[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Defense in depth -- the Microsoft way (part 57): installation of security updates fails on Windows Embedded POSReady 2009

Hi @ll,

on a multitude of machines running Windows Embedded POSReady 2009,
"automatic updates" show the well-known and never resolved bug which
lets the Windows Update Agent occupy one core (good luck if your CPU
has some of them and can afford to sacrifice one.-) for DAYS at 100%

This nasty behaviour is documented for example in the MSKB articles
<https://support.microsoft.com/en-us/help/3102810> and

This bug has a rather LOOONG tradition; see for example

But this bug is NOT subject of this post -- the story only starts

Since I've dealt with this bug quite some times in the past decade
I know how to overcome it (see for example
1. manually fetch the latest cumulative update for Internet Explorer,
2. install it,
3. then reboot and let "automatic updates" perform their duty again.

Step 1 was simple:
1.a) start the web browser and enter the URL
1.b) sort the updates by date,
1.c) find the latest cumulative update for IE,
1.d) then download the executable installer offered for your language.

This left me with the file
in my "Downloads" folder "C:\Dokumente und 

Since ALL downloads in the "Microsoft Update Catalog" are offered over
INSECURE HTTP: (see <http://seclists.org/fulldisclosure/2018/Feb/43>)
I checked the integrity of the downloaded executable:

C:\Dokumente und Einstellungen\Administrator\Downloads>CertUtil.exe /V /HashFile
SHA-1-Hash der Datei 
fd 52 c3 ee 74 9c 7d 21 e0 c8 da 6d 9a cb 20 36 07 e2 5d a4
CertUtil: -hashfile-Befehl wurde erfolgreich ausgeführt.

Good, the SHA1 hash matches the filename (this was shown over the
secure HTTPS: connection to the Microsoft Update Catalog itself).

Right-click->Properties:"Digital signatures", then double-click on
the signature also yields "valid".

Good, lets proceed with step 2: install the downloaded update.

2.a) a double-click on
     presented TWO error message boxes with the following text:

 - Auslagerungsdatei konnte nicht erstellt
| (X) Exception Processing Message c0000145 Parameters c0000005 75b0bf7c 
75b0bf7c 75b0bf7c
|                                  [  OK  ]


JFTR: you'll see this GIBBERISH on ALL NON-english editions of
      Windows Embedded POSReady 2009 (and Windows XP too)!

      For the description and demonstration of this bug in NTDLL.dll,
      start reading <https://skanthak.homepage.t-online.de/fubar.html>

     Since I know this bug in NTDLL.dll since quite some time, I know
     that the "correct" error message box should have been

 - Fehler in Anwendung
| (X) Die Anwendung konnte nicht richtig initialisiert werden (0xc0000005).
|     Klicken Sie auf "OK", um die Anwendung zu beenden.
|                                  [  OK  ]

2.b) on english editions of Windows Embedded POSReady 2009, execution of
     yields the error message box

 - Application Error
| (X) The application failed to initialize properly (0xc0000005).
|     Click OK to terminate the application.
|                                  [  OK  ]

     That's an "access violation" during process initialisation.

2.c) Let's run the application under the debugger:

C:\Dokumente und Einstellungen\Administrator\Downloads>NTSD.exe

Microsoft (R) Windows User-Mode Debugger  Version 5.1.2600.0
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Dokumente und
Loaded dbghelp extension DLL
Loaded exts extension DLL
Loaded ntsdexts extension DLL
Symbol search path is: 
 search path is:
ModLoad: 01000000 01020000   sfxcab.exe
ModLoad: 7c910000 7c9ca000   ntdll.dll
ModLoad: 7c800000 7c909000   C:\WINDOWS\System32\kernel32.dll
ModLoad: 77be0000 77c38000   C:\WINDOWS\System32\msvcrt.dll
ModLoad: 77da0000 77e4a000   C:\WINDOWS\System32\ADVAPI32.dll
ModLoad: 77e50000 77ee3000   C:\WINDOWS\System32\RPCRT4.dll
ModLoad: 77fc0000 77fd1000   C:\WINDOWS\System32\Secur32.dll
ModLoad: 7e360000 7e3f1000   C:\WINDOWS\System32\USER32.dll
ModLoad: 77ef0000 77f3a000   C:\WINDOWS\System32\GDI32.dll
ModLoad: 5d450000 5d4ea000   C:\WINDOWS\System32\COMCTL32.dll
ModLoad: 7e670000 7ee92000   C:\WINDOWS\System32\SHELL32.dll
ModLoad: 77f40000 77fb7000   C:\WINDOWS\System32\SHLWAPI.dll
Break instruction exception - code 80000003 (first chance)
eax=00181eb4 ebx=7ffd9000 ecx=00000007 edx=00000080 esi=00181f48 edi=00181eb4
eip=7c91120e esp=0006fb20 ebp=0006fc94 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
7c91120e cc               int     3
0:000> g
 Heap block at 0008AC58 modified at 0008AE08 past requested size of 1a8
Break instruction exception - code 80000003 (first chance)
eax=0008ac58 ebx=0008ae08 ecx=7c92f927 edx=0006e182 esi=0008ac58 edi=000001a8
eip=7c91120e esp=0006e384 ebp=0006e388 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
7c91120e cc               int     3
0:000> g
 Invalid Address specified to RtlFreeHeap( 00080000, 0008AC60 )
Break instruction exception - code 80000003 (first chance)
eax=0008ac58 ebx=0008ac58 ecx=7c92f927 edx=0006e192 esi=00080000 edi=0008ac58
eip=7c91120e esp=0006e39c ebp=0006e3a0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
7c91120e cc               int     3
0:000> g
Access violation - code c0000005 (first chance)
eax=0008ae20 ebx=007d0032 ecx=00080210 edx=00000000 esi=0008ae18 edi=00300033
eip=7c92afa0 esp=0006e0f0 ebp=0006e30c iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
7c92afa0 8b0b             mov     ecx,[ebx]         ds:0023:007d0032=????????
0:000> gn
 Heap missing last entry in committed range near 8ae18
Break instruction exception - code 80000003 (first chance)
eax=0008ae18 ebx=00080640 ecx=7c92f927 edx=0006e559 esi=00080588 edi=0008b148
eip=7c91120e esp=0006e764 ebp=0006e768 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
7c91120e cc               int     3
0:000> gn
Access violation - code c0000005 (first chance)
eax=0008ae20 ebx=007d0032 ecx=000801b0 edx=00000000 esi=0008ae18 edi=00300033
eip=7c92afa0 esp=0006eb64 ebp=0006ed80 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
7c92afa0 8b0b             mov     ecx,[ebx]         ds:0023:007d0032=????????
0:000> gn
Access violation - code c0000005 (first chance)
eax=00000010 ebx=7ffdf000 ecx=00000100 edx=00000190 esi=77f350e0 edi=01900010
eip=77ef64f1 esp=0006f2f8 ebp=0006f300 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
77ef64f1 38410a           cmp     [ecx+0xa],al            ds:0023:0000010a=??
0:000> gn
Access violation - code c0000005 (first chance)
eax=0006fc54 ebx=00000000 ecx=0006fca8 edx=7c91e514 esi=c0000005 edi=00000000
eip=7c977a96 esp=0006fc54 ebp=0006fca4 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
7c977a96 c9               leave
0:000> q

     NICE! That looks like a buffer overrun on the heap, and the corrupted
     data then yields the "access violation".

2.d) Let's see if I can cure it:

C:\Documents and Settings\Administrator\Downloads>RENAME
C:\Documents and 

    The buffer overrun is gone, the update installs!
    If only someone had told the wise guys at Microsoft that MAX_PATH is
    260 characters, and that buffers have to be checked for overruns!
    What happened to the "trustworthy computing" initiative?

2.e) But WAIT, it's not over yet:

C:\Dokumente und 

     The /X option extracts the payload into an arbitrary directory; the
     default is the current directory, i.e.
     "C:\Dokumente und Einstellungen\Administrator\Downloads"

     This yields the error message box

| Dekomprimierung fehlgeschlagen
| (X) Datei ist beschädigt
|           [  OK  ]

     WTF? The file is supposed to be corrupt?
     It but installed successful, its checksums are correct!

JFTR: without the /X option, the executable self-extractor SFXCAB
      creates a directory with a random, up to 32 characters "short"
      name in the root directory of the drive with the most free space.

2.f) Let's see whether this error can be cured too by using a shorter path:

C:\Dokumente und 
 /X C:\Windows\Temp


| Dekomprimierung abgeschlossen
|  ^
| /!\ Dekomprimierung abgeschlossen
| ¯¯¯
|           [  OK  ]

C:\Dokumente und Einstellungen\Administrator\Downloads>dir C:\Windows\Temp

 Volume in Laufwerk C: hat keine Bezeichnung.
 Volumeseriennummer: 8CDE-6034

 Verzeichnis von C:\Windows\Temp

01.09.2018  23:18    <DIR>                       .
01.09.2018  23:18    <DIR>                       ..
01.09.2018  23:18    <DIR>                       SP3QFE
01.09.2018  23:18    <DIR>                       update
01.02.2018  23:28            18.808              spmsg.dll
01.02.2018  23:28           234.872              spuninst.exe
               2 Datei(en)        253.680 Bytes
               4 Verzeichnis(se),  8.396.988.416 Bytes frei

stay tuned
Stefan Kanthak

PS: for the other bugs and vulnerabilities in Microsoft's SFXCAB
    see <http://seclists.org/fulldisclosure/2016/Jan/48> and/or

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/