Microsoft Machine Debug Manager (mdm) DLL side loading vulnerability

Vulnerability: DLL Hijacking / DLL Side Loading
Advisory URL: https://ipositivesecurity.com/2017/06/15/microsoft-machine-debug-manager-mdm-insecure-library-loading-allows-code-execution/

------------------------
ABOUT
------------------------

The Machine Debug Manager, mdm.exe, is a program that provides support for program debugging. Machine Debug Manager (mdm.exe) is known to be either installed standalone, or to be part of / packaged with the following:

------------------------
Products
------------------------

Riven (Red Orb)
Windows 2000 Professional Debug/Checked Build (Microsoft)
SDKs and Tools (Microsoft)
Visual C++ (Microsoft)
BackOffice Server 2000 (Microsoft)
Visual Studio 6.0 (Microsoft)
MSDN Disc 2466 (Microsoft)
MSDN Disc 1550 (Microsoft)
Windows (Microsoft)
Servers (Microsoft)
Windows 2000 (Microsoft)
Windows 2000 Professional (Microsoft)
SQL Server (Microsoft)
Windows 2000 Professional - Dell Reinstallation CD (Microsoft)
Visual Studio (Microsoft)
Office (Microsoft)
Windows 2000 - Dell Reinstallation CD (Microsoft)
Platforms, Servers, Applications (Microsoft)
Platforms (Microsoft)
Applications, Platforms, Servers (Microsoft)

Note: the list above is not exhaustive.

------------------------
DETAILS
------------------------

During testing, it was found that MDM is affected by a DLL hijacking vulnerability. The following conditions are required to exploit it:

1. MDM (mdm.exe) is installed
2. The "Disable script debugging (Other)" option is not selected (IE -> Internet Options -> Advanced)

Tested on Windows 7 SP1: when MDM is installed and enabled on the system, it was seen to be triggered by multiple Windows applications, as well as by the Windows administrative service consoles (*.msc). When mdm.exe is triggered, it looks for a specific DLL file, msdbgen.dll, in the directories defined in the PATH environment variable.
If an attacker or a malicious user can place a specially crafted DLL file in any of these directories, it is possible to execute arbitrary code with the privileges of the target user. This can potentially result in the attacker achieving complete control of the affected system. Exploitation could be performed via multiple Windows applications. A few scenarios are listed below.

------------------------
Exploitation environment:
------------------------

a. Windows 7 SP1
b. Folder C:\app-folder-RW\ (writable by the low-privileged user) is configured in the system PATH environment variable
c. Generate a calc.exe payload as a DLL file:

   msfvenom -p windows/exec CMD=calc.exe -f dll -o msdbgen.dll

d. This DLL is placed in C:\app-folder-RW\

------------------------
Test Scenario 1 - Microsoft Windows built-in Administrative Service Consoles
------------------------

This behavior can be exploited even if the target user (administrator / privileged user) does not run any third-party software. When the target user (administrator) opens certain Windows built-in administrative tools, mdm.exe is triggered. Some of the *.msc consoles that resulted in loading our malicious DLL and executing code are:

Services - services.msc
Performance Monitor - perfmon.msc
Print Management - printmanagement.msc
Group Policy Editor - gpedit.msc
Resultant Set of Policy - rsop.msc
Component Services - comexp.msc -> triggers services.msc -> calc opens

In most cases, once the administrator opens any of the consoles listed above, our code is executed and then the console opens with a slight delay. No crashes, easy privilege escalation and continued persistence without raising flags.
------------------------
Test Scenario 2 - MS Office 2013 SP1 (MS Access)
------------------------

a) Open MS Access 2013
   Menu -> External Data
   Select any option (Import Text File / Import XML File, etc.) -> calc opens

b) Open MS Access 2013
   Create a Table
   Export to PDF or Export to Table -> calc opens

------------------------
Test Scenario 3 - MS Office 2013 SP1 (Excel/Access/Word/others)
------------------------

Open any of the MS Office applications
Menu -> Account -> About -> Tech Support -> calc opens

------------------------
Test Scenario 4.1 - MS HTML Help files (chm)
------------------------

Open any chm file -> calc opens

------------------------
Test Scenario 4.2 - Product Help Manual Windows (chm)
------------------------

Open any Windows software
Open its Help / Support / Manual / Documentation option -> calc opens

------------------------
+++++
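The exploitation environment above depends on a user-writable directory being present in the machine-wide PATH (condition b) and on mdm.exe being installed (condition 1). The following PowerShell script is an added example written for this page, not code from the advisory author or from Microsoft; it audits those two preconditions from an unprivileged shell by probing each system PATH directory for write access with a real file-creation attempt (ACL inspection alone misses inherited and group grants), reporting whether msdbgen.dll is already planted there, and flagging PATH entries that do not exist (a creatable missing directory is searched just the same). The assumption that the Machine Debug Manager registers a Windows service named "MDM" is mine and is marked in the code.

```powershell
# Added example (not part of the original advisory): audit the system PATH for
# directories the current (low-privileged) user can write to, which is the
# precondition for planting msdbgen.dll, and check whether mdm.exe is present.
# Assumption (not stated in the advisory): MDM is registered as a service named "MDM".

$dllName = 'msdbgen.dll'

# Read the machine-wide PATH from the registry rather than $env:PATH so that
# per-user PATH additions neither hide nor add entries.
$regKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$sysPath = (Get-ItemProperty -Path $regKey -Name Path).Path
$dirs    = $sysPath -split ';' |
           Where-Object { $_.Trim() -ne '' } |
           ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) }

$results = foreach ($dir in $dirs) {
    $exists   = Test-Path -LiteralPath $dir -PathType Container
    $writable = $false
    $hasDll   = $false
    if ($exists) {
        # Probe with a random file name; delete it again whether or not the
        # directory turns out to be interesting.
        $probe = Join-Path $dir ([IO.Path]::GetRandomFileName())
        try {
            [IO.File]::WriteAllText($probe, '')
            Remove-Item -LiteralPath $probe -Force
            $writable = $true
        } catch {
            $writable = $false
        }
        $hasDll = Test-Path -LiteralPath (Join-Path $dir $dllName) -PathType Leaf
    }
    [PSCustomObject]@{
        Directory = $dir
        Exists    = $exists
        Writable  = $writable
        HasDll    = $hasDll
    }
}

$results | Format-Table -AutoSize

# Assumed service name; mdm.exe may still exist on disk without this service.
$mdm = Get-Service -Name 'MDM' -ErrorAction SilentlyContinue
if ($mdm) {
    "mdm.exe appears to be installed (service '$($mdm.Name)', status $($mdm.Status))"
} else {
    "No service named 'MDM' found; check for mdm.exe on disk before ruling MDM out"
}

$risky = $results | Where-Object { $_.Writable -or $_.HasDll -or -not $_.Exists }
if ($risky) {
    "PATH entries that need attention (writable, missing, or already containing $dllName):"
    $risky | ForEach-Object {
        "  $($_.Directory)  exists=$($_.Exists) writable=$($_.Writable) hasDll=$($_.HasDll)"
    }
} else {
    "No writable or missing system PATH directories found for the current user."
}
```

Run it as the low-privileged account you are assessing, not as an administrator, since the question is what that account can write. Any directory reported as writable (or missing but creatable) is a candidate for the msdbgen.dll plant described above; the fix on the defensive side is to remove the entry from the system PATH or to restrict its ACL so that only administrators can create files there.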