Full Disclosure mailing list archives
.diagcab directory traversal leading to arbitrary code execution
From: Imre Rad <radimre83 () gmail com>
Date: Wed, 15 Jan 2020 09:21:50 +0100
I identified a flaw in the implementation of Microsoft's Troubleshooter technology that could lead to remote code execution if a crafted .diagcab file is opened by the victim. The exploit leverages a rogue WebDAV server to trick MSDT into dropping files to attacker-controlled locations on the file system.

If you see the following pattern in any Windows applications, they might be vulnerable too:

#include <windows.h>
#include <strsafe.h>

#define MAXPATH 0x104

TCHAR attackerControlledSourcePath[MAXPATH]; // this is the "user input"
TCHAR tempDirectory[MAXPATH];
GetTempPathW(MAXPATH, tempDirectory);

// enumerate everything under the attacker-controlled directory
TCHAR allFilesFromAttackerControlledSourcePath[MAXPATH];
StringCchPrintfW(allFilesFromAttackerControlledSourcePath, MAXPATH, L"%s\\*.*", attackerControlledSourcePath);

WIN32_FIND_DATAW FindFileData;
HANDLE hFind = FindFirstFileW(allFilesFromAttackerControlledSourcePath, &FindFileData);
do {
    TCHAR srcFile[MAXPATH];
    TCHAR dstFile[MAXPATH];
    // cFileName is used as-is: no check that it is a single path component
    StringCchPrintfW(srcFile, MAXPATH, L"%s\\%s", attackerControlledSourcePath, FindFileData.cFileName);
    StringCchPrintfW(dstFile, MAXPATH, L"%s\\%s", tempDirectory, FindFileData.cFileName);
    CopyFileW(srcFile, dstFile, TRUE);
} while (FindNextFileW(hFind, &FindFileData) != 0);
FindClose(hFind);

The thing is, the FindFirstFile/FindNextFile APIs could return file entries with path separator characters in them; I implemented a rogue WebDAV server to demonstrate this:

C:\Projects\diagcab>dir \\127.0.0.1@80\DavWWWRoot\package
 Volume in drive \\127.0.0.1@80\DavWWWRoot has no label.
 Volume Serial Number is 0000-0000

 Directory of \\127.0.0.1@80\DavWWWRoot\package

2017. 07. 12.  11:10    <DIR>          .
2017. 07. 12.  11:10    <DIR>          ..
2017. 07. 12.  10:48            27 648 ..\..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc.exe
               1 File(s)         27 648 bytes
               2 Dir(s)  251 292 504 064 bytes free

Microsoft refused to fix this issue, so it is recommended to stay away from this file type.
You can find the full write-up and the online demo project here:
https://medium.com/@radimre83/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd

And the source files here:
https://www.github.com/irsl/microsoft-diagcab-rce-poc/

Imre

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
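The check that the copy loop above is missing, as an added example that is not part of the original post or of Microsoft's code: a name returned by FindFirstFile/FindNextFile is only safe to join to a trusted directory if it is a single path component. The example is plain portable C (no Win32 calls), with wchar_t in place of TCHAR and swprintf in place of StringCchPrintfW; the sample entry names and the base directory are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <wchar.h>

#define MAXPATH 0x104

/* True only if name is one path component: non-empty, not "." or "..",
 * and free of separators, drive/stream colons and control characters.
 * A rogue WebDAV share can return names like "..\..\Startup\calc.exe",
 * which is exactly what the traversal relies on. */
bool is_single_path_component(const wchar_t *name)
{
    if (name == NULL || name[0] == L'\0')
        return false;
    if (wcscmp(name, L".") == 0 || wcscmp(name, L"..") == 0)
        return false;
    for (const wchar_t *p = name; *p != L'\0'; ++p) {
        if (*p == L'\\' || *p == L'/' || *p == L':' || *p < 0x20)
            return false;
    }
    return true;
}

/* Builds "<tempDirectory>\<name>" into dst. Returns 0 on success and -1
 * when the entry must be skipped: unsafe name or the result would not fit
 * (swprintf returns a negative value instead of truncating). */
int build_destination_path(wchar_t *dst, size_t dstLen,
                           const wchar_t *tempDirectory, const wchar_t *name)
{
    if (!is_single_path_component(name))
        return -1;
    int n = swprintf(dst, dstLen, L"%ls\\%ls", tempDirectory, name);
    if (n < 0 || (size_t)n >= dstLen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample entries, modelled on the directory listing above. */
    const wchar_t *entries[] = {
        L"readme.txt",
        L"..\\..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\calc.exe",
    };
    wchar_t dst[MAXPATH];
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; ++i) {
        if (build_destination_path(dst, MAXPATH, L"C:\\Temp", entries[i]) == 0)
            wprintf(L"copy -> %ls\n", dst);
        else
            wprintf(L"skipped unsafe entry: %ls\n", entries[i]);
    }
    return 0;
}
```

On Windows the same check belongs immediately after FindNextFileW, before the two StringCchPrintfW calls; rejected entries are skipped rather than copied.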