
List:       full-disclosure
Subject:    [FD] Defense in depth -- the Microsoft way (part 16): our developers and their QA dont follow our ow
From:       "Stefan Kanthak" <stefan.kanthak () nexgo ! de>
Date:       2014-05-31 17:39:57
Message-ID: 063968AE73CE4F098C85CBBAEC690506 () celsius

Hi @ll,

in a recent blog post titled "Load Library Safely"
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>
Microsoft Security Research & Defense wrote:

> To ensure secure loading of libraries
> * Use proper DLL search order.
> * Always specify the fully qualified path when the library location is
    ~~~~~~
> constant.
> * Load as data file when required.
> * Make use of code signing infrastructure or AppLocker.

Let's concentrate on the second point and see how well Microsoft follows
their own safety and security guidance:

- the locations of ALL libraries delivered with Windows are constant
  and well-known.

- the locations of ALL installed files remain constant after their
  installation, so ALL installation routines can safely write the
  well-known fully qualified path to the registry, desktop.ini files,
  shortcuts, ...

Quite a few people have pointed this fact out MANY times in the past, over
and over again.


JFTR: <http://msdn.microsoft.com/library/ms691424.aspx> specifies:

> InprocServer   Specifies the path to the in-process server DLL.
                               ~~~~
> LocalServer    Specifies the full path to a 16-bit local server application.
                               ~~~~~~~~~
> LocalServer32  Specifies the full path to a 32-bit local server application.
                               ~~~~~~~~~

      <http://msdn.microsoft.com/library/ms682390.aspx> specifies:

> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
> {CLSID}
> InprocServer32
> (Default) = path
                       ~~~~
      <http://msdn.microsoft.com/library/ms694328.aspx> specifies:

> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
> {CLSID}
> InprocServer
> (Default) = path
                       ~~~~

      <http://msdn.microsoft.com/library/ms682212.aspx> specifies:

> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
> {CLSID}
> DefaultIcon = path, resourceID
                      ~~~~
...
> This is a REG_SZ value that specifies the full path to the executable
                                            ~~~~~~~~~

Now take a look at the registry of Windows 8.1 (as it comes on the DVD
available from <http://technet.microsoft.com/evalcenter/hh699156.aspx>,
inside the \sources\install.wim).

In no particular order, and of course not exhaustive (the full list is
available from <http://home.arcor.de/skanthak/download/W81_PATH.REG>):


[HKEY_CLASSES_ROOT\CLSID\{00020000-0000-0000-C000-000000000046}\InprocServer]
@="avifile.dll"

[HKEY_CLASSES_ROOT\CLSID\{5848A73D-E9C2-499E-BB92-887CABCB2BD6}\InprocHandler32]
@="ole32.dll"

[HKEY_CLASSES_ROOT\CLSID\{00021400-0000-0000-C000-000000000046}\shell\cmd]
@="@shell32.dll,-8506"

[HKEY_CLASSES_ROOT\CLSID\{289228DE-A31E-11D1-A19C-0000F875B132}\ToolboxBitmap32]
@="cic.dll, 1"

[HKEY_CLASSES_ROOT\CLSID\{3080F90E-D7AD-11D9-BD98-0000947B0257}\Instance\InitPropertyBag]
"command"="@shell32.dll,-12715"

[HKEY_CLASSES_ROOT\CLSID\{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}\Instance\InitPropertyBag]
"opentext"="@shell32.dll,-12706"
"properties"="inetcpl.cpl"
"propertiestext"="@shell32.dll,-12704"

[HKEY_CLASSES_ROOT\CLSID\{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}\Instance\InitPropertyBag]
"command"="@appwiz.cpl,-130"
"Param1"="appwiz.cpl,,3"
"Param2"="control.exe"

[HKEY_CLASSES_ROOT\CLSID\{0E5CBF21-D15F-11D0-8301-00AA005B4383}]
"MenuTextPUI"="@explorerframe.dll,-13138"

[HKEY_CLASSES_ROOT\CLSID\{031EE060-67BC-460d-8847-E4A7C5E45A27}]
"Icon"="wmploc.dll,101"

[HKEY_CLASSES_ROOT\CLSID\{FC1EE10B-7EF6-41B5-BB60-98D26DD9FCD1}\MergedFolder]
"Location"="@shell32.dll,-9091"

[HKEY_CLASSES_ROOT\CLSID\{3080F90E-D7AD-11D9-BD98-0000947B0257}]
"LocalizedString"="@shell32.dll,-10114"

[HKEY_CLASSES_ROOT\accountpicturefile]
"FriendlyTypeName"="@Windows.UI.Immersive.dll,-38306"

[HKEY_CLASSES_ROOT\batfile\shell\runasuser]
@="@shell32.dll,-50944"

[HKEY_CLASSES_ROOT\CATFile\DefaultIcon]
@="cryptui.dll,-3418"

[HKEY_CLASSES_ROOT\CERFile\shell\add]
"MUIVerb"="@cryptext.dll,-6132"

[HKEY_CLASSES_ROOT\Network\SharingHandler]
@="ntshrui.dll"

[HKEY_CLASSES_ROOT\OLETransactionManagers\MSDTC]
"DLL"="MSDTCPRX.DLL"

[HKEY_CLASSES_ROOT\Applications\WINWORD.EXE\TaskbarExceptionsIcons\WordMail]
"IconPath"="explorer.exe,16"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}]
 "$DLL"="WINTRUST.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlay\Service Providers\Internet TCP/IP Connection \
For DirectPlay] "Gateway"="dpnhpast.dll"
"Path"="dpwsockx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{0f3f3735-573d-9804-99e4-ab2a69ba5fd4}]
"ModuleName"="SecurityAuditPoliciesSnapIn.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\{58221C6A-EA27-11CF-ADCF-00AA00A80033}]
"ProviderIndirect"="@filemgmt.dll,-3505"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\{A2A54893-AAF2-49A3-B3F5-CC43CEBCC27C}]
"DescriptionIndirect"="@napdsnap.dll,-2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\{DFFFAE4D-F0CF-46CD-9586-FE891237AB8A}]
"NameStringIndirect"="@comres.dll,-659"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh]
"napmontr"="napmontr.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Router\CurrentVersion\RouterManagers\Ip]
"ConfigDll"="ipadmin.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Router\CurrentVersion\RouterManagers\Ipv6]
"ConfigDll"="ipadmin.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Router\CurrentVersion\UiConfigDlls]
"58bdf950-f471-11cf-aa67-00805f0c9232"="ifadmin.dll"
"58bdf951-f471-11cf-aa67-00805f0c9232"="ipadmin.dll"
"58bdf953-f471-11cf-aa67-00805f0c9232"="ddmadmin.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\ClientProtocols]
"ncacn_ip_tcp"="rpcrt4.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions]
"NdrOleExtDll"="Ole32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService]
"9"="sspicli.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS]
"IGDSearcherDLL"="bitsigd.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Glass
Colorization\Swatches\{FD81078C-1B36-4595-A92E-91F05C4FA5DC}]
"Resource"="themecpl.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching\Plugin]
"WUSearchLibrary"="chkwudrv.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder]
"Text"="@shell32.dll,-30498"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\MSWMPBurnCDOnArrival]
 "Action"="@wmploc.dll,-6505"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\MSPlayCDAudioOnArrival]
 "Provider"="@wmploc.dll,-6502"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}]
 "InfoTip"="@shell32,dll,-12692"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{0b2baaeb-0042-4dca-aa4d-3ee8648d03e5}\TopViews\{
 82ba0782-5b7a-4569-b5d7-ec83085f08cc}]
"Name"="@shell32.dll,-34817"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet \
Settings\SO\AUTH\LOGON\SILENT] "HelpID"="iexplore.hlp#50283"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\DOTNET]
"PlugUIText"="@mscorier.dll,-1001"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Mail\Advanced Settings\Contact Conversion]
"Bitmap"="msoeres.dll,50"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows \
NT\CurrentVersion\Audit\SystemPolicy\System\SystemIntegrity] "HelpText"="@auditpolmsg.dll,-734"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers]
"Adobe Type Manager"="atmfd.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DiscoveryManager]
"DiscoveryProviderDllPath"="PeerDistWSDDiscoProv.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DownloadManager]
"TransportDllPath"="PeerDistHttpTrans.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache]
"TransportDllPath"="PeerDistHttpTrans.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows \
NT\CurrentVersion\PeerDist\HostedCache\Discovery] "ProviderDLLPath"="PeerDistAD.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows \
NT\CurrentVersion\Perflib\_V2Providers\{f3b975e7-e068-4f66-81ef-b23e0a0e64c9}] \
"ApplicationIdentity"="lsm.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows \
