Microsoft Machine Debug Manager (mdm) DLL side loading vulnerability
Vulnerability: DLL Hijacking / DLL Side Loading

Advisory URL:
https://ipositivesecurity.com/2017/06/15/microsoft-machine-debug-manager-mdm-insecure-library-loading-allows-code-execution/

------------------------
ABOUT
------------------------

The Machine Debug Manager, mdm.exe, is a program that provides support for
program debugging.

Machine Debug Manager (mdm.exe) is known to be either installed standalone,
or is part of / packaged with the following:

------------------------
Products
------------------------

Riven (Red Orb)
Windows 2000 Professional Debug/Checked Build (Microsoft)
SDKs and Tools (Microsoft)
Visual C++ (Microsoft)
BackOffice Server 2000 (Microsoft)
Visual Studio 6.0 (Microsoft)
MSDN Disc 2466 (Microsoft)
MSDN Disc 1550 (Microsoft)
Windows (Microsoft)
Servers (Microsoft)
Windows 2000 (Microsoft)
Windows 2000 Professional (Microsoft)
SQL Server (Microsoft)
Windows 2000 Professional - Dell Reinstallation CD (Microsoft)
Visual Studio (Microsoft)
Office (Microsoft)
Windows 2000 - Dell Reinstallation CD (Microsoft)
Platforms, Servers, Applications (Microsoft)
Platforms (Microsoft)
Applications, Platforms, Servers (Microsoft)

Note: the list above is not exhaustive.

------------------------
DETAILS
------------------------

During the testing, it was found that MDM is affected with DLL hijacking
vulnerability. The following conditions are required to exploit MDM DLL
hijacking vulnerability:

1. MDM (mdm.exe) is installed
2. Disable script debugging (Other) option is not selected (IE -> Internet
Options -> Advanced)

Tested on Windows 7 SP1, when MDM is installed and enabled on the system,
it was seen to be triggered via multiple Windows applications, as well as
via Windows Administrative service console(s) (*.msc).

When mdm.exe is triggered, it looks for a specific DLL file - msdbgen.dll -
in directories defined in the PATH env variable. It an attacker and / or a
malicious user can place a specially crafted DLL file in any of these
directories, then it is possible to execute arbitrary code with the
privileges of target user. This can potentially result in the attacker
achieving complete control of the affected system.

Exploitation could be performed via multiple Windows applications. A few
scenarios are listed:

------------------------
Exploitation environment:
------------------------

a. Windows 7 SP1
b. Folder - C:\app-folder-RW\ - configured in system PATH env variable
c. Generate calc.exe payload as dll file
msfvenom ap windows/exec cmd=calc.exe af dll ao msdbgen.dll
d. This dll is placed in C:\app-folder-RW\


------------------------
Test Scenario 1 - Microsoft Windows built-in Administrative Service
Consoles
------------------------

This behavior can be exploited even if the target user (administrator /
privileged user) does not run any software.

When the target user (administrator) opens certain Window built-in
administrative tools, mdm.exe is triggered. Some of these *.msc, that
resulted in loading our malicious dll and successfully executed code are:

Services - services.msc
Performance Management - perfmon.msc
Printer Management - printmanagement.msc
Group Policy Editor - gpedit.msc
Resultant Set of Policies - rsop.msc
Component Services - comexp.msc -> triggers services.msc

-> calc opens

In most cases, once the administrator opens up any of the above listed
Windows management service consoles, our code is executed, and then the
service consoles open up with a slight delay. No crashes, easy privilege
escalation and continued persistence without raising flags, eh.

------------------------
Test Scenario 2 - MS Office 2013 SP1 (MS Access)
------------------------

a)
Open MS Access 2013
Menu -> External Data Menu
Select any option - Import Text File / Import XML File etc
-> calc opens

b)
Open MS Access 2013
Create a Table
Export to PDF or Export to Table
-> calc opens

------------------------
Test Scenario 3 - MS Office 2013 SP1 (Excel/Access/Word/others)
------------------------

Open any of the MS Office applications
Menu -> Accounts -> About <app> -> Tech Support
-> calc opens

------------------------
Test Scenario 4.1 - MS HTML Help files (chm)
------------------------

Open any chm file
-> calc opens

------------------------
Test Scenario 4.2 - Product Help Manual Windows (chm)
------------------------

Open any Windows software
Open its Help / Support / Manual / Documentation option
-> calc opens

------------------------

+++++