Home page logo
/

bugtraq logo Bugtraq mailing list archives

Defense in depth -- the Microsoft way (part 7): executable files in data directories
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Sat, 17 Aug 2013 21:01:28 +0200

Hi,

with Windows XP (about 12 years ago) Microsoft started to develop a
REALLY NASTY habit: they began to install executable files outside
of "%SystemRoot%\" and "%ProgramFiles%\", in "%ALLUSERSPROFILE%\"
(since Windows Vista: "%ProgramData%\") and even "%USERPROFILE%\".


Examples:

* "%ALLUSERSPROFILE%\DRM\INDIVBOX.KEY"

  a DLL, installed there when a user runs the DRM individualisation
  process of Windows Media Player, see
  <http://go.microsoft.com/fwlink/fwlink.ashx?linkid=34506> alias
  <http://drmlicense.one.microsoft.com/Indivsite/en/indivit.asp?force=1> alias
  <https://services.wmdrm.windowsmedia.com/Indivsite/en/indivit.asp?force=1>

* "%COMMONAPPDATA%\Microsoft\PlayReady\Cache\...\MSPRindiv01.key"

  a DLL, used for Silverlight's PlayReady DRM

* "%APPDATA%\Microsoft\Virtual PC\VPCKeyboard.dll"

* "%LOCALAPPDATA%\Microsoft\SkyDrive\..."

...

While this is a violation of Microsoft's own, about 18 years old
"Designed for Windows" guidelines, it tears down the security boundary
created with NTFS permissions/access rights and "privilege separation":
unprivileged users cant write to "%SystemRoot%\" and "%ProgramFiles%\"
and below, so all executables installed there are protected against
tampering by unprivileged users (and programs/malware running under
unprivileged user accounts).

Executables installed in %USERPROFILE% are but NOT protected against
tampering and can undermine at least the users safety.


Marcus J. Ranum was SOO right, back in 2007, when he wrote in
"Execution Control: Death to Antivirus" (see
<http://www.ranum.com/security/computer_security/editorials/antivirus/index.html>):

| It makes sense; security never has been important in Windows.


JFTR: unfortunately not only Microsoft shows this bad habit:
      crapware like the versions of Google Chrome or Google Drive
      that are offered to "end users" installs into
      "%LOCALAPPDATA%\Google\Chrome\Application\...",
      "%LOCALAPPDATA%\Google\Update\..." and even subdirectories
      of "%TEMP%", Dropbox installs into "%APPDATA%\Dropbox\...",
      SoftMaker Office creates a DLL with the user registration data
      in "%APPDATA%\SoftMaker" (and fails MISERABLY if execution is
      denied there), Mozilla Firefox and Thunderbird download their
      updaters to "%APPDATA%\Mozilla\..." (and fail MISERABLY if
      execution is denied there), extensions like Mozilla Lightning
      install DLLs below "%APPDATA%\Mozilla\..." (and fail MISERABLY
      if execution is denied there), ...


I recommend that the developers responsible for these crimes against
computer safety and security learn the meaning of the word "DATA"
before they are allowed to pester unsuspecting users with more of
their (by the very design) unsafe and insecure programs.


stay tuned
Stefan Kanthak


PS: it's getting worse^Wmore complicated (and as everybody with a
    sane mind knows: complexity reduces/ruins safety and security)!

    With Windows Vista Microsoft introduced "user account control"
    (really: they surrendered to all those incapable and incompetent
    developers who were and are unable and unwilling to write Windows
    software that runs without administrative rights, as requested in
    their own, then about 11 year old "Designed for Windows" guidelines)
    and "UAC virtualization", which redirects write access failures
    (and after that, read accesses too) of "legacy applications", i.e.
    32-bit processes run by unprivileged interactive users (cf.
    <http://technet.microsoft.com/magazine/4ce22051-1ff9-49c1-ab06-d97658e993e0>
    and <http://msdn.microsoft.com/en-us/library/bb530410.aspx>)
    below "%SystemRoot%\", "%ProgramFiles%\" and "%ProgramData%\" to
    "%LOCALAPPDATA%\VirtualStore\".

| However, any file with an executable extension, including .exe,
| .bat, .scr, .vbs, and others, is excluded from virtualization.

    The list of predefined "executable" extensions (as found within
    %SystemRoot%\System32\Drivers\LUAFV.SYS) is:
    .acm, .asa, .asp, .aspx, .ax, .bat, .cer, .chm, .clb, .cmd, .cnt,
    .cnv, .com, .cpl, .cpx, .crt, .dll, .drv, .exe, .fon, .grp, .hlp,
    .hta, .ime, .inf, .ins, .isp, .its, .js, .jse, .lnk, .msc, .msi,
    .msp, .mst, .mui, .nls, .ocx, .pal, .pcd, .pif, .reg, .scf, .scr,
    .sct, .shb, .shs, .sys, .tlb, .tsp, .url, .vb, .vbe, .vbs, .vsmacros,
    .ws, .wsc, .wsf and .wsh

    BUT: .key (see above) is missing!

    To modify this list, edit

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Luafv\Parameters]
    "ExcludedExtensionsAdd"=multi:
    "ExcludedExtensionsRemove"=multi:


  By Date           By Thread  

Current thread:
  • Defense in depth -- the Microsoft way (part 7): executable files in data directories Stefan Kanthak (Aug 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault