Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Defense in depth -- the Microsoft way (part 3)
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Sun, 16 Jun 2013 22:04:30 +0200

Hi @ll,

many (if not most of the) Windows system utilities and system routines
(including the kernel and its subsystems) as well as many user programs
(including the "shell" Windows Explorer, Windows Media Player, Internet
Explorer, Microsoft Office, etc.) load libraries/satellites at runtime
via filenames read from registry or .INI entries (see examples 0 to 13
below).

Unfortunately, MANY of the references (about 5500 in Windows 7 x64 SP1
and about 4700 in Windows 7 x86 SP1) to libraries/satellites are made
just via their filename, without their (well-known!) fully qualified
path.

Every application/utility/system routine that uses one of these system
routines/subsystems, but has not taken precautions against loading DLLs
and/or satellites from CWD (see <http://support.microsoft.com/kb/2264107>
and <http://support.microsoft.com/kb/2269637>) is thus susceptible to
"binary planting" attacks.


The VERY simple fix/mitigation: ALWAYS use the (well-known!) fully
qualified path to all the libraries/satellites you reference!


JFTR: almost all of the registry entries listed in the examples below
can be specified as (typically) "%SystemRoot%\System32\<library>.dll"
with the REG_EXPAND_SZ data type.


Timeline:

2004-08-23    informed vendor about still unfixed principal security
              flaws due to unqualified filenames and Windows' EXE/DLL
              search/load order after release of SP2 for Windows XP

JFTR: Microsoft started their "trustworthy computing" initiative in
      2001, and XP SP2 was supposed to eliminate many of the errors
      Microsoft made in previous versions of NT.

2004-08-25    vendor replies "no vulnerabilities", but forwards report
              to product groups/teams

2004-09-02    vendor still wont see vulnerabilities, asks for POC(s)

2008-05-30    vendors publishes
              <http://technet.microsoft.com/security/advisory/953818>

2009-04-15    vendor publishes <http://support.microsoft.com/kb/959426>
              alias
              <http://technet.microsoft.com/security/bulletin/ms09-015>
              plus
              <http://technet.microsoft.com/security/bulletin/ms09-014>

2010-08-23    vendor publishes
              <http://technet.microsoft.com/security/advisory/2269637>
              and updates it over and over again since then

2010-08-24    asked vendor in response to advisory 2269637 what the
              product groups/teams had done in the past 6 years since
              my initial report to eliminate this attack vector

2010-09-04    compiled an exhaustive list with the about 5500(!)
              unqualified filenames (and some more errors) in the
              registry of Windows 7 x64 and sent it to vendor;
              <http://home.arcor.de/skanthak/download/W7_ERROR.INF> and
              <http://home.arcor.de/skanthak/download/W7_ISSUE.INF> are
              the lists with major/minor errors found in the registry
              of Windows 7 x86 SP1

2010-09-11    asked vendor when to expect results from report sent in
              2004, and when to expect a properly/thoroughly engineered
              Windows with "defense in depth" REALLY applied [*]

2010-09-13    vendor replied (to question from 2010-08-24): we have no
              feedback from the product teams

2011-09-13    vendor publishes <http://support.microsoft.com/kb/2570947>
              alias
              <http://technet.microsoft.com/security/bulletin/ms11-071>

2011-12-28    vendor informs that the BSOD from example 3 was filed as a
              stability bug against Windows 8

2012-05-08    vendor publishes<http://support.microsoft.com/kb/2686509>
              alias
              <http://technet.microsoft.com/security/bulletin/ms12-034>


stay tuned
Stefan

[*] for (german) Windows XP Professional I provide the script
    <http://home.arcor.de/skanthak/download/XP_FIXIT.INF> that corrects
    the errors in the registry which remain after fixing the scripts
    \i386\DMREG.INF and \i386\HIVE*.INF and the errors in installed
    *.theme and generated DESKTOP.INI files which remain after fixing
    the \i386\*.TH_ files (usage instructions included in the script).

PS: if you missed part 1 and/or part 2, see
    <http://seclists.org/fulldisclosure/2013/May/107> and
    <http://seclists.org/fulldisclosure/2013/Jun/6>


Example 0:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\xxxxxxxx]
"Layout File"="KBDxyz.DLL"

Fixed with <http://support.microsoft.com/kb/2686509> alias
<http://technet.microsoft.com/security/bulletin/ms12-034>

JFTR: Microsoft started their "trustworthy computing" initiative in
      2001; 11 years later they still have loads of silly security
      holes due to their sloppy attitude!


Example 1:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="userinit.exe"

Fixed with <http://support.microsoft.com/kb/269049> alias
<http://technet.microsoft.com/security/bulletin/ms00-052>

JFTR: the vulnerability with "Userinit"="userinit.exe" was introduced
      when <http://support.microsoft.com/kb/249321> was applied.


Example 2: NETSH.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh]
"<name>"="<library>.dll"
... some 20 more entries ...

POC: download <http://home.arcor.de/skanthak/download/SENTINEL.DLL> or
     <http://www.binaryplanting.com/demo/program_manager_group_converter/imm.dll>
     and store it with the name of one of the DLLs listed in the above
     registry key (or add a registry entry "0"="SENTINEL.DLL" resp.
     "0"="imm.dll" there); copy the 32-bit version of NETSH.EXE into
     a second directory; open a command prompt, "cd" into the directory
     where you downloaded the DLL; run the copy of NETSH.EXE from the
     command prompt and admire the application popup from the DLL.-)

     On 64-bit systems download
     <http://www.binaryplanting.com/demo/program_manager_group_converter_64/imm.dll>
     and proceed like above.

JFTR: if you think "ouch! how complicated" please check whether you've
      ever copied utilities like NETSH.EXE to another location, for
      instance your \\%LOGONSERVER%\NETLOGON\ share, and run them from
      there during logon (see <http://support.microsoft.com/kb/264061>
      and <http://support.microsoft.com/kb/306850>).

      "Once bitten twice shy"? Not in Redmond, not at Microsoft!


Example 3: the font drivers of the Win32 (kernel) subsystem

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers]
"Adobe Type Manager"="atmfd.dll"

JFTR: change this entry to =expand:"%SystemRoot%\\System32\\atmfd.dll",
      then start another user session (via fast user switching or RDP)
      and admire the BSOD "STOP 0x50 PAGE_FAULT_IN_NONPAGEABLE_AREA" in
      CSRSS.EXE due to a silly programming error in the code evaluating
      the environment variable %SystemRoot%. OUCH!

      "Adobe Type Manager"="C:\\Windows\\System32\\atmfd.dll" but works.


Example 4: the SPOOLER

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Print Processors\winprint]
"Driver"="winprint.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port]
"Driver"="localspl.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Microsoft Shared Fax Monitor]
"Driver"="FXSMON.DLL"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port]
"Driver"="tcpmon.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\USB Monitor]
"Driver"="usbmon.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\WSD Port]
"Driver"="WSDMon.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\Internet Print Provider]
"Name"="inetpp.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services]
"Name"="win32spl.dll"

JFTR: when these registry entries are changed to
      "<...>"=expand:"%SystemRoot%\\System32\\<library>.dll"
      the SPOOLER silently fails: no port monitors and no print providers
      are loaded, but no event log entry is written and no other indication
      of the fault given to the user!

      "<...>"="C:\\Windows\\System32\\<library>.dll" but works.


Example 5: the RPC service/system

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\ClientProtocols]
"ncacn_ip_tcp"="rpcrt4.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions]
"NdrOleExtDll"="Ole32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService]
"9"="secur32.dll"


Example 6: the cryptography subsystem

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="credssp.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Identity Device (Microsoft Generic Profile)]
"80000001"="msclmd.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Identity Device (NIST SP 800-73 [PIV])]
"80000001"="msclmd.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]
"Image Path"="basecsp.dll"

... some 100 entries more ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{guidguid-guid-guid-guid-guidguidguid}]
"$DLL"="WINTRUST.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\<oid>]
"$DLL"="WINTRUST.DLL"


Example 7: OLE and COM

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42071714-76d4-11d1-8b24-00a0c9068ff3}\InprocServer32]
@="deskpan.dll"

This ONE was fixed with <http://support.microsoft.com/kb/2570947>
alias <http://technet.microsoft.com/security/bulletin/ms11-071>

The following HUNDREDS are still lurking around and waiting to be exploited!

JFTR: <http://msdn.microsoft.com/library/ms691424.aspx> says:

| LocalServer    Specifies the full path to a 16-bit local server application.
                               ~~~~~~~~~
| LocalServer32  Specifies the full path to a 32-bit local server application.
                               ~~~~~~~~~
      <http://msdn.microsoft.com/library/ms682390.aspx> says:

| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
|    {CLSID}
|       InprocServer32
|          (Default) = path
                       ~~~~
      <http://msdn.microsoft.com/library/ms694328.aspx> says:

| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
|    {CLSID}
|       InprocServer
|          (Default) = path
                       ~~~~
      At Microsoft, we dont read our own documentation, we dont care!

POC: download <http://home.arcor.de/skanthak/download/SENTINEL.DLL> or
     <http://www.binaryplanting.com/demo/program_manager_group_converter/imm.dll>
     and store it as DPNET.DLL; copy the 32-bit version of WSCRIPT.EXE
     or CSCRIPT.EXE into a second directory; create a file POC.VBS with
     the following single line: CreateObject("DirectPlay8.Peer.1")
     open a command prompt, "cd" into the directory where you downloaded
     the DLL; run the copy of WSCRIPT.EXE or CSCRIPT.EXE with POC.VBS as
     argument from the command prompt and admire the application popup
     from the DLL.-)

JFTR: you can use any other program which instanciates COM objects instead
      of the Windows Script Host!


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000300-0000-0000-C000-000000000046}\InprocServer32]
@="ole32.dll"

... some 100 entries more ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{guidguid-guid-guid-guid-guidguidguid}\InprocServer32]
@="<library>.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{guidguid-guid-guid-guid-guidguidguid}\LocalServer]
@="<program>.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{guidguid-guid-guid-guid-guidguidguid}\LocalServer32]
@="<program>.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D3E34B21-9D75-101A-8C3D-00AA001A1652}\InProcHandler32]
@="ole32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC5DA001-7CD4-11D2-8ED9-D8C857F98FE3}\Server]
@="mscorld.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFC9F9AE-E87A-3252-8E25-B22423A40065}\InprocServer32]
@="mscoree.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OLETransactionManagers\MSDTC]
"DLL"="MSDTCPRX.DLL"

... some 100 entries more ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{guidguid-guid-guid-guid-guidguidguid}\x.y\z\win16]
@="<library>.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{guidguid-guid-guid-guid-guidguidguid}\i.j\k\win32]
@="<library>.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{guidguid-guid-guid-guid-guidguidguid}\a.b\c\win64]
@="<library>.dll"


Example 8: the group policies' client side extensions

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\GPExtensions\{guidguid-guid-guid-guid-guidguidguid}]
"DisplayName"="@<library>.dll,-100"
"DllName"=expand:"<library>.dll"


Example 9: directplay

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlay\Service Providers\Internet TCP/IP Connection For DirectPlay]
"Gateway"="dpnhpast.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlay\Service Providers\Internet TCP/IP Connection For DirectPlay]
"Path"="dpwsockx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlay\Service Providers\Modem Connection For DirectPlay]
"Path"="dpmodemx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlay\Service Providers\Serial Connection For DirectPlay]
"Path"="dpmodemx.dll"


Example 10: misc.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS]
"IGDSearcherDLL"="bitsigd.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching\Plugin]
"WUSearchLibrary"="chkwudrv.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystemUtilities]
"IfsUtilExtension"="ifsutilx.dll"


Example 11: TS Client

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client\TransportExtensions]
"Gateway"="aaclient.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\Addins\<subkey>]
"<name>"="<library>.dll"
...

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\<connection>\Addins\<subkey>]
"<name>"="<library>.dll"
...


Example 12: MMC.EXE, the "Microsoft Management Console"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{guidguid-guid-guid-guid-guidguidguid}]
"ModuleName"="<library>.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\{guidguid-guid-guid-guid-guidguidguid}]
"DescriptionIndirect"="@<library>.dll,-123"
"NameStringIndirect"="@<library>.dll,-123"


Example 13: DESKTOP.INI (folder customization), *.theme, *.LNK

The shell caches the strings referenced via ="@<library.dll>,-123"
in DESKTOP.INI and *.theme files, *.LNK etc. as well as the registry
below the following registry keys:

[HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache]
"<...>.dll,-123"="...some string..."

[HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache]
"<...>.dll,-123"="...some string..."

Look for yourself which files are loaded without fully qualified path!

JFTR: ONLY IF resource DLLs are loaded with LoadLibraryEx() and the
      flag LOAD_LIBRARY_AS_DATAFILE is set (see
      <http://msdn.microsoft.com/en-us/ms684179>) there will be no
      call to the DllMain entry point.


Counterexample:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\NLS\CodePage]
"<cpid>"="c_<cpid>.nls"

The filenames specified here get prefixed with %SystemRoot%\System32\
before their use.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Defense in depth -- the Microsoft way (part 3) Stefan Kanthak (Jun 17)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]