS: the test whether 64-bit forwarder

[FD] Defense in depth -- the Microsoft way (part 44): complete failure of Windows Update

2016-10-19 Thread Stefan Kanthak
Aux: 7.6.7600.320 ... | 2016-10-06 22:23:05:184 860 dec Setup SelfUpdate handler update NOT required: Current version: 7.6.7600.320, required version: 7.6.7600.320 See <http://home.arcor.de/skanthak/slipstream.html> for instructions for a fix and some more information! stay tuned Stefa

[FD] Defense in depth -- the Microsoft way (part 43): restricting the DLL load order fails

2016-09-08 Thread Stefan Kanthak
ControlSet\Control\Session Manager\KnownDLLs] "Version"="Version.Dll" * embed the following "application manifest" in your executables: CAVEAT: the loadFrom attribute of the file element is not documented! stay tuned Stefan Kanthak Timeline: ~

[FD] Executable installers are vulnerable^WEVIL (case 40): Avira's full package installers allow escalation of privilege

2016-08-31 Thread Stefan Kanthak
e message boxes displayed from the DLLs and EXE placed in "%TEMP%\RarSFX0\" by POC.CMD PWNED! Mitigations: * Don't use executable installers! NEVER! * Don't use crapware which runs executables from unsafe directories like %TEMP%! * Add an ACE "(D;OIIO;WP

[FD] Executable installers are vulnerable^WEVIL (case 39): MalwareBytes' "junkware removal tool" allows escalation of privilege

2016-08-16 Thread Stefan Kanthak
notice the message boxes displayed from the *.COM. PWNED! Mitigations: * Don't use executable installers! * Don't use crapware which runs executables from unsafe directories like %TEMP%! * Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; u

[FD] Defense in depth -- the Microsoft way (part 42): Sysinternals utilities load and execute rogue DLLs from %TEMP%

2016-08-12 Thread Stefan Kanthak
d an ACE "(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode it to "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories". stay tuned Stef

[FD] Executable installers are vulnerable^WEVIL (case 38): Microsoft's Windows10Upgrade*.exe allows elevation of privilege

2016-08-12 Thread Stefan Kanthak
cryptsp, rpcrtremote, api-ms-win-downlevel-shlwapi-l2-1-0, sxs, propsys, apphelp, secur32, uxtheme, msls31, oleacc, d2d1, dwrite, dxgi, dwmapi, dxgidebug, d3d11, d3d10warp, mlang, winmm, slc, iphlpapi, dnsapi, dhcpcsvc, midimap, wer) Do Copy sen

[FD] Defense in depth -- the Microsoft way (part 41): vulnerable by (poor implementation of bad) design

2016-07-25 Thread Stefan Kanthak
Don't use "protected" administrator accounts, NEVER! * Disable the default user account created during Windows setup, or demote it to a standard user account. * Always use standard user accounts with DISABLED UAC-elevation. * Practice STRICT privilege separation: UAC is a VE

[FD] Executable installers are vulnerable^WEVIL (case 37): eclipse-inst-win*.exe vulnerable to DLL redirection and manifest hijacking

2016-07-25 Thread Stefan Kanthak
to your own host with UNC paths to any host reachable from your network where you placed some malicious DLLs to get pwned instead. 5. Execute the downloaded installers. PWNED! 6. Add the element from poc#5 to achieve remote code execution with (user-assisted) escalation of privilege. 7. Execute the downloaded installers. PWNED²! stay tuned Stefan Kanthak

[FD] [CVE-2016-1014, CVE-2016-4247] Executable installers are vulnerable^WEVIL (case 35): Adobe's Flash Player (un)installers

2016-07-12 Thread Stefan Kanthak
ey load(ed) and execute(d) later with elevated privileges. An unprivileged user can/could overwrite both files between creation and execution and gain elevation of privilege. See <https://cwe.mitre.org/data/definitions/379.html> for this type of well-known and well-documented vulnerability! s

[FD] Executable installers are vulnerable^WEVIL (case 34): Microsoft's vs-community-*.exe susceptible to DLL hijacking

2016-07-06 Thread Stefan Kanthak
oft.com/library/security/MS16-041> and <https://www.securify.nl/advisory/SFY20160201/_net_framework_4_6_allows_side_loading_of_windows_api_set_dll.html> for a similar vulnerability. stay tuned Stefan Kanthak Timeline: ~ 2016-06-01 sent vulnerability report to vendor plus US-CE

[FD] [CVE-2016-1014] Escalation of privilege via executable (un)installers of Flash Player

2016-06-18 Thread Stefan Kanthak
m Adobe's web site and save them in your "Downloads" directory; 3. run the (un)installers downloaded in step 2 and notice the message boxes displayed from the DLLs placed in step 1. PWNED! JFTR: since the (un)installers are 32-bit programs and (un)install both the 32-bit an

[FD] [CVE-2014-1520] NOT FIXED: privilege escalation via Mozilla's executable installers

2016-06-15 Thread Stefan Kanthak
illa's vulnerable executable installers! PWNED! Mitigation(s): ~~ 0. don't use executable installers. DUMP THEM, NOW! 1. see <http://home.arcor.de/skanthak/!execute.html> as well as <http://home.arcor.de/skanthak/SAFER.html>. 2. stay away from Mozilla

[FD] Defense in depth -- the Microsoft way (part 40): seven+ year old "blended" threat still alive and kicking

2016-06-01 Thread Stefan Kanthak
RC: your communication habit is GREAT, once again! NOT! Mitigation(s): ~~ Deny execution in the "%USERPROFILE%" of every user plus "%ALLUSERSPROFILE%" alias "%ProgramData%" * via the inheritable NTFS ACE (D;OIIO;WP;;;WD) meaning "deny execution

[FD] Mozilla doesn't care for upstream security fixes, and doesn't bother to send own security fixes upstream

2016-05-03 Thread Stefan Kanthak
ersions of this vulnerable executable installer for Firefox and Firefox ESR. See <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/> why you should NEVER name any executable (installer) setup.exe! stay tuned Stefan Kanthak PS: Mozilla fixed the same vulnerabilities in their executable s

[FD] Executable installers are vulnerable^WEVIL (case 33): GData's installers allow escalation of privilege

2016-04-20 Thread Stefan Kanthak
api rasadhlp ntmarta ntshrui cscapi slc windowscodecs apphelp mpr userenv schannel credssp secur32 gpapi samcli) Do MkLink /H "%TEMP%\{1C2DF59B-0172-4ECB-9A25-7597A4A26A96}\%%!.dll" "%~dpn0.dll" --- EOF --- 4. run the batch script per double-click: it starts the dow

[FD] Executable installers are vulnerable^WEVIL (case 32): Comodo's installers allow arbitrary (remote) code execution WITH escalation of privilege

2016-03-23 Thread Stefan Kanthak
ice the message boxes displayed from the DLLs placed in step 1. PWNED! See <http://seclists.org/fulldisclosure/2015/Nov/101> and <http://seclists.org/fulldisclosure/2015/Dec/86> as well as <http://home.arcor.de/skanthak/!execute.html> and <http://home.arcor.de/skanthak/se

[FD] Executable installers are vulnerable^WEVIL (case 31): MalwareBytes' installers allow arbitrary (remote) code execution WITH escalation of privilege

2016-03-09 Thread Stefan Kanthak
ulldisclosure/2015/Dec/33 plus <http://home.arcor.de/skanthak/!execute.html> and <http://home.arcor.de/skanthak/sentinel.html> for details about this well-known and well-documented BEGINNER'S error! regards Stefan Kanthak PS: I really LOVE (security) software with such trivial b

[FD] Executable installers are vulnerable^WEVIL (case 30): clamwin-0.99-setup.exe allows arbitrary (remote) code execution WITH escalation of privilege

2016-03-09 Thread Stefan Kanthak
ldisclosure/2015/Nov/101>, <http://seclists.org/fulldisclosure/2015/Dec/86> and <http://seclists.org/fulldisclosure/2015/Dec/32> plus <http://home.arcor.de/skanthak/!execute.html> and <http://home.arcor.de/skanthak/sentinel.html> for details about this well-known and well-documented BE
