BugTraq
Defense in depth -- the Microsoft way (part 56): 10+ year old security update installers are susceptible to 20+ year old vulnerability Jul 18 2018 10:28AM
Stefan Kanthak (stefan kanthak nexgo de)
Hi @ll,

Microsoft released <https://support.microsoft.com/en-us/help/4336919>
"Description of the security update for the remote code execution
vulnerability in Visual Studio 2010 Service Pack 1: July 10, 2018"
some days ago.

The executable installer VS10SP1-KB4336919-x86.exe offered for
download from <https://aka.ms/vs/10/release/4336919> alias
<https://download.visualstudio.microsoft.com/download/pr/12715017/faaef3d5a7c96735de75d3843e964a5c/VS10SP1-KB4336919-x86.exe>
is but VULNERABLE!

The headers of this "portable executable" give a hint: the
executable installer (really: a self-extractor) was built
10+ years ago.

| C:\Users\Stefan\Downloads>LINK.exe /DUMP /HEADERS VS10SP1-KB4336919-x86.exe
| Microsoft (R) COFF/PE Dumper Version 10.00.40219.01
| Copyright (C) Microsoft Corporation. All rights reserved.
|
|
| Dump of file VS10SP1-KB4336919-x86.exe
|
| PE signature found
|
| File Type: EXECUTABLE IMAGE
|
| FILE HEADER VALUES
| 14C machine (x86)
| 3 number of sections
| 476B6AA0 time date stamp Fri Dec 21 08:26:24 2007
~~~~~~~~~~~~~~~~~~~~~~~~
...
|
| C:\Users\Stefan\Downloads>FILEVER.exe /V VS10SP1-KB4336919-x86.exe
|
| --a-- W32i APP ENU 10.0.40219.493 shp 7,484,104 07-05-2018 vs10sp1-kb4336919-x86.exe
| Language 0x0000 (Neutral)
| CharSet 0x04b0 Unicode
| OleSelfRegister Disabled
| CompanyName Microsoft Corporation
| FileDescription Self-Extracting Cabinet
| InternalName SFXCAB.EXE
| OriginalFilenam SFXCAB.EXE
| ProductName Microsoft Visual Studio 2010
| ProductVersion 6.3.0015.0
| FileVersion 6.3.0015.0 built by: dnsrv
| LegalCopyright ® Microsoft Corporation. All rights reserved.

JFTR: SFXCAB.exe was introduced with Windows 95 and Windows NT4.
And of course there are NEWER versions of this tool available
and still in use at Microsoft: see for example the hotfixes
for Windows Embedded POSReady 2009.

On the other hand, someone by the name of William Henry Gates wrote
a memo titled "Trustworthy computing" 16+ years ago and sent it to
all full time employees of his "garage band":

| From: Bill Gates
| Sent: Tuesday, January 15, 2002 5:22 PM
| To: Microsoft and Subsidiaries: All FTE
| Subject: Trustworthy computing

1. VS10SP1-KB4336919-x86.exe is susceptible to DLL spoofing, a
vulnerability known for 20+ years: it loads multiple system DLLs
from its "application directory", typically the user's "Downloads"
directory %USERPROFILE%\Downloads\, instead of from Windows' "system
directory" %SystemRoot%\System32\, resulting in arbitrary code
execution.

On a fully patched Windows 7 SP1 VS10SP1-KB4336919-x86.exe
loads AT LEAST the following rogue DLLs:
CryptDll.dll, CryptSP.dll

For this well-known and well-documented BEGINNER'S ERROR see
<https://cwe.mitre.org/data/definitions/426.html> and
<https://cwe.mitre.org/data/definitions/427.html> plus
<https://capec.mitre.org/data/definitions/471.html>.

Additionally, see Microsoft's own guidance
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx>,
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> and
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>.

Don't forget to recap Steve Sutton's "Windows NT Security Guidelines"
<http://fy.chalmers.se/~appro/nt/nsaguide.pdf>, or ACROS Security's
<https://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <https://www.ipa.go.jp/security/english/vuln/20170928_dll_en.html>.

Demonstration/proof of concept:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

a) follow the instructions from
<https://skanthak.homepage.t-online.de/minesweeper.html>
and build a minefield of 32-bit forwarder DLLs in your
"Downloads" directory;

b) download the executable installer from
<https://aka.ms/vs/10/release/4336919>
and save it in your "Downloads" directory;

c) execute VS10SP1-KB4336919-x86.exe: notice the message boxes
displayed from the DLLs built in step a!

2. In standard installations of Windows, where the user account
created during Windows setup is used, the UNPRIVILEGED alias
UNELEVATED user (or any program running under this account) can
place arbitrary rogue DLLs in the "Downloads" directory, for
example via "drive-by download".

JFTR: the precondition "user account created during setup" holds
for the vast majority of all Windows installations.
As published in Microsoft's "security intelligence reports"
<https://www.microsoft.com/security/sir/>, from 50% to 75%
of the roughly 600 million Windows installations which provide
telemetry data have only one active user account.

Since the "application manifest" embedded in VS10SP1-KB4336919-x86.exe
specifies "requireAdministrator", the first vulnerability then
results in arbitrary code execution WITH escalation of privilege.
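The two facts the header dumps above and the manifest remark rely on (a COFF build timestamp from 2007, and a manifest that asks for "requireAdministrator") can be checked without LINK.exe or FILEVER.exe. The following Python triage script is an added example, not code from the original post and not a Microsoft tool; the PE image it parses is constructed inline with the values from the dump above, so it is not the real VS10SP1-KB4336919-x86.exe, and the manifest search is a raw byte scan that does not walk the resource directory.

```python
"""Triage an executable installer: read the COFF file header (machine,
section count, TimeDateStamp) and look for the embedded application
manifest's requestedExecutionLevel.

Added example, not Microsoft's or the original poster's code.  The sample
image below is constructed; it is not VS10SP1-KB4336919-x86.exe."""
import re
import struct
from datetime import datetime, timezone
from typing import Optional

IMAGE_FILE_MACHINE_I386 = 0x14C
# Date of the advisory above, used to express the build age.
ADVISORY_DATE = datetime(2018, 7, 18, tzinfo=timezone.utc)


def parse_coff_header(data: bytes) -> dict:
    """Return machine, number of sections and TimeDateStamp from the COFF
    file header that directly follows the 'PE\\0\\0' signature."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of 'PE\0\0'
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": stamp,
        # Seconds since 1970-01-01 UTC; LINK /DUMP prints it in local time,
        # this keeps UTC.
        "built_utc": datetime.fromtimestamp(stamp, tz=timezone.utc),
    }


def requested_execution_level(data: bytes) -> Optional[str]:
    """Scan the raw image for the manifest's requestedExecutionLevel.  The
    manifest is stored as plain XML in an RT_MANIFEST resource, so a byte
    search is enough for triage (assumption: no resource-directory walk)."""
    m = re.search(
        rb'requestedExecutionLevel[^>]*\blevel\s*=\s*["\']([A-Za-z]+)["\']', data)
    return m.group(1).decode("ascii") if m else None


def build_age_years(info: dict, now: Optional[datetime] = None) -> float:
    """Age of the build relative to `now` (default: current UTC time)."""
    now = now or datetime.now(timezone.utc)
    return (now - info["built_utc"]).days / 365.25


def constructed_sample() -> bytes:
    """Constructed minimal image: DOS header + PE signature + a COFF header
    carrying the values from the dump above, then a manifest fragment."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH",
                       IMAGE_FILE_MACHINE_I386,               # Machine
                       3,                                     # NumberOfSections
                       0x476B6AA0,                            # TimeDateStamp
                       0, 0,                                  # symbol table
                       0, 0)                                  # opt. hdr size, flags
    manifest = (b'<requestedExecutionLevel level="requireAdministrator" '
                b'uiAccess="false"/>')
    return bytes(dos) + b"PE\0\0" + coff + manifest


if __name__ == "__main__":
    image = constructed_sample()
    info = parse_coff_header(image)
    print("machine 0x%X, %d sections, built %s UTC (%.1f years before the advisory)"
          % (info["machine"], info["sections"], info["built_utc"],
             build_age_years(info, ADVISORY_DATE)))
    print("requestedExecutionLevel:", requested_execution_level(image))
```

Run it against a real installer by replacing `constructed_sample()` with `open(path, "rb").read()`. The stamp 0x476B6AA0 decodes to 2007-12-21 07:26:24 UTC, the instant the dump above shows in local time as 08:26:24, and a "requireAdministrator" level combined with a writable application directory is exactly the privilege-escalation combination the text describes.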

Mitigations:
~~~~~~~~~~~~

1. DON'T use executable installers; stay far away from such crap!

2. NEVER run executable installers from UNSAFE directories like
"%USERPROFILE%\Downloads\" or "%TEMP%\"

3. Exercise STRICT privilege separation: use your privileged
"Administrator" account (especially the account created during
Windows setup) only for administrative tasks, and a COMPLETELY
separate unprivileged "standard user" account for your own tasks.
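Mitigations 2 and 3 above, together with the planting scenario in point 2, amount to two checks an administrator can script: list DLLs that sit next to downloaded installers (a standard user can write there, and the application directory is searched before %SystemRoot%\System32), and run an installer only from a freshly created directory that contains nothing else. The following Python example is added here and is not code from the original post; it assumes the caller names a parent location for the staging directory that standard users cannot write to (so not "Downloads" and not %TEMP%), the demo builds a constructed "Downloads" layout in a temporary directory, and the DLL names come from the advisory itself.

```python
"""Defender-side checks behind the mitigations above: find DLLs planted in a
download directory, and stage an installer alone in a fresh, empty directory
before running it.  Added example, not the original poster's code."""
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

# The two system DLLs the advisory observed being loaded from the
# application directory on Windows 7 SP1.
KNOWN_SPOOF_TARGETS = {"cryptdll.dll", "cryptsp.dll"}


def find_planted_dlls(directory) -> List[Path]:
    """Every DLL sitting in a user-writable download directory is a
    planting candidate: the installer's application directory is searched
    before the system directory, so the file name alone decides."""
    d = Path(directory)
    return sorted(p for p in d.iterdir()
                  if p.is_file() and p.suffix.lower() == ".dll")


def classify(dlls: List[Path]) -> Dict[str, str]:
    """Label each DLL: named like a system DLL from the advisory, or simply
    unexpected in a download directory."""
    return {
        p.name: ("spoofs a system DLL named in the advisory"
                 if p.name.lower() in KNOWN_SPOOF_TARGETS
                 else "unexpected DLL in download directory")
        for p in dlls
    }


def stage_installer(installer, parent) -> Path:
    """Copy the installer, and nothing else, into a new empty directory under
    `parent` (assumption: a location standard users cannot write to) and
    return the staged path.  Refuses anything that is not an .exe."""
    src = Path(installer)
    if src.suffix.lower() != ".exe":
        raise ValueError("expected an executable installer: %s" % src.name)
    dest_dir = Path(tempfile.mkdtemp(prefix="staged-installer-", dir=str(parent)))
    if any(dest_dir.iterdir()):
        raise RuntimeError("staging directory is not empty: %s" % dest_dir)
    dest = dest_dir / src.name
    shutil.copy2(src, dest)
    return dest


def run_demo() -> dict:
    """Build a constructed 'Downloads' directory holding an installer, one
    planted DLL and an unrelated file, then run both checks on it."""
    root = Path(tempfile.mkdtemp(prefix="dll-planting-demo-"))
    try:
        downloads = root / "Downloads"
        downloads.mkdir()
        (downloads / "VS10SP1-KB4336919-x86.exe").write_bytes(b"MZ constructed stub")
        (downloads / "CryptSP.dll").write_bytes(b"MZ constructed rogue dll")
        (downloads / "notes.txt").write_text("harmless")
        admin_only = root / "admin-staging"      # stands in for an admin-only folder
        admin_only.mkdir()

        planted = find_planted_dlls(downloads)
        staged = stage_installer(downloads / "VS10SP1-KB4336919-x86.exe", admin_only)
        return {
            "planted": [p.name for p in planted],
            "classification": classify(planted),
            "staged_contents": sorted(p.name for p in staged.parent.iterdir()),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%s: %s" % (key, value))
```

On a real machine, point `find_planted_dlls` at %USERPROFILE%\Downloads and pass `stage_installer` a parent directory whose ACL only administrators can write; the staging step is what turns mitigation 2 into something enforceable rather than a habit.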

stay tuned
Stefan Kanthak

Copyright 2010, SecurityFocus