RE: [FD] Executable installers are vulnerable^WEVIL (case 56): arbitrary code execution WITH escalation of privilege via rufus*.exe
- To: Stefan Kanthak <stefan.kanthak@xxxxxxxx>, "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: RE: [FD] Executable installers are vulnerable^WEVIL (case 56): arbitrary code execution WITH escalation of privilege via rufus*.exe
- From: Andrius Duksta <duk@xxxxxxxxxxxxx>
- Date: Mon, 6 Aug 2018 17:16:57 +0000
Sorry, but the viable/practical attack vector on this one is practically
non-existent. I really can't see anyone actually using this as a real-life
attack. The circumstances required to succeed are such that if this attack
works, it's waaay too late to blame Rufus as your system was obviously already
compromised in other ways.
-----Original Message-----
From: Fulldisclosure [mailto:fulldisclosure-bounces@xxxxxxxxxxxx] On Behalf Of
Stefan Kanthak
Sent: Friday, 3 August 2018 16:16
To: bugtraq@xxxxxxxxxxxxxxxxx
Cc: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Executable installers are vulnerable^WEVIL (case 56): arbitrary
code execution WITH escalation of privilege via rufus*.exe
Hi @ll,
like their predecessors, the recently (2018-05-29, 2018-06-19) published
versions 3.0 and 3.1 of "Rufus" are riddled with bloody beginners errors, which
ALL allow arbitrary code execution WITH escalation of privilege, in MULTIPLE
ways.
JFTR: to support and ease further attacks, this crap is built
without ASLR and without stack cookies/canaries!
<https://msdn.microsoft.com/en-us/library/bb430720.aspx>
Vulnerability #1
================
rufus-3.0.exe, rufus-3.0p.exe, rufus-3.1.exe and rufus-3.1p.exe are susceptible
to DLL spoofing alias DLL search order hijacking: on a fully patched Windows 7,
they load at least the following Windows system DLLs from their "application
directory", typically the user's "Downloads" directory
%USERPROFILE%\Downloads\, instead of from the Windows "system directory"
%SystemRoot%\System32\, resulting in arbitrary code execution:
DWMAPI.dll, UXTheme.dll, Version.dll, CryptSP.dll, NCrypt.dll,
BCrypt.dll, RichEd20.dll, DSRole.dll, LogonCli.dll, DFSCli.dll,
SAMCli.dll, DSRole.dll
For this well-known and well-documented vulnerability see
<https://cwe.mitre.org/data/definitions/426.html> and
<https://cwe.mitre.org/data/definitions/427.html> plus
<https://capec.mitre.org/data/definitions/471.html>.
Additionally see Microsoft's developer guidance
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx>,
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> and
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>
to avoid this bloody beginner's error.
Also see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>
and
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
plus
<https://insights.sei.cmu.edu/cert/2016/06/bypassing-application-whitelisting.html>
for "prior art".
And last but not least the 20+ year old
<http://fy.chalmers.se/~appro/nt/nsaguide.pdf>
Since the clueless developer specified "requireAdministrator" in the embedded
application manifest, his crap can only be run with administrative privileges,
resulting in arbitrary code execution WITH escalation of privilege.
Demonstration/proof of concept #1:
----------------------------------
1. Follow the instructions from
<https://skanthak.homepage.t-online.de/minesweeper.html>
and build a testbed/minefield of 32-bit DLLs in your
"Downloads" directory.
2. Download <https://rufus.akeo.ie/downloads/rufus-3.0.exe> and
<https://rufus.akeo.ie/downloads/rufus-3.0p.exe> and save them
in your "Downloads" directory.
3. Run rufus-3.0.exe and rufus-3.0p.exe: notice the message boxes
displayed from multiple DLLs created in step 1!
4. Download <https://rufus.akeo.ie/downloads/rufus-3.1.exe> and
<https://rufus.akeo.ie/downloads/rufus-3.1p.exe> and save them
in your "Downloads" directory.
5. Run rufus-3.1.exe and rufus-3.1p.exe: notice the message boxes
displayed from at least DSROLE.DLL created in step 1!
JFTR: if you don't see a message box: open the event log and view
the entries from source "Vulnerability and Exploit Detector".
Fix:
~~~~
DUMP the executable installer, DUMP the portable crap, provide an .MSI, or a
.CAB plus an .INF script.
Mitigations:
~~~~~~~~~~~~
See <https://skanthak.homepage.t-online.de/!execute.html>
Vulnerability #2
================
Although running with administrative privileges, this crap extracts files
UNPROTECTED [1] into the "current working directory" for later execution (and
into the user's %TEMP% directory for later use).
For this well-known and well-documented vulnerability see
<https://cwe.mitre.org/data/definitions/377.html> and
<https://cwe.mitre.org/data/definitions/379.html> plus
<https://capec.mitre.org/data/definitions/29.html>
An unprivileged user/process running in the same user account [2] can modify
the extracted files between their creation and use, and can even create bogus
files instead, which this crap then executes.
Remember that it runs with administrative rights!
Demonstration/proof of concept #2a:
-----------------------------------
1. Open a command prompt, then run the following command lines:
MKDIR "%SystemDrive%\CRAPWARE"
COPY %COMSPEC% rufus.com
ATTRIB.exe +R rufus.com
2. Run the following command line:
"%USERPROFILE%\Downloads\rufus-3.1.exe"
Notice the string "rufus.com\n" pasted into the command prompt
window (really: into the window which happens to have focus) and
the copy of the command processor started.
3. Run the following command line:
"%USERPROFILE%\Downloads\rufus-3.1p.exe"
Again notice the string "rufus.com\n" pasted into the command
prompt window, and the subsequent dialog box stating that
another instance of this crap is already running.
Demonstration/proof of concept #2b:
-----------------------------------
1. Run the following command lines in the still open command
prompt:
ATTRIB.exe -R rufus.com
ERASE rufus.com
SET NoDefaultCurrentDirectoryInExePath=*
2. Run the command lines
"%USERPROFILE%\Downloads\rufus-3.1.exe"
"%USERPROFILE%\Downloads\rufus-3.1p.exe"
3. Notice the error messages
| "rufus.com" is not recognized as an internal or external command,
| operable program or batch file.
from the command prompt, and the complete failure of this crap.
Demonstration/proof of concept #2c:
-----------------------------------
1. Add the NTFS ACE "(D;OIIO;WP;;;WD)" meaning "deny execution of
files in this directory for everyone, inheritable to files in
subdirectories" to the current working directory
%SystemDrive%\CRAPWARE.
2. Run the vulnerable applications: notice their complete failure,
they neither display their window nor any error message!
3. View the access rights of the file "rufus.com" created in the
CWD.
stay tuned, and FAR AWAY from such vulnerable and defective crap
Stefan Kanthak
[1] on Windows, every developer past absolute beginner uses the
fourth argument of CreateFile()
<https://msdn.microsoft.com/en-us/library/aa363858.aspx>
or the second argument of CreateDirectory()
<https://msdn.microsoft.com/en-us/library/aa363855.aspx>
to specify a "security descriptor" with the desired and needed
access rights, at least and especially when running privileged.
[2] the ONE and ONLY user account created during Windows setup is an
administrator account, and it is used by the vast majority of
Windows users for their everyday work: according to Microsoft's
own telemetry data, as published in their "Security Intelligence
Reports" <https://www.microsoft.com/security/sir/default.aspx>
about 1/2 to 3/4 of all (some 600 million) Windows installations
report only one active user account.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
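Added here as a worked example (not code from either post, nor from the Rufus project): a read-only PowerShell audit that reports the properties the report cites for a downloaded executable, namely the DllCharacteristics flags for ASLR, NX/DEP, high-entropy VA and CFG, the Load Config SecurityCookie that /GS stack cookies require, and whether the embedded manifest contains "requireAdministrator". Offsets follow the PE/COFF specification; scanning %USERPROFILE%\Downloads at the end is an assumption about where the files were saved.

```powershell
# Added example, not code from either post: a read-only audit of the hardening the
# report says rufus*.exe lacks. All offsets follow the PE/COFF specification.
function Get-PeHardening {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "not an MZ executable: $Path" }
    $pe = [BitConverter]::ToInt32($b, 0x3C)                           # e_lfanew -> "PE\0\0"
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { throw "no PE signature: $Path" }
    $nsec  = [BitConverter]::ToUInt16($b, $pe + 6)
    $opt   = $pe + 24                                                 # optional header after the 20-byte COFF header
    $pe64  = ([BitConverter]::ToUInt16($b, $opt) -eq 0x20B)           # 0x10B = PE32, 0x20B = PE32+
    $dllch = [BitConverter]::ToUInt16($b, $opt + 70)                  # DllCharacteristics (same offset in PE32 and PE32+)
    # Data directory 10 is IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG; the table starts at opt+96 (PE32) / opt+112 (PE32+)
    $lcRva  = [BitConverter]::ToUInt32($b, $opt + $(if ($pe64) { 112 } else { 96 }) + 10 * 8)
    $cookie = [uint64]0
    if ($lcRva -ne 0) {
        $sec = $opt + [BitConverter]::ToUInt16($b, $pe + 20)          # section table follows SizeOfOptionalHeader
        for ($i = 0; $i -lt $nsec; $i++) {
            $h  = $sec + 40 * $i
            $va = [BitConverter]::ToUInt32($b, $h + 12)               # VirtualAddress
            $vs = [BitConverter]::ToUInt32($b, $h + 8)                # VirtualSize
            if ($lcRva -ge $va -and $lcRva -lt ($va + $vs)) {
                # SecurityCookie is at +60 (LOAD_CONFIG_DIRECTORY32) or +88 (LOAD_CONFIG_DIRECTORY64); non-zero means /GS
                $off = [BitConverter]::ToUInt32($b, $h + 20) + ($lcRva - $va) + $(if ($pe64) { 88 } else { 60 })
                if ($off + 8 -le $b.Length) {
                    $cookie = if ($pe64) { [BitConverter]::ToUInt64($b, $off) } else { [uint64][BitConverter]::ToUInt32($b, $off) }
                }
                break
            }
        }
    }
    # The application manifest is stored as plain UTF-8 XML in the resource section, so a byte scan is enough
    $text = [System.Text.Encoding]::ASCII.GetString($b)
    [pscustomobject]@{
        File                 = [System.IO.Path]::GetFileName($Path)
        Is64Bit              = $pe64
        ASLR_DynamicBase     = [bool]($dllch -band 0x0040)
        HighEntropyVA        = [bool]($dllch -band 0x0020)
        NX_Compat            = [bool]($dllch -band 0x0100)
        ControlFlowGuard     = [bool]($dllch -band 0x4000)
        StackCookie_GS       = ($cookie -ne 0)
        RequireAdministrator = $text.Contains('requireAdministrator')
    }
}

# Audit everything in the Downloads folder, the directory the report names as the DLL-planting location
Get-ChildItem "$env:USERPROFILE\Downloads\*.exe" | ForEach-Object { Get-PeHardening $_.FullName } | Format-Table -AutoSize
```

A non-zero SecurityCookie only shows the linker emitted /GS support, not that every function is protected; a binary that reports ASLR_DynamicBase and NX_Compat as False together with RequireAdministrator as True is exactly the combination the report objects to.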
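As a further added example (not code from either post): the deny-execute ACE "(D;OIIO;WP;;;WD)" that PoC #2c applies by hand, expressed through Set-Acl so it can be applied idempotently and verified; the target directory passed at the end is an assumption.

```powershell
# Added example, not code from either post: apply the deny-execute ACE "(D;OIIO;WP;;;WD)"
# from PoC #2c to a directory with Set-Acl, without adding it twice, and return the resulting SDDL.
function Add-DenyExecuteAce {
    param([Parameter(Mandatory)][string]$Directory)
    $everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'   # WD = Everyone
    $acl = Get-Acl -Path $Directory
    # Look for an explicit (non-inherited) Deny/ExecuteFile entry for Everyone that is already there
    $present = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.FileSystemRights -eq 'ExecuteFile' -and
        -not $_.IsInherited -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone
    }
    if (-not $present) {
        # D = deny, WP = FILE_EXECUTE, OI+IO = inherited by files below but not applied to the folder itself
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $everyone,
            [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
            [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
            [System.Security.AccessControl.PropagationFlags]::InheritOnly,
            [System.Security.AccessControl.AccessControlType]::Deny)
        $acl.AddAccessRule($rule)
        Set-Acl -Path $Directory -AclObject $acl
    }
    # The SDDL string now contains the ACE exactly as the report writes it: (D;OIIO;WP;;;WD)
    (Get-Acl -Path $Directory).Sddl
}

Add-DenyExecuteAce -Directory "$env:USERPROFILE\Downloads"
```

Applied to the Downloads directory this blocks running any executable saved there directly, which is the intended effect of the mitigation but worth confirming with users before rollout.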