what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Defense In Depth The Microsoft Way Part 3

Defense In Depth The Microsoft Way Part 3
Posted Jun 17, 2013
Authored by Stefan Kanthak

This is a long advisory detailing a lot of back and forth between Microsoft and a researcher in regards to thousands of binary planting issues.

tags | advisory
SHA-256 | 4e3fd4327955e3fdb8ef5db89ace7b235c3daf12236f829844f610a702d23c65

Defense In Depth The Microsoft Way Part 3

Change Mirror Download
Hi @ll,

many (if not most of the) Windows system utilities and system routines
(including the kernel and its subsystems) as well as many user programs
(including the "shell" Windows Explorer, Windows Media Player, Internet
Explorer, Microsoft Office, etc.) load libraries/satellites at runtime
via filenames read from registry or .INI entries (see examples 0 to 13
below).

Unfortunately, MANY of the references (about 5500 in Windows 7 x64 SP1
and about 4700 in Windows 7 x86 SP1) to libraries/satellites are made
just via their filename, without their (well-known!) fully qualified
path.

Every application/utility/system routine that uses one of these system
routines/subsystems, but has not taken precautions against loading DLLs
and/or satellites from CWD (see <http://support.microsoft.com/kb/2264107>
and <http://support.microsoft.com/kb/2269637>) is thus susceptible to
"binary planting" attacks.


The VERY simple fix/mitigation: ALWAYS use the (well-known!) fully
qualified path to all the libraries/satellites you reference!


JFTR: almost all of the registry entries listed in the examples below
can be specified as (typically) "%SystemRoot%\System32\<library>.dll"
with the REG_EXPAND_SZ data type.


Timeline:

2004-08-23 informed vendor about still unfixed principal security
flaws due to unqualified filenames and Windows' EXE/DLL
search/load order after release of SP2 for Windows XP

JFTR: Microsoft started their "trustworthy computing" initiative in
2001, and XP SP2 was supposed to eliminate many of the errors
Microsoft made in previous versions of NT.

2004-08-25 vendor replies "no vulnerabilities", but forwards report
to product groups/teams

2004-09-02 vendor still wont see vulnerabilities, asks for POC(s)

2008-05-30 vendors publishes
<http://technet.microsoft.com/security/advisory/953818>

2009-04-15 vendor publishes <http://support.microsoft.com/kb/959426>
alias
<http://technet.microsoft.com/security/bulletin/ms09-015>
plus
<http://technet.microsoft.com/security/bulletin/ms09-014>

2010-08-23 vendor publishes
<http://technet.microsoft.com/security/advisory/2269637>
and updates it over and over again since then

2010-08-24 asked vendor in response to advisory 2269637 what the
product groups/teams had done in the past 6 years since
my initial report to eliminate this attack vector

2010-09-04 compiled an exhaustive list with the about 5500(!)
unqualified filenames (and some more errors) in the
registry of Windows 7 x64 and sent it to vendor;
<http://home.arcor.de/skanthak/download/W7_ERROR.INF> and
<http://home.arcor.de/skanthak/download/W7_ISSUE.INF> are
the lists with major/minor errors found in the registry
of Windows 7 x86 SP1

2010-09-11 asked vendor when to expect results from report sent in
2004, and when to expect a properly/thoroughly engineered
Windows with "defense in depth" REALLY applied [*]

2010-09-13 vendor replied (to question from 2010-08-24): we have no
feedback from the product teams

2011-09-13 vendor publishes <http://support.microsoft.com/kb/2570947>
alias
<http://technet.microsoft.com/security/bulletin/ms11-071>

2011-12-28 vendor informs that the BSOD from example 3 was filed as a
stability bug against Windows 8

2012-05-08 vendor publishes<http://support.microsoft.com/kb/2686509>
alias
<http://technet.microsoft.com/security/bulletin/ms12-034>


stay tuned
Stefan

[*] for (german) Windows XP Professional I provide the script
<http://home.arcor.de/skanthak/download/XP_FIXIT.INF> that corrects
the errors in the registry which remain after fixing the scripts
\i386\DMREG.INF and \i386\HIVE*.INF and the errors in installed
*.theme and generated DESKTOP.INI files which remain after fixing
the \i386\*.TH_ files (usage instructions included in the script).

PS: if you missed part 1 and/or part 2, see
<http://seclists.org/fulldisclosure/2013/May/107> and
<http://seclists.org/fulldisclosure/2013/Jun/6>


Example 0:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\xxxxxxxx]
"Layout File"="KBDxyz.DLL"

Fixed with <http://support.microsoft.com/kb/2686509> alias
<http://technet.microsoft.com/security/bulletin/ms12-034>

JFTR: Microsoft started their "trustworthy computing" initiative in
2001; 11 years later they still have loads of silly security
holes due to their sloppy attitude!


Example 1:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="userinit.exe"

Fixed with <http://support.microsoft.com/kb/269049> alias
<http://technet.microsoft.com/security/bulletin/ms00-052>

JFTR: the vulnerability with "Userinit"="userinit.exe" was introduced
when <http://support.microsoft.com/kb/249321> was applied.


Example 2: NETSH.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh]
"<name>"="<library>.dll"
... some 20 more entries ...

POC: download <http://home.arcor.de/skanthak/download/SENTINEL.DLL> or
<http://www.binaryplanting.com/demo/program_manager_group_converter/imm.dll>
and store it with the name of one of the DLLs listed in the above
registry key (or add a registry entry "0"="SENTINEL.DLL" resp.
"0"="imm.dll" there); copy the 32-bit version of NETSH.EXE into
a second directory; open a command prompt, "cd" into the directory
where you downloaded the DLL; run the copy of NETSH.EXE from the
command prompt and admire the application popup from the DLL.-)

On 64-bit systems download
<http://www.binaryplanting.com/demo/program_manager_group_converter_64/imm.dll>
and proceed like above.

JFTR: if you think "ouch! how complicated" please check whether you've
ever copied utilities like NETSH.EXE to another location, for
instance your \\%LOGONSERVER%\NETLOGON\ share, and run them from
there during logon (see <http://support.microsoft.com/kb/264061>
and <http://support.microsoft.com/kb/306850>).

"Once bitten twice shy"? Not in Redmond, not at Microsoft!


Example 3: the font drivers of the Win32 (kernel) subsystem

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers]
"Adobe Type Manager"="atmfd.dll"

JFTR: change this entry to =expand:"%SystemRoot%\\System32\\atmfd.dll",
then start another user session (via fast user switching or RDP)
and admire the BSOD "STOP 0x50 PAGE_FAULT_IN_NONPAGEABLE_AREA" in
CSRSS.EXE due to a silly programming error in the code evaluating
the environment variable %SystemRoot%. OUCH!

"Adobe Type Manager"="C:\\Windows\\System32\\atmfd.dll" but works.


Example 4: the SPOOLER

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Print Processors\winprint]
"Driver"="winprint.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port]
"Driver"="localspl.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Microsoft Shared Fax Monitor]
"Driver"="FXSMON.DLL"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port]
"Driver"="tcpmon.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\USB Monitor]
"Driver"="usbmon.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\WSD Port]
"Driver"="WSDMon.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\Internet Print Provider]
"Name"="inetpp.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services]
"Name"="win32spl.dll"

JFTR: when these registry entries are changed to
"<...>"=expand:"%SystemRoot%\\System32\\<library>.dll"
the SPOOLER silently fails: no port monitors and no print providers
are loaded, but no event log entry is written and no other indication
of the fault given to the user!

"<...>"="C:\\Windows\\System32\\<library>.dll" but works.


Example 5: the RPC service/system

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\ClientProtocols]
"ncacn_ip_tcp"="rpcrt4.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions]
"NdrOleExtDll"="Ole32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService]
"9"="secur32.dll"


Example 6: the cryptography subsystem

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="credssp.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Identity Device (Microsoft Generic Profile)]
"80000001"="msclmd.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Identity Device (NIST SP 800-73 [PIV])]
"80000001"="msclmd.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]
"Image Path"="basecsp.dll"

... some 100 entries more ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{guidguid-guid-guid-guid-guidguidguid}]
"$DLL"="WINTRUST.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\<oid>]
"$DLL"="WINTRUST.DLL"


Example 7: OLE and COM

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42071714-76d4-11d1-8b24-00a0c9068ff3}\InprocServer32]
@="deskpan.dll"

This ONE was fixed with <http://support.microsoft.com/kb/2570947>
alias <http://technet.microsoft.com/security/bulletin/ms11-071>

The following HUNDREDS are still lurking around and waiting to be exploited!

JFTR: <http://msdn.microsoft.com/library/ms691424.aspx> says:

| LocalServer Specifies the full path to a 16-bit local server application.
~~~~~~~~~
| LocalServer32 Specifies the full path to a 32-bit local server application.
~~~~~~~~~
<http://msdn.microsoft.com/library/ms682390.aspx> says:

| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
| {CLSID}
| InprocServer32
| (Default) = path
~~~~
<http://msdn.microsoft.com/library/ms694328.aspx> says:

| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
| {CLSID}
| InprocServer
| (Default) = path
~~~~
At Microsoft, we dont read our own documentation, we dont care!

POC: download <http://home.arcor.de/skanthak/download/SENTINEL.DLL> or
<http://www.binaryplanting.com/demo/program_manager_group_converter/imm.dll>
and store it as DPNET.DLL; copy the 32-bit version of WSCRIPT.EXE
or CSCRIPT.EXE into a second directory; create a file POC.VBS with
the following single line: CreateObject("DirectPlay8.Peer.1")
open a command prompt, "cd" into the directory where you downloaded
the DLL; run the copy of WSCRIPT.EXE or CSCRIPT.EXE with POC.VBS as
argument from the command prompt and admire the application popup
from the DLL.-)

JFTR: you can use any other program which instanciates COM objects instead
of the Windows Script Host!


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000300-0000-0000-C000-000000000046}\InprocServer32]
@="ole32.dll"

... some 100 entries more ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{guidguid-guid-guid-guid-guidguidguid}\InprocServer32]
@="<library>.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{guidguid-guid-guid-guid-guidguidguid}\LocalServer]
@="<program>.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{guidguid-guid-guid-guid-guidguidguid}\LocalServer32]
@="<program>.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D3E34B21-9D75-101A-8C3D-00AA001A1652}\InProcHandler32]
@="ole32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC5DA001-7CD4-11D2-8ED9-D8C857F98FE3}\Server]
@="mscorld.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFC9F9AE-E87A-3252-8E25-B22423A40065}\InprocServer32]
@="mscoree.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OLETransactionManagers\MSDTC]
"DLL"="MSDTCPRX.DLL"

... some 100 entries more ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{guidguid-guid-guid-guid-guidguidguid}\x.y\z\win16]
@="<library>.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{guidguid-guid-guid-guid-guidguidguid}\i.j\k\win32]
@="<library>.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{guidguid-guid-guid-guid-guidguidguid}\a.b\c\win64]
@="<library>.dll"


Example 8: the group policies' client side extensions

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{guidguid-guid-guid-guid-guidguidguid}]
"DisplayName"="@<library>.dll,-100"
"DllName"=expand:"<library>.dll"


Example 9: directplay

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlay\Service Providers\Internet TCP/IP Connection For DirectPlay]
"Gateway"="dpnhpast.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlay\Service Providers\Internet TCP/IP Connection For DirectPlay]
"Path"="dpwsockx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlay\Service Providers\Modem Connection For DirectPlay]
"Path"="dpmodemx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlay\Service Providers\Serial Connection For DirectPlay]
"Path"="dpmodemx.dll"


Example 10: misc.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS]
"IGDSearcherDLL"="bitsigd.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching\Plugin]
"WUSearchLibrary"="chkwudrv.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystemUtilities]
"IfsUtilExtension"="ifsutilx.dll"


Example 11: TS Client

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client\TransportExtensions]
"Gateway"="aaclient.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\Addins\<subkey>]
"<name>"="<library>.dll"
...

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\<connection>\Addins\<subkey>]
"<name>"="<library>.dll"
...


Example 12: MMC.EXE, the "Microsoft Management Console"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{guidguid-guid-guid-guid-guidguidguid}]
"ModuleName"="<library>.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\{guidguid-guid-guid-guid-guidguidguid}]
"DescriptionIndirect"="@<library>.dll,-123"
"NameStringIndirect"="@<library>.dll,-123"


Example 13: DESKTOP.INI (folder customization), *.theme, *.LNK

The shell caches the strings referenced via ="@<library.dll>,-123"
in DESKTOP.INI and *.theme files, *.LNK etc. as well as the registry
below the following registry keys:

[HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache]
"<...>.dll,-123"="...some string..."

[HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache]
"<...>.dll,-123"="...some string..."

Look for yourself which files are loaded without fully qualified path!

JFTR: ONLY IF resource DLLs are loaded with LoadLibraryEx() and the
flag LOAD_LIBRARY_AS_DATAFILE is set (see
<http://msdn.microsoft.com/en-us/ms684179>) there will be no
call to the DllMain entry point.


Counterexample:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\NLS\CodePage]
"<cpid>"="c_<cpid>.nls"

The filenames specified here get prefixed with %SystemRoot%\System32\
before their use.


Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close