[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Defense in depth -- the Microsoft way (part 3)
- To: <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Defense in depth -- the Microsoft way (part 3)
- From: "Stefan Kanthak" <stefan.kanthak@xxxxxxxx>
- Date: Sun, 16 Jun 2013 22:04:30 +0200
Hi @ll,
many (if not most of the) Windows system utilities and system routines
(including the kernel and its subsystems) as well as many user programs
(including the "shell" Windows Explorer, Windows Media Player, Internet
Explorer, Microsoft Office, etc.) load libraries/satellites at runtime
via filenames read from registry or .INI entries (see examples 0 to 13
below).
Unfortunately, MANY of the references (about 5500 in Windows 7 x64 SP1
and about 4700 in Windows 7 x86 SP1) to libraries/satellites are made
just via their filename, without their (well-known!) fully qualified
path.
Every application/utility/system routine that uses one of these system
routines/subsystems, but has not taken precautions against loading DLLs
and/or satellites from CWD (see <http://support.microsoft.com/kb/2264107>
and <http://support.microsoft.com/kb/2269637>) is thus susceptible to
"binary planting" attacks.
The VERY simple fix/mitigation: ALWAYS use the (well-known!) fully
qualified path to all the libraries/satellites you reference!
JFTR: almost all of the registry entries listed in the examples below
can be specified as (typically) "%SystemRoot%\System32\<library>.dll"
with the REG_EXPAND_SZ data type.
Timeline:
2004-08-23 informed vendor about still unfixed principal security
flaws due to unqualified filenames and Windows' EXE/DLL
search/load order after release of SP2 for Windows XP
JFTR: Microsoft started their "trustworthy computing" initiative in
2001, and XP SP2 was supposed to eliminate many of the errors
Microsoft made in previous versions of NT.
2004-08-25 vendor replies "no vulnerabilities", but forwards report
to product groups/teams
2004-09-02 vendor still wont see vulnerabilities, asks for POC(s)
2008-05-30 vendors publishes
<http://technet.microsoft.com/security/advisory/953818>
2009-04-15 vendor publishes <http://support.microsoft.com/kb/959426>
alias
<http://technet.microsoft.com/security/bulletin/ms09-015>
plus
<http://technet.microsoft.com/security/bulletin/ms09-014>
2010-08-23 vendor publishes
<http://technet.microsoft.com/security/advisory/2269637>
and updates it over and over again since then
2010-08-24 asked vendor in response to advisory 2269637 what the
product groups/teams had done in the past 6 years since
my initial report to eliminate this attack vector
2010-09-04 compiled an exhaustive list with the about 5500(!)
unqualified filenames (and some more errors) in the
registry of Windows 7 x64 and sent it to vendor;
<http://home.arcor.de/skanthak/download/W7_ERROR.INF> and
<http://home.arcor.de/skanthak/download/W7_ISSUE.INF> are
the lists with major/minor errors found in the registry
of Windows 7 x86 SP1
2010-09-11 asked vendor when to expect results from report sent in
2004, and when to expect a properly/thoroughly engineered
Windows with "defense in depth" REALLY applied [*]
2010-09-13 vendor replied (to question from 2010-08-24): we have no
feedback from the product teams
2011-09-13 vendor publishes <http://support.microsoft.com/kb/2570947>
alias
<http://technet.microsoft.com/security/bulletin/ms11-071>
2011-12-28 vendor informs that the BSOD from example 3 was filed as a
stability bug against Windows 8
2012-05-08 vendor publishes<http://support.microsoft.com/kb/2686509>
alias
<http://technet.microsoft.com/security/bulletin/ms12-034>
stay tuned
Stefan
[*] for (german) Windows XP Professional I provide the script
<http://home.arcor.de/skanthak/download/XP_FIXIT.INF> that corrects
the errors in the registry which remain after fixing the scripts
\i386\DMREG.INF and \i386\HIVE*.INF and the errors in installed
*.theme and generated DESKTOP.INI files which remain after fixing
the \i386\*.TH_ files (usage instructions included in the script).
PS: if you missed part 1 and/or part 2, see
<http://seclists.org/fulldisclosure/2013/May/107> and
<http://seclists.org/fulldisclosure/2013/Jun/6>
Example 0:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\xxxxxxxx]
"Layout File"="KBDxyz.DLL"
Fixed with <http://support.microsoft.com/kb/2686509> alias
<http://technet.microsoft.com/security/bulletin/ms12-034>
JFTR: Microsoft started their "trustworthy computing" initiative in
2001; 11 years later they still have loads of silly security
holes due to their sloppy attitude!
Example 1:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="userinit.exe"
Fixed with <http://support.microsoft.com/kb/269049> alias
<http://technet.microsoft.com/security/bulletin/ms00-052>
JFTR: the vulnerability with "Userinit"="userinit.exe" was introduced
when <http://support.microsoft.com/kb/249321> was applied.
Example 2: NETSH.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh]
"<name>"="<library>.dll"
... some 20 more entries ...
POC: download <http://home.arcor.de/skanthak/download/SENTINEL.DLL> or
<http://www.binaryplanting.com/demo/program_manager_group_converter/imm.dll>
and store it with the name of one of the DLLs listed in the above
registry key (or add a registry entry "0"="SENTINEL.DLL" resp.
"0"="imm.dll" there); copy the 32-bit version of NETSH.EXE into
a second directory; open a command prompt, "cd" into the directory
where you downloaded the DLL; run the copy of NETSH.EXE from the
command prompt and admire the application popup from the DLL.-)
On 64-bit systems download
<http://www.binaryplanting.com/demo/program_manager_group_converter_64/imm.dll>
and proceed like above.
JFTR: if you think "ouch! how complicated" please check whether you've
ever copied utilities like NETSH.EXE to another location, for
instance your \\%LOGONSERVER%\NETLOGON\ share, and run them from
there during logon (see <http://support.microsoft.com/kb/264061>
and <http://support.microsoft.com/kb/306850>).
"Once bitten twice shy"? Not in Redmond, not at Microsoft!
Example 3: the font drivers of the Win32 (kernel) subsystem
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers]
"Adobe Type Manager"="atmfd.dll"
JFTR: change this entry to =expand:"%SystemRoot%\\System32\\atmfd.dll",
then start another user session (via fast user switching or RDP)
and admire the BSOD "STOP 0x50 PAGE_FAULT_IN_NONPAGEABLE_AREA" in
CSRSS.EXE due to a silly programming error in the code evaluating
the environment variable %SystemRoot%. OUCH!
"Adobe Type Manager"="C:\\Windows\\System32\\atmfd.dll" but works.
Example 4: the SPOOLER
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows
NT x86\Print Processors\winprint]
"Driver"="winprint.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port]
"Driver"="localspl.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Microsoft
Shared Fax Monitor]
"Driver"="FXSMON.DLL"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard
TCP/IP Port]
"Driver"="tcpmon.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\USB Monitor]
"Driver"="usbmon.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\WSD Port]
"Driver"="WSDMon.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\Internet
Print Provider]
"Name"="inetpp.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan
Print Services]
"Name"="win32spl.dll"
JFTR: when these registry entries are changed to
"<...>"=expand:"%SystemRoot%\\System32\\<library>.dll"
the SPOOLER silently fails: no port monitors and no print providers
are loaded, but no event log entry is written and no other indication
of the fault given to the user!
"<...>"="C:\\Windows\\System32\\<library>.dll" but works.
Example 5: the RPC service/system
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\ClientProtocols]
"ncacn_ip_tcp"="rpcrt4.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions]
"NdrOleExtDll"="Ole32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService]
"9"="secur32.dll"
Example 6: the cryptography subsystem
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="credssp.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Identity
Device (Microsoft Generic Profile)]
"80000001"="msclmd.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Identity
Device (NIST SP 800-73 [PIV])]
"80000001"="msclmd.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft
Base Smart Card Crypto Provider]
"Image Path"="basecsp.dll"
... some 100 entries more ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{guidguid-guid-guid-guid-guidguidguid}]
"$DLL"="WINTRUST.DLL"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\<oid>]
"$DLL"="WINTRUST.DLL"
Example 7: OLE and COM
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42071714-76d4-11d1-8b24-00a0c9068ff3}\InprocServer32]
@="deskpan.dll"
This ONE was fixed with <http://support.microsoft.com/kb/2570947>
alias <http://technet.microsoft.com/security/bulletin/ms11-071>
The following HUNDREDS are still lurking around and waiting to be exploited!
JFTR: <http://msdn.microsoft.com/library/ms691424.aspx> says:
| LocalServer Specifies the full path to a 16-bit local server application.
~~~~~~~~~
| LocalServer32 Specifies the full path to a 32-bit local server application.
