Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Executable installers are vulnerable^WEVIL (case 38): Microsoft's Windows10Upgrade*.exe allows elevation of privilege

From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Thu, 11 Aug 2016 19:54:48 +0200
Hi @ll,

the "Windows 10 Upgrade Assistant" Windows10Upgrade*.exe,
available via <http://go.microsoft.com/fwlink/?LinkId=822783> on
<https://www.microsoft.com/en-us/accessibility/windows10upgrade>, 
via <http://go.microsoft.com/fwlink/?LinkId=821403> on
<https://support.microsoft.com/en-us/help/12387/windows-10-update-history>,
and on <https://www.microsoft.com/en-us/software-download/windows10>,

1. is vulnerable DLL hijacking
   (see <https://cwe.mitre.org/data/definitions/426.html>
   and <https://cwe.mitre.org/data/definitions/427.html>
   for this WELL-KNOWN vulnerability);

2. creates an unsafe directory "C:\Windows10Upgrade\"
   (see <https://cwe.mitre.org/data/definitions/277.html>
   and <https://cwe.mitre.org/data/definitions/732.html>
   for this WELL-KNOWN vulnerability).

Both vulnerabilities allow arbitrary code execution WITH
elevation of privilege!


Ad 1.:
~~~~~~

Applications which are offered as downloads to unsuspecting users
will typically be saved into the users "Downloads" directory ...
which is but a digital minefield: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134>

On a fully patched Windows 7 SP1, Windows10Upgrade*.exe loads
and executes the following DLLs from its "application directory"
(which typically happens to be the users "Downloads" directory):
    cabinet.dll, version.dll, propsys.dll, ntmarta.dll,
    linkinfo.dll, ntshrui.dll, srvcli.dll, cscapi.dll,
    slc.dll, secur32.dll, netutils.dll

On other versions of Windows the list of DLLs may vary.

Since its application manifest specifies "requireAdministrator",
Windows10Upgrade*.exe runs with administrative privileges: all
DLLs it loads and executes run with administrative privileges
too, resulting in arbitrary code execution WITH elevation of
privilege.

If an attacker is able to place the DLLs named above per "drive-by
download" in the users "Downloads" directory this becomes a remote
code execution WITH elevation of privilege.


Ad 2.:
~~~~~~

Upon execution Windows10Upgrade*.exe creates the directory
"C:\Windows10Upgrade\", extracts its payload into it, creates
a shortcut "Windows 10 Upgrade Assistant" in the start menu and
finally starts "C:\Windows10Upgrade\Windows10UpgraderApp.exe"
with administrative privleges.

The (inherited) NTFS permissions of the directory
"C:\Windows10Upgrade\"

   D:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)(A;OICIID;0x1301bf;;;AU)

   BUILTIN\Administrators: full access
   NT AUTHORITY\SYSTEM:    full access
   BUILTIN\Users:          read, execute
   NT AUTHORITY\Authenticated Users: read, write, execute, delete

allow UNPRIVILEGED users to (over)write files in this directory,
for example using the following batch script (the "rogue"
binaries sentinel.exe and sentinel.dll are available from
<http://home.arcor.de/skanthak/sentinel.html>):

--- poc.cmd ---
:WAIT
@If Not Exist "%SystemDrive%\Windows10Upgrade" Goto :WAIT

Copy sentinel.exe "%SystemDrive%\Windows10Upgrade\HTTPHelper.exe"
Copy sentinel.dll "%SystemDrive%\Windows10Upgrade\DXGIDebug.dll"
Copy sentinel.dll "%SystemDrive%\Windows10Upgrade\MSACM32.drv"

For %%! In (mfc42u, odbc32, version, winhttp, webio, xmllite,
            cryptsp, rpcrtremote, api-ms-win-downlevel-shlwapi-l2-1-0,
            sxs, propsys, apphelp, secur32, uxtheme, msls31, oleacc,
            d2d1, dwrite, dxgi, dwmapi, dxgidebug, d3d11, d3d10warp,
            mlang, winmm, slc, iphlpapi, dnsapi, dhcpcsvc, midimap,
            wer) Do Copy sentinel.dll "%SystemDrive%\Windows10Upgrade\%%!.dll"
--- EOF ---

"C:\Windows10Upgrade\Windows10UpgraderApp.exe" loads and executes
these DLLs and EXEs with administrative rights, again resulting in
elevation of privilege.


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2016-08-03    vulnerability report sent to vendor

2016-08-05    vendor replies:
              "We won't be creating an MSRC case for this."

2016-08-11    report published

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: