Hi @ll,

MARSAgentInstaller.exe, the Microsoft Azure Recovery Services Agent,
available via
<https://support.microsoft.com/en-us/help/4020540/fix-the-microsoft-recovery-services-agent-cannot-connect-to-the-obengi>
from
<https://download.microsoft.com/download/9/A/9/9A92B144-3F87-45E1-BD63-C1E9431F2CC0/MARSAgentInstaller.exe>
is vulnerable: it allows arbitrary code execution via DLL hijacking,
resulting in escalation of privilege on standard installations of
Windows.

MARSAgentInstaller.exe version 2.0.9072.0, digitally signed 2017-04-05,
loads and executes (tested on a fully patched Windows 7 SP1) at least
the following DLLs from its application directory (typically
"%USERPROFILE%\Downloads\") instead Windows' system directory
"%SystemRoot%\System32\": Version.dll, CryptDll.dll, CryptSP.dll,
UXTheme.dll or DWMAPI.dll, Cabinet.dll

Thanks to the embedded application manifest which specifies
"requireAdministrator" this results in escalation of privilege on
standard installations of Windows!

See <https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>
<https://capec.mitre.org/data/definitions/471.html>,
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> for this
well-known beginner's error.

See <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,
<http://seclists.org/fulldisclosure/2012/Aug/134> and
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>
for more information.


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit <https://skanthak.homepage.t-online.de/sentinel.html>,
   download
   <https://skanthak.homepage.t-online.de/skanthak/download/SENTINEL.DLL>
   and save it as Cabinet.dll in your "Downloads" directory, then
   copy it as Version.dll, CryptDLL.dll, CryptSP.dll, UXTheme.dll
   and DWMAPI.dll;

2. visit
   <https://support.microsoft.com/en-us/help/4020540/fix-the-microsoft-recovery-services-agent-cannot-connect-to-the-obengi>,
   download
   <https://download.microsoft.com/download/9/A/9/9A92B144-3F87-45E1-BD63-C1E9431F2CC0/MARSAgentInstaller.exe>
   and save it in your "Downloads" directory;

3. execute MARSAgentInstaller.exe from your "Downloads" directory;

4. notice the message boxes displayed from the DLLs placed in step 1:
   PWNED!


Mitigation & detection:
~~~~~~~~~~~~~~~~~~~~~~~

* NEVER run executable installers from your "Downloads" directory;

* dump/avoid executable installers, use *.MSI instead!

* see <https://support.microsoft.com/en-us/kb/2533623>,
  <https://technet.microsoft.com/en-us/security/2269637> and
  <https://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>

* also see <https://skanthak.homepage.t-online.de/verifier.html>
  and <https://skanthak.homepage.t-online.de/!execute.html>



stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2017-05-18    vulnerability report sent to vendor

2017-05-18    reply from vendor:
              "As described in the Windows library search order process,
               loading binaries from the application directory is by design."

2017-05-18    OUCH!
              The "application directory" can be removed from the library
              search path since Windows Vista and KB2533623!
              See <https://msdn.microsoft.com/en-us/library/hh310515.aspx>

2017-05-26    no reply from vendor since 7 days, report published