BugTraq
Defense in depth -- the Microsoft way (part 6): beginner's errors, QA sound asleep or out of sight!
Aug 07 2013 12:11AM
Stefan Kanthak (stefan kanthak nexgo de)
Hi,

the installation of Microsoft's much acclaimed "security tool"
EMET 3.0 (see <http://www.microsoft.com/emet> and
<http://support.microsoft.com/kb/2458544>) creates the following
VULNERABLE registry entry that runs a rogue program C:\PROGRA.EXE
(as well as "C:\Program Files.exe" on x64) in the security context
of the user logging on:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EMET Notifier"="C:\\Program Files\\EMET\\EMET_notifier.exe" ; x86
"EMET Notifier"="C:\\Program Files (x86)\\EMET\\EMET_notifier.exe" ; x64

JFTR: the vulnerability is caused by one of Windows' documented
(see <http://msdn.microsoft.com/library/ms682425.aspx>) idiosyncrasies:
CreateProcess() does NOT fail on calls with arguments like
C:\Program Files\Common Files\Microsoft Shared\<filename>[.<extension>]
but tries to execute
"C:\Progra.exe"
"C:\Program Files\Common.exe"
"C:\Program Files\Common Files\Microsoft.exe"
"C:\Program Files\Common Files\Microsoft Shared\<filename>[.<extension>]"
in turn, to cover the BEGINNERS' ERRORS of incapable developers who are
unable to handle "long" pathnames with embedded spaces properly.

Whoever decided to implement this idiosyncrasy some 20 years ago was
incapable too and did not recognize the consequences of this
idiosyncrasy^Widiotic behaviour!

The same beginner's error is (for example) present in all versions
of "Microsoft Security Essentials" before 4.2 and was only recently
fixed with <https://support.microsoft.com/kb/2805304>:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client]
"UninstallString"="C:\\Program Files\\Microsoft Security Client\\Setup.exe /X"

Some of Microsoft's developers (and of course their QA) apparently
don't know their company's own documentation;
cf. <http://msdn.microsoft.com/library/ms997548.aspx>:

| The path you supply to Uninstall-String must be the complete
| command line used to carry out your uninstall program.

JFTR: "Add/Remove Programs" of current versions of Windows (XP SP2
and newer) mitigates this error and inserts the missing quotes in
front of the string and after the first "<filename>" or
"<filename.extension>". This kludge is, however, NOT documented!
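As an added example (written for this edit; it is neither part of Kanthak's post nor of his SENTINEL tools), the following Python models the two behaviours discussed above without executing anything: createprocess_candidates() enumerates the files CreateProcess() tries, in order, for an unquoted command line, following the rule on the MSDN page linked above (each space-delimited prefix, with ".exe" appended when the prefix has no extension); resolve() picks the one that would actually run, given an injected `exists` predicate that stands in for the file system (an assumption, so the search can be simulated on any OS); and arp_quote_kludge() reproduces the undocumented Add/Remove Programs fix-up for an unquoted UninstallString. The kludge is modelled for ".exe" only, and quoting the whole string when no ".exe" token is found is an assumption for the extension-less case the post leaves open.

```python
# Added example, not from the original post: models CreateProcess()'s handling of
# unquoted command lines and the Add/Remove Programs quoting kludge. Nothing here
# touches the registry or starts a process.
import ntpath
import re


def createprocess_candidates(cmdline):
    """Files CreateProcess() tries for CMDLINE, in order (MSDN ms682425).
    A command line starting with a quote names exactly one module; an unquoted
    one is tried prefix by prefix at every space, with ".exe" appended whenever
    the prefix's last token carries no extension."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end < 0:
            raise ValueError("unterminated quote in command line")
        return [cmdline[1:end]]
    tokens = cmdline.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if not ntpath.splitext(tokens[i - 1])[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def resolve(cmdline, exists):
    """The module CreateProcess() would run: the first candidate for which
    EXISTS(path) is true, or None. EXISTS is injected (an assumption standing
    in for the Windows file system) so the search can be simulated anywhere."""
    for cand in createprocess_candidates(cmdline):
        if exists(cand):
            return cand
    return None


# First space-delimited token that ends in ".exe" (case-insensitive).
EXE_TOKEN = re.compile(r'\S+\.exe(?=\s|$)', re.IGNORECASE)


def arp_quote_kludge(uninstall_string):
    """Model of the quoting Add/Remove Programs (XP SP2+) silently applies to
    an unquoted UninstallString: opening quote in front, closing quote after
    the first token ending in .exe. Assumption: with no such token the whole
    string is quoted. An already quoted string is returned unchanged."""
    s = uninstall_string.strip()
    if s.startswith('"'):
        return s
    m = EXE_TOKEN.search(s)
    if m is None:
        return '"' + s + '"'
    return '"' + s[:m.end()] + '"' + s[m.end():]


if __name__ == "__main__":
    # Constructed file system: a rogue C:\Program.exe sits next to the real tool.
    fake_fs = {p.lower() for p in (r"C:\Program.exe",
                                   r"C:\Program Files\EMET\EMET_notifier.exe")}
    exists = lambda p: p.lower() in fake_fs
    for cmd in (r"C:\Program Files\EMET\EMET_notifier.exe",
                r'"C:\Program Files\EMET\EMET_notifier.exe"'):
        print(cmd, "->", createprocess_candidates(cmd), "runs:", resolve(cmd, exists))
    print(arp_quote_kludge(r"C:\Program Files\Microsoft Security Client\Setup.exe /X"))
```

With the rogue file present, the unquoted EMET entry resolves to C:\Program.exe while the quoted form of the same path resolves to the notifier itself; that difference is the whole point of quoting.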

<https://support.microsoft.com/kb/2781197> or
<https://support.microsoft.com/kb/2823482> alias
<https://technet.microsoft.com/security/bulletin/ms13-034> fixed
another unquoted pathname in Windows Defender on Windows 8, while
<https://support.microsoft.com/kb/2847927> alias
<https://technet.microsoft.com/security/bulletin/ms13-058> fixed it
in Windows Defender on Windows 7 and Windows Server 2008 R2, where
this beginner's error allowed the execution of a rogue program
C:\PROGRA.EXE in the security context of "LocalSystem".

On a fully patched Windows 7 x64 take a look at:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37efd44d-ef8d-41b1-940d-96973a50e9e0}\Shell\Open\Command]
@=expand:"%ProgramFiles%\\Windows Sidebar\\sidebar.exe /showGadgets"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\Gadgets\command]
@="C:\\Program Files\\Windows Sidebar\\sidebar.exe /showGadgets"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaServer:1\shell\Open Media Player\command]
@=expand:"C:\\Program Files\\Windows Media Player\\wmplayer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.gadget\shell\open\command]
@=expand:"%ProgramFiles%\\Windows Sidebar\\Sidebar.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\Windows Media Player\shell\open\command]
@=expand:"%ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SideShow\Gadgets\{591248b9-ad35-47c2-b2fa-2d7c120adc79}]
"StartCommand"=expand:"%programFiles%\\Windows Media Player\\WMPSideShowGadget.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Keyboard\Native Media Players\WMP]
"ExePath"="C:\\Program Files\\Windows Media Player\\wmplayer.exe"

On a fully patched Windows XP take a look at:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\MPlayer2]
"Player.Path"="C:\\Program Files\\Windows Media Player\\mplayer2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer]
"Player.Path"="C:\\Program Files\\Windows Media Player\\wmplayer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\shell\open\command]
@="C:\\Program Files\\Windows Media Player\\wmplayer.exe /Open ""%L"""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\shell\play\command]
@="C:\\Program Files\\Windows Media Player\\wmplayer.exe /Play ""%L"""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSDASC\shell\open\command]
@="Rundll32.exe C:\\Program Files\\Common Files\\System\\OLE DB\\oledb32.dll,OpenDSLFile %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSInfo.Document\Shell\Open\Command]
@="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\MSInfo32.exe /msinfo_file %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\x-internet-signup\Shell\Open\command]
@=expand:"%ProgramFiles%\\Internet Explorer\\Connection Wizard\\ISIGNUP.EXE %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\IM\Windows Messenger\shell\open\command]
@=expand:"%ProgramFiles%\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\Windows Media Player\shell\open\command]
@="C:\\Program Files\\Windows Media Player\\wmplayer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{068B0700-718C-11d0-8B1A-00A0C91BC90E}\LocalServer32]
@="C:\\Program Files\\Netmeeting\\conf.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3E9BAF2D-7A79-11d2-9334-0000F875AE17}\LocalServer32]
@="C:\\Program Files\\Netmeeting\\conf.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472FDD38-C8CE-4417-9138-C437B0445EBC}\LocalServer32]
@="C:\\Program Files\\Movie Maker\\moviemk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{855B6281-563C-4462-8C6D-5326CA1D4FE4}\LocalServer32]
@="C:\\Program Files\\MSN Gaming Zone\\Windows\\zclientm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C3ADF99-CCFE-11d2-AD10-00C04F72DD47}\LocalServer32]
@="C:\\Program Files\\Netmeeting\\conf.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A1031BAF-3039-4dd6-BC5E-522F007DAF8B}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB1D8565-40E9-4616-984D-98465687E82C}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B69003B3-C55E-4b48-836C-BC5946FC3B28}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BBBFCB14-3B21-491c-9E2A-B0F3D50F83FD}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BC20CB75-A981-460e-81D4-F06F61B59247}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF66AFC9-C61D-404a-B535-64FBF91D420F}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E0B8F398-BB08-4298-87F0-34502693902E}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E3A3B1D9-5675-43c0-BF04-37BE11939FB7}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3A614DC-ABE0-11d2-A441-00C04F795683}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB7199AB-79BF-11d2-8D94-0000F875C541}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583}]
"Exec"="%windir%\\Network Diagnostic\\xpnetdiag.exe"

OUCH!

"Long" pathnames containing spaces have existed in Windows for about
20 years now; EVERY developer should know how to use them properly,
and EVERY QA should check their proper use!

JFTR: unfortunately not only Microsoft's developers are incapable;
Mozilla Firefox and Thunderbird for example create the following
registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 22.0 (x86 en-US)]
"UninstallString"="C:\\Program Files\\Mozilla Firefox\\uninstall\\helper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 17.0.8 (x86 en-US)]
"UninstallString"="C:\\Program Files\\Mozilla Thunderbird\\uninstall\\helper.exe"

Intel too apparently can't afford developers past beginner level, or
a QA, and makes "privilege escalation" really easy:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AMPPALR3]
"ImagePath"=expand:"C:\\Program Files\\Intel\\BluetoothHS\\BTHSAmpPalService.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EvtEng]
"ImagePath"=expand:"C:\\Program Files\\Intel\\WiFi\\bin\\EvtEng.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jhi_service]
"ImagePath"=expand:"C:\\Program Files (x86)\\Intel\\Intel(R) Management Engine Components\\DAL\\jhi_service.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LMS]
"ImagePath"=expand:"C:\\Program Files (x86)\\Intel\\Intel(R) Management Engine Components\\LMS\\LMS.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyWiFiDHCPDNS]
"ImagePath"=expand:"C:\\Program Files\\Intel\\WiFi\\bin\\PanDhcpDns.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegSrvc]
"ImagePath"=expand:"C:\\Program Files\\Common Files\\Intel\\WirelessCommon\\RegSrvc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}]
"UninstallString"="C:\\Program Files (x86)\\Intel\\Intel (R) Management Engine Components\\Uninstall\\setup.exe -uninstall"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}]
"UninstallString"="C:\\Program Files (x86)\\Intel\\Intel (R) Processor Graphics\\Uninstall\\setup.exe -uninstall"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}]
"UninstallString"="C:\\Program Files (x86)\\Intel\\OpenCL SDK\\2.0\\Uninstall\\setup.exe -uninstall"
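As an added example that is not part of the original post (and not Kanthak's SENTINEL tooling), the following Python audits text in regedit export format for exactly the class of entries listed above: Run, shell\open\command, LocalServer32, ImagePath and UninstallString values whose executable path contains spaces but is not quoted, plus Rundll32/Regsvr32 command lines whose DLL argument is unquoted. It is a pure text scanner, so it runs on any OS against the constructed sample embedded below (modelled on the post's entries) or against a saved .reg export. Assumptions: the post's "expand:" notation is accepted for REG_EXPAND_SZ data, the environment used to expand %ProgramFiles% and friends is a hard-coded stand-in rather than a real host's, and the DLL argument of rundll32/regsvr32 is treated as space-split in the same way the post describes for CreateProcess().

```python
# Added example, not from the original post: a text-only auditor for command-line
# values in regedit export (.reg) syntax. It never touches a live registry.
import ntpath
import re

# Constructed sample modelled on the entries quoted in the post; not a real export.
# The post's "expand:" notation for REG_EXPAND_SZ data is accepted alongside plain strings.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EMET Notifier"="C:\\Program Files\\EMET\\EMET_notifier.exe"
"Quoted Entry"="\"C:\\Program Files\\EMET\\EMET_notifier.exe\" /verbose"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSDASC\shell\open\command]
@="Rundll32.exe C:\\Program Files\\Common Files\\System\\OLE DB\\oledb32.dll,OpenDSLFile %1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EvtEng]
"ImagePath"=expand:"%ProgramFiles%\\Intel\\WiFi\\bin\\EvtEng.exe"
"Start"=dword:00000002
'''

# Assumed environment for expanding %NAME% in REG_EXPAND_SZ data (not read from a host).
ENV = {"programfiles": r"C:\Program Files", "programfiles(x86)": r"C:\Program Files (x86)",
       "systemroot": r"C:\Windows", "windir": r"C:\Windows"}

KEY_RE = re.compile(r'^\[(.+)\]$')
# "Name"="data", @="data", and the post's "Name"=expand:"data" / @=expand:"data" forms.
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(?:expand:)?"((?:[^"\\]|\\.)*)"$')
EXEC_EXTS = (".exe", ".com", ".bat", ".cmd")
LOADERS = {"rundll32.exe", "regsvr32.exe"}   # load the DLL named by their first argument


def unescape(s):
    # .reg strings escape with a backslash: "\\" is a backslash, "\"" is a quote.
    return re.sub(r'\\(.)', r'\1', s)


def expand_env(s):
    # Expand %NAME% via ENV; unknown names and %1 / %L placeholders are left untouched.
    return re.sub(r'%([^%]+)%', lambda m: ENV.get(m.group(1).lower(), m.group(0)), s)


def first_file_tried(path, ext):
    """The file a space-splitting loader tries first for an unquoted PATH: the text up
    to the first space, with EXT appended when that piece has no extension of its own."""
    head = path.split(" ", 1)[0]
    return head if ntpath.splitext(head)[1] else head + ext


def split_first_path(cmd, exts):
    """Return (path, rest, quoted). A quoted path ends at the closing quote. An unquoted
    one is taken to run up to the first space-delimited token ending in one of EXTS, so a
    path with embedded spaces spans several tokens; a rundll32 ",Entry" suffix is dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end < 0:
            end = len(cmd)
        return cmd[1:end], cmd[end + 1:].strip(), True
    tokens = cmd.split(" ")
    for i, tok in enumerate(tokens):
        base = tok.split(",", 1)[0]
        if base.lower().endswith(exts):
            return " ".join(tokens[:i] + [base]), " ".join(tokens[i + 1:]), False
    return cmd, "", False


def audit_reg_text(text):
    """Return (key, value name, offending path, file tried first) for every command-line
    value whose executable, or rundll32/regsvr32 DLL argument, has an unquoted space."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if not vm or key is None:
            continue
        name = "(Default)" if vm.group(1) is None else unescape(vm.group(1))
        data = expand_env(unescape(vm.group(2)))
        exe, rest, quoted = split_first_path(data, EXEC_EXTS)
        if not quoted and " " in exe:
            findings.append((key, name, exe, first_file_tried(exe, ".exe")))
        # A correctly quoted loader still loads an unquoted DLL argument by the same rule.
        if ntpath.basename(exe).lower() in LOADERS:
            args = rest
            while args.startswith("/"):          # skip switches such as regsvr32's /s
                args = args.partition(" ")[2]
            dll, _, dquoted = split_first_path(args, (".dll", ".ocx"))
            if not dquoted and " " in dll:
                findings.append((key, name, dll, first_file_tried(dll, ".dll")))
    return findings


if __name__ == "__main__":
    for key, name, path, rogue in audit_reg_text(SAMPLE_REG):
        print(f"[{key}]\n  {name}: unquoted {path!r}\n  would try {rogue!r} first")
```

To run it over a real machine, export the hives of interest with regedit (or `reg export`), convert the file from UTF-16 to text, and pass it to audit_reg_text(); the quoted "Quoted Entry" in the sample is there to show that a correctly quoted value produces no finding.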

stay tuned
Stefan Kanthak

PS: if you want to catch such beginner's errors, place a copy of
<http://home.arcor.de/skanthak/download/SENTINEL.EXE> as
"%SystemDrive%\PROGRA.EXE" on your Windows system(s).

If running on "WinSta0" SENTINEL.EXE displays a message box
listing the pathname of the executed process, its command line
and the working directory.

If you want to get rid of the message box "Rogue program ..."
displayed during login, add the following registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DontShowMeThisDialogAgain]
"RogueProgramName"="Yes"

But there are more directories with spaces in their names than
"%ProgramFiles%" alias "%SystemDrive%\Program Files"; start a
command prompt and run the following commands to list them:

For /D /R "%SystemRoot%" %X In ("* *") Do @Echo %X
For /D /R "%ProgramFiles%" %X In ("* *") Do @Echo %X
If Defined ProgramFiles(x86) For /D /R "%ProgramFiles(x86)%" %X In ("* *") Do @Echo %X

In case "%CommonProgramFiles%" / "%CommonProgramFiles(x86)%" are
not subdirectories of "%ProgramFiles%" / "%ProgramFiles(x86)%", run
the commands for these directories too.

And: execution of command lines like
%SystemRoot%\System32\REGSVR32.EXE %ProgramFiles%\...\<filename>[.DLL]
%SystemRoot%\System32\RUNDLL32.EXE %ProgramFiles%\...\<filename>[.DLL],<Entry>
will run a rogue DLL %SystemDrive%\PROGRA.DLL.

To catch the latter, place a copy of
<http://home.arcor.de/skanthak/download/SENTINEL.DLL> as
"%SystemDrive%\PROGRA.DLL" on your Windows system(s).

If running on "WinSta0" SENTINEL.DLL displays a message box
listing the pathname of the executed DLL, the pathname of the
calling process, its command line and the working directory.

Test it with RUNDLL32.EXE SENTINEL.DLL,Entry

For completeness' sake: run the batch script
<http://home.arcor.de/skanthak/download/SENTINEL.CMD>
(with administrative rights) to place SENTINEL.{EXE,DLL} as
%SystemDrive%\PROGRA.{EXE,DLL}, "%ProgramFiles%\COMMON.{DLL,EXE}",
"%ProgramFiles(x86)%\COMMON.{DLL,EXE}" and SENTINEL.EXE with the
appropriate filename next to every directory with space(s) in its
name.

The latter is necessary to catch command lines like
"C:\PROGRA~1\Common Files\...\<filename>[.<extension>]" or
"C:\PROGRA~1\COMMON~1\Microsoft Shared\...\<filename>[.<extension>]" etc.
