Home page logo
/

bugtraq logo Bugtraq mailing list archives

Defense in depth -- the Microsoft way (part 6): beginner's errors, QA sound asleep or out of sight!
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Wed, 7 Aug 2013 02:11:15 +0200

Hi,

the installation of Microsofts much acclaimed "security tool"
EMET 3.0 (see <http://www.microsoft.com/emet> and
<http://support.microsoft.com/kb/2458544>) creates the following
VULNERABLE registry entry that runs a rogue program C:\PROGRA.EXE
(as well as "C:\Program Files.exe" on x64) in the security context
of the user logging on:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EMET Notifier"="C:\\Program Files\\EMET\\EMET_notifier.exe"       ; x86
"EMET Notifier"="C:\\Program Files (x86)\\EMET\\EMET_notifier.exe" ; x64


JFTR: the vulnerability is caused by of one of Windows' documented
(see <http://msdn.microsoft.com/library/ms682425.aspx) idiosyncrasies:
CreateProcess() does NOT fail on calls with arguments like
    C:\Program Files\Common Files\Microsoft Shared\<filename>[.<extension>]
but tries to execute
    "C:\Progra.exe"
    "C:\Program Files\Common.exe"
    "C:\Program Files\Common Files\Microsoft.exe"
    "C:\Program Files\Common Files\Microsoft Shared\<filename>[.<extension>]"
in turn to cover BEGINNERS ERRORS of incapable developers who are
unable to handle "long" pathnames with embedded spaces properly.

Whoever decided to implement this idiosyncrasy some 20 years ago was
but incapable too and did not recognize the consequences of this
idiosyncrasy^Widiotic behaviour!


The same beginners error is (for example) present in all versions
of "Microsoft Security Essentials" before 4.2 and was just recently
fixed with <https://support.microsoft.com/kb/2805304>:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client]
"UninstallString"="C:\\Program Files\\Microsoft Security Client\\Setup.exe /X"


Some of Microsoft's developers (and of course their QA) apparently
dont know their companies own documentation;
cf. <http://msdn.microsoft.com/library/ms997548.aspx>:

| The path you supply to Uninstall-String must be the complete
| command line used to carry out your uninstall program.


JFTR: "add/remove programs" of current versions of Windows (XP SP2
and newer) mitigates this error and inserts missing quotes after
the first "<filename>" or "<filename.extension>" and in front of
the string. This kludge is but NOT documented!


<https://support.microsoft.com/kb/2781197> resp.
<https://support.microsoft.com/kb/2823482> alias
<https://technet.microsoft.com/security/bulletin/ms13-034> fixed
another unquoted pathname in Windows Defender on Windows 8, while
<https://support.microsoft.com/kb/2847927> alias
<https://technet.microsoft.com/security/bulletin/ms13-058> fixed it
in Windows Defender on Windows 7 and Window Server 2008 R2, where
this beginners error allowed the execution of a rogue program
C:\PROGRA.EXE in the security context of "LocalSystem".


On a fully patched Windows 7 x64 take a look at:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37efd44d-ef8d-41b1-940d-96973a50e9e0}\Shell\Open\Command]
@=expand:"%ProgramFiles%\\Windows Sidebar\\sidebar.exe /showGadgets"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\Gadgets\command]
@="C:\\Program Files\\Windows Sidebar\\sidebar.exe /showGadgets"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaServer:1\shell\Open Media
Player\command]
@=expand:"C:\\Program Files\\Windows Media Player\\wmplayer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.gadget\shell\open\command]
@=expand:"%ProgramFiles%\\Windows Sidebar\\Sidebar.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\Windows Media Player\shell\open\command]
@=expand:"%ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SideShow\Gadgets\{591248b9-ad35-47c2-b2fa-2d7c120adc79}]
"StartCommand"=expand:"%programFiles%\\Windows Media Player\\WMPSideShowGadget.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Keyboard\Native Media Players\WMP]
"ExePath"="C:\\Program Files\\Windows Media Player\\wmplayer.exe"


On a fully patched Windows XP take a look at:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\MPlayer2]
"Player.Path"="C:\\Program Files\\Windows Media Player\\mplayer2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer]
"Player.Path"="C:\\Program Files\\Windows Media Player\\wmplayer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\shell\open\command]
@="C:\\Program Files\\Windows Media Player\\wmplayer.exe /Open ""%L"""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\shell\play\command]
@="C:\\Program Files\\Windows Media Player\\wmplayer.exe /Play ""%L"""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSDASC\shell\open\command]
@="Rundll32.exe C:\\Program Files\\Common Files\\System\\OLE DB\\oledb32.dll,OpenDSLFile %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSInfo.Document\Shell\Open\Command]
@="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\MSInfo32.exe /msinfo_file %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\x-internet-signup\Shell\Open\command]
@=expand:"%ProgramFiles%\\Internet Explorer\\Connection Wizard\\ISIGNUP.EXE %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\IM\Windows Messenger\shell\open\command]
@=expand:"%ProgramFiles%\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\Windows Media Player\shell\open\command]
@="C:\\Program Files\\Windows Media Player\\wmplayer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{068B0700-718C-11d0-8B1A-00A0C91BC90E}\LocalServer32]
@="C:\\Program Files\\Netmeeting\\conf.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3E9BAF2D-7A79-11d2-9334-0000F875AE17}\LocalServer32]
@="C:\\Program Files\\Netmeeting\\conf.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472FDD38-C8CE-4417-9138-C437B0445EBC}\LocalServer32]
@="C:\\Program Files\\Movie Maker\\moviemk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{855B6281-563C-4462-8C6D-5326CA1D4FE4}\LocalServer32]
@="C:\\Program Files\\MSN Gaming Zone\\Windows\\zclientm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C3ADF99-CCFE-11d2-AD10-00C04F72DD47}\LocalServer32]
@="C:\\Program Files\\Netmeeting\\conf.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A1031BAF-3039-4dd6-BC5E-522F007DAF8B}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB1D8565-40E9-4616-984D-98465687E82C}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B69003B3-C55E-4b48-836C-BC5946FC3B28}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BBBFCB14-3B21-491c-9E2A-B0F3D50F83FD}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BC20CB75-A981-460e-81D4-F06F61B59247}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF66AFC9-C61D-404a-B535-64FBF91D420F}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E0B8F398-BB08-4298-87F0-34502693902E}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E3A3B1D9-5675-43c0-BF04-37BE11939FB7}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3A614DC-ABE0-11d2-A441-00C04F795683}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB7199AB-79BF-11d2-8D94-0000F875C541}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583}]
"Exec"="%windir%\\Network Diagnostic\\xpnetdiag.exe"


OUCH!


"Long" pathnames containing spaces exist for about 20 years now in
Windows, EVERY developer should know how to use them properly, and
EVERY QA should check their proper use!


JFTR: unfortunately not only Microsoft's developers are incapable;
Mozilla Firefox and Thunderbird for example create the following
registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 22.0 (x86 en-US)]
"UninstallString"="C:\\Program Files\\Mozilla Firefox\\uninstall\\helper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 17.0.8 (x86 en-US)]
"UninstallString"="C:\\Program Files\\Mozilla Thunderbird\\uninstall\\helper.exe"


Intel too can't afford developers past beginner level and a QA and
makes "privilege escalation" really easy:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AMPPALR3]
"ImagePath"=expand:"C:\\Program Files\\Intel\\BluetoothHS\\BTHSAmpPalService.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EvtEng]
"ImagePath"=expand:"C:\\Program Files\\Intel\\WiFi\\bin\\EvtEng.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jhi_service]
"ImagePath"=expand:"C:\\Program Files (x86)\\Intel\\Intel(R) Management Engine Components\\DAL\\jhi_service.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LMS]
"ImagePath"=expand:"C:\\Program Files (x86)\\Intel\\Intel(R) Management Engine Components\\LMS\\LMS.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyWiFiDHCPDNS]
"ImagePath"=expand:"C:\\Program Files\\Intel\WiFi\\bin\\PanDhcpDns.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegSrvc]
"ImagePath"=expand:"C:\\Program Files\\Common Files\\Intel\\WirelessCommon\RegSrvc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}]
"UninstallString"="C:\\Program Files (x86)\\Intel\\Intel (R) Management Engine Components\\Uninstall\\setup.exe 
-uninstall"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}]
"UninstallString"="C:\\Program Files (x86)\\Intel\\Intel (R) Processor Graphics\\Uninstall\\setup.exe -uninstall"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}]
"UninstallString"="C:\\Program Files (x86)\\Intel\\OpenCL SDK\\2.0\\Uninstall\\setup.exe -uninstall"


stay tuned
Stefan Kanthak


PS: if you want to catch such beginners errors place a copy of
    <http://home.arcor.de/skanthak/download/SENTINEL.EXE> as
    "%SystemDrive%\PROGRA.EXE" on your Windows system(s).

    If running on "WinSta0" SENTINEL.EXE displays a message box
    listing the pathname of the executed process, its command line
    and the working directory.

    If you want to get rid of the message box "Rogue program ..."
    displayed during login add the following registry entry:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DontShowMeThisDialogAgain]
    "RogueProgramName"="Yes"


    But there are more directories like "%ProgramFiles%"
    alias "%SystemDrive%\Program Files"; start a command prompt
    and run the following commands to list them:

    For /D /R "%SystemRoot%" %X In ("* *") Do @Echo %X
    For /D /R "%ProgramFiles%" %X In ("* *") Do @Echo %X
    If Defined ProgramFiles(x86) For /D /R "%ProgramFiles(x86)%" %X In ("* *") Do @Echo %X

    In case that "%CommonProgramFiles%"/"%CommonProgramFiles(x86)%"
    are no subdirectories of %ProgramFiles%"/%ProgramFiles(x86)%" run
    the commands for these directories too.


    And: execution of command lines like
    %SystemRoot%\System32\REGSVR32.EXE %ProgramFiles%\...\<filename>[.DLL]
    %SystemRoot%\System32\RUNDLL32.EXE %ProgramFiles%\...\<filename>[.DLL],<Entry>
    will run a rogue DLL %SystemDrive%\PROGRA.DLL.

    To catch the latter, place a copy of
    <http://home.arcor.de/skanthak/download/SENTINEL.DLL> as
    "%SystemDrive%\PROGRA.DLL" on your Windows system(s).

    If running on "WinSta0" SENTINEL.DLL displays a message box
    listing the pathname of the executed DLL, the pathname of the
    calling process, its command line and the working directory.

    Test it with RUNDLL32.EXE SENTINEL.DLL,Entry


    For completeness sake: run the batch script
    <http://home.arcor.de/skanthak/download/SENTINEL.CMD>
    (with administrative rights) to place SENTINEL.{EXE,DLL} as
    %SystemDrive%\PROGRA.{EXE,DLL}, "%ProgramFiles%\COMMON.{DLL,EXE}",
    "%ProgramFiles(x86)%\COMMON.{DLL,EXE}" and SENTINEL.EXE with the
    appropiate filename next to every directory with space(s) in its
    name.

    The latter is necessary to catch command lines like
    "C:\PROGRA~1\Common Files\...\<filename>[.<extension>]" or
    "C:\PROGRA~1\COMMON~1\Microsoft Shared\...\<filename>[.<extension>]" etc.


  By Date           By Thread  

Current thread:
  • Defense in depth -- the Microsoft way (part 6): beginner's errors, QA sound asleep or out of sight! Stefan Kanthak (Aug 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault