Defense in depth -- the Microsoft way (part 30): on exploitable Win32 functions

From: Stefan Kanthak <stefan.kanthak@nexgo.de>
To: bugtraq@securityfocus.com
Cc: fulldisclosure@seclists.org
Subject: Defense in depth -- the Microsoft way (part 30): on exploitable Win32 functions
Date:


Hi @ll,

since Microsoft won't -- despite (hopefully not only) my constant
nagging and quite some bug reports about unquoted command lines
for more than a dozen years now -- fix the BRAINDEAD behaviour
of Windows' CreateProcess*() functions to play try&error instead
of returning on error to their caller when interpreting their
lpCommandLine argument which lets the BLOODY BEGINNER's error
known as CWE-428 <https://cwe.mitre.org/data/definitions/428.html>
go undetected, I'll show some methods including the preconditions
on how to exploit it, i.e. execute a file of my choice.

JFTR: none of these methods should be new or unknown to any
      Windows administrator, developer or QA engineer.-P

JFTR: in Microsoft's own terms these methods don't qualify as
      security vulnerabilities due to their precondition(s).


#1. Preconditions:

    * a file in %SystemDrive%\ which can be opened with the
      access rights GENERIC_WRITE | DELETE and the attribute
      FILE_FLAG_BACKUP_SEMANTICS;

    * a user account holding the privilege SE_RESTORE_NAME.

    <https://msdn.microsoft.com/en-us/library/aa365543.aspx>

    Exploit:

    handle = CreateFile(L"C:\\...", GENERIC_WRITE | DELETE,
                        ..., NULL, OPEN_EXISTING,
                        FILE_FLAG_BACKUP_SEMANTICS, NULL);
    SetFileShortName(handle, L"PROGRAM.EXE)


#2. Preconditions:

    * an empty file in %SystemDrive%\ which can be opened with
      the access rights FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES
      and the attribute FILE_FLAG_OPEN_REPARSE_POINT;

    * a user account holding the privileges SE_RESTORE_NAME and
      SE_CREATE_SYMBOLIC_LINK_NAME.

    Exploit:

    handle = CreateFile(L"C:\\...",
                        FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES,
                        ..., NULL, OPEN_EXISTING,
                        FILE_FLAG_OPEN_REPARSE_POINT, NULL);
    DeviceIoControl(handle, FSCTL_SET_REPARSE_POINT, ...


Now wait until some program written by a dimwit of a developer
who (and of course his/her supervisors and QA too) never heard
of "long" filenames (which means they must have lived beneath
a rock for more than 20 years) executes your C:\PROGRAM.EXE

20+ years old: <https://support.microsoft.com/kb/102739/en-us>
               <https://support.microsoft.com/kb/134425/en-us>
~20 years old: <https://support.microsoft.com/kb/170669/en-us>
10+ years old: <https://support.microsoft.com/kb/812486/en-us>


Primary candidates: Apple iTunes, Microsoft .NET Framework 3.5
SP1 x64 (as preinstalled on Windows 7 x64 and Windows 2008 R2 AD
controllers), WHQL-certified drivers from HP, ALPS[*], Realtek[*],
Samsung, Synaptics, ... (many of those are available per Windows
Update and the Microsoft Update Catalog), MANY games, ...


As Microsoft's Aaron Margosis wrote last November pointing out
this BLOODY BEGINNER's error is unnessarily alarmist:
<http://blogs.msdn.com/b/aaron_margosis/archive/2014/11/14/it-rather-involved-being-on-the-other-side-of-this-airtight-hatchway-unqu
oted-service-paths.aspx>

Of course all non-alarmists know for sure that the above named
preconditions don't exist anywhere.-(


What but REALLY alarmist is: companies like Apple release version
after version of their products/drivers^Wcrapware without the
TRIVIAL fix for this well-known vulnerability, even when notified
over and over again!


"Defense in depth"?
Nope!

"Software engineering"?
Nope!

BRAINDEAD behaviour of Windows CreateProcess*() functions?
Yes, of course, always!

Taking care for the safety and security of their customers systems?
Nope!


stay tuned (and far away from crapware!)
Stefan Kanthak

[*] see <https://support.microsoft.com/library/images/2647325.png>





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.