[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Defense in depth -- the Microsoft way (part 49): fun with application manifests



Hi @ll,

Microsoft built several bugs^W^Wfollowing features into the
processing of (external) application manifests, i.e. XML files
named <program>.exe.manifest which can accompany any portable
executable <program>.exe

JFTR: the file extension ".exe" is only used per convention;
      CreateProcess() and Windows module loader execute
      portable executables independent of their file extension.


Feature #1:
~~~~~~~~~~~

External application manifests must have "execute file"
permission (although Windows module loader only reads them).

Demonstration/proof of concept:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Windows 7, Windows Vista and Windows Embedded POSReady 2009
(alias Windows XP SP3) create empty files CScript.exe.manifest,
MSHTA.exe.manifest and/or WScript.exe.manifest in the "system"
directory %SystemRoot%\System32\, add the NTFS ACE "(D;;WP;;;WD)"
meaning "deny execution for everybody" to these files, then start
CScript.exe, MSHTA.exe and/or WScript.exe via Start->Execute
or per double-click ... and notice the message box telling you
"access denied".

The Win32 error code returned by CreateProcess() is indeed
ERROR_ACCESS_DENIED

On newer versions of Windows, find an arbitrary executable file
without embedded application manifest to reproduce this feature.


Feature #2:
~~~~~~~~~~~

The "encoding" XML property of application manifests must have
the value UTF-8.

Demonstration/proof of concept:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Windows XP^WEmbedded POSReady 2009 and newer versions of
Windows, create the following perfectly valid XML file:

--- dummy.exe.manifest ---
<?xml version="1.0" encoding="US-ASCII" standalone="yes" ?>
<assembly
    manifestVersion="1.0"
    xmlns="urn:schemas-microsoft-com:asm.v1">
</assembly>
--- EOF ---

Add it as resource of type 24 alias RT_MANIFEST with index 1
to an arbitrary portable executable, or place it next to a
portable executable "dummy.exe" without embedded application
manifest, then start "dummy.exe" via Start->Execute or per
double-click ... and notice the message box telling you
"The application can not be started. ..."

The Win32 error code returned by CreateProcess() is
ERROR_SXS_CANT_GEN_ACTCTX

Replacing US-ASCII with UTF-7, ISO-8859-1, Windows-1252 or any
other valid XML encoding except UTF-8 yields the same result.


stay tuned
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/