~~~~~~~~~
<http://msdn.microsoft.com/library/ms682390.aspx> says:
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
| {CLSID}
| InprocServer32
| (Default) = path
~~~~
<http://msdn.microsoft.com/library/ms694328.aspx> says:
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
| {CLSID}
| InprocServer
| (Default) = path
~~~~
At Microsoft, we dont read our own documentation, we dont care!
POC: download <http://home.arcor.de/skanthak/download/SENTINEL.DLL> or
<http://www.binaryplanting.com/demo/program_manager_group_converter/imm.dll>
and store it as DPNET.DLL; copy the 32-bit version of WSCRIPT.EXE
or CSCRIPT.EXE into a second directory; create a file POC.VBS with
the following single line: CreateObject("DirectPlay8.Peer.1")
open a command prompt, "cd" into the directory where you downloaded
the DLL; run the copy of WSCRIPT.EXE or CSCRIPT.EXE with POC.VBS as
argument from the command prompt and admire the application popup
from the DLL.-)
JFTR: you can use any other program which instanciates COM objects instead
of the Windows Script Host!
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000300-0000-0000-C000-000000000046}\InprocServer32]
@="ole32.dll"
... some 100 entries more ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{guidguid-guid-guid-guid-guidguidguid}\InprocServer32]
@="<library>.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{guidguid-guid-guid-guid-guidguidguid}\LocalServer]
@="<program>.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{guidguid-guid-guid-guid-guidguidguid}\LocalServer32]
@="<program>.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D3E34B21-9D75-101A-8C3D-00AA001A1652}\InProcHandler32]
@="ole32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC5DA001-7CD4-11D2-8ED9-D8C857F98FE3}\Server]
@="mscorld.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFC9F9AE-E87A-3252-8E25-B22423A40065}\InprocServer32]
@="mscoree.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OLETransactionManagers\MSDTC]
"DLL"="MSDTCPRX.DLL"
... some 100 entries more ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{guidguid-guid-guid-guid-guidguidguid}\x.y\z\win16]
@="<library>.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{guidguid-guid-guid-guid-guidguidguid}\i.j\k\win32]
@="<library>.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{guidguid-guid-guid-guid-guidguidguid}\a.b\c\win64]
@="<library>.dll"
Example 8: the group policies' client side extensions
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\GPExtensions\{guidguid-guid-guid-guid-guidguidguid}]
"DisplayName"="@<library>.dll,-100"
"DllName"=expand:"<library>.dll"
Example 9: directplay
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlay\Service Providers\Internet
TCP/IP Connection For DirectPlay]
"Gateway"="dpnhpast.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlay\Service Providers\Internet
TCP/IP Connection For DirectPlay]
"Path"="dpwsockx.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlay\Service Providers\Modem
Connection For DirectPlay]
"Path"="dpmodemx.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlay\Service Providers\Serial
Connection For DirectPlay]
"Path"="dpmodemx.dll"
Example 10: misc.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS]
"IGDSearcherDLL"="bitsigd.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching\Plugin]
"WUSearchLibrary"="chkwudrv.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystemUtilities]
"IfsUtilExtension"="ifsutilx.dll"
Example 11: TS Client
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server
Client\TransportExtensions]
"Gateway"="aaclient.dll"
[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server
Client\Default\Addins\<subkey>]
"<name>"="<library>.dll"
...
[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server
Client\<connection>\Addins\<subkey>]
"<name>"="<library>.dll"
...
Example 12: MMC.EXE, the "Microsoft Management Console"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{guidguid-guid-guid-guid-guidguidguid}]
"ModuleName"="<library>.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\{guidguid-guid-guid-guid-guidguidguid}]
"DescriptionIndirect"="@<library>.dll,-123"
"NameStringIndirect"="@<library>.dll,-123"
Example 13: DESKTOP.INI (folder customization), *.theme, *.LNK
The shell caches the strings referenced via ="@<library.dll>,-123"
in DESKTOP.INI and *.theme files, *.LNK etc. as well as the registry
below the following registry keys:
[HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache]
"<...>.dll,-123"="...some string..."
[HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache]
"<...>.dll,-123"="...some string..."
Look for yourself which files are loaded without fully qualified path!
JFTR: ONLY IF resource DLLs are loaded with LoadLibraryEx() and the
flag LOAD_LIBRARY_AS_DATAFILE is set (see
<http://msdn.microsoft.com/en-us/ms684179>) there will be no
call to the DllMain entry point.
Counterexample:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\NLS\CodePage]
"<cpid>"="c_<cpid>.nls"
The filenames specified here get prefixed with %SystemRoot%\System32\
before their use.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/