BugTraq
Defense in depth -- the Microsoft way (part 42): Sysinternals utilities load and execute rogue DLLs from %TEMP% Aug 11 2016 06:15PM
Stefan Kanthak (stefan kanthak nexgo de)
Hi @ll,

several of Microsoft's Sysinternals utilities extract executables
to %TEMP% and run them from there; the extracted executables are
vulnerable to DLL hijacking, allowing arbitrary code execution in
every user account and escalation of privilege in "protected
administrator" accounts [*].

* CoreInfo.exe:
extracts on x64 an embedded CoreInfo64.exe to %TEMP% which loads
%TEMP%\VERSION.DLL (on Windows Vista and newer)
and executes it with the callers credentials.

* Disk2VHD.exe:
extracts on Windows 2003 and newer, both x86 and x64, an embedded
Disk2VHD-tmp.exe to %TEMP% which loads
%TEMP%\UXTHEME.DLL
%TEMP%\VERSION.DLL (on Windows Vista and newer),
and executes it with administrative privileges on Windows Vista
and newer, and with the callers credentials on Windows 2003.

* DiskView.exe:
extracts on x64 an embedded DiskView64.exe to %TEMP% which loads
%TEMP%\UXTHEME.DLL
and executes it with administrative privileges on Windows Vista
and newer, and with the callers credentials on Windows 2003 and
Windows XP.

* ProcMon.exe:
extracts on x64 an embedded ProcMon64.exe to %TEMP% which loads
%TEMP%\UXTHEME.DLL,
%TEMP%\VERSION.DLL (on Windows Vista and newer),
and executes it with the callers credentials.

* RAMMap.exe:
extracts on x64 an embedded RAMMap64.exe to %TEMP% which loads
%TEMP%\SETUPAPI.DLL (on Windows 2003),
%TEMP%\UXTHEME.DLL,
%TEMP%\VERSION.DLL (on Windows Vista and newer),
and executes them with administrative privileges on Windows Vista
and newer, and with the callers credentials on Windows 2003.

* VMMap.exe:
extracts on x64 an embedded VMMap64.exe to %TEMP% which loads
%TEMP%\CLBCATQ.DLL (on Windows 2003),
%TEMP%\SETUPAPI.DLL (on Windows 2003),
%TEMP%\UXTHEME.DLL,
%TEMP%\VERSION.DLL (on Windows Vista and newer),
and executes them with the callers credentials.

* ZoomIt.exe:
extracts on x64 an embedded ZoomIt64.exe to %TEMP% which loads
%TEMP%\SETUPAPI.DLL (on Windows 2003),
%TEMP%\UXTHEME.DLL,
%TEMP%\VERSION.DLL (on Windows Vista and newer)
and executes them with the callers credentials.

See <https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>,
<https://cwe.mitre.org/data/definitions/277.html>,
<https://cwe.mitre.org/data/definitions/379.html> and
<https://cwe.mitre.org/data/definitions/732.html> for these
WELL-KNOWN and WELL-DOCUMENTED vulnerabilities^Wbeginner's
errors!

Mitigations:
~~~~~~~~~~~~

* Don't use these vulnerable utilities (or other crapware
which runs executables from unsafe directories like %TEMP%)!

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; use
<https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
decode it to "deny execution of files in this directory for
everyone, inheritable to all files in all subdirectories".

stay tuned
Stefan Kanthak

[*] according to Microsoft's own SIR reports, more than half of
the Windows installations which send telemetry data have only
one active user account, i.e. some hundred million Windows
installations are susceptible to this design bug!

Timeline:
~~~~~~~~~

2015-11-02 vulnerability report sent to author and vendor

NO REPLY from author

2015-11-17 vendor replies, opens MSRC case 31724

2016-01-29 vendor replies, closes MSRC case 31724: WONTFIX

2016-08-11 report published

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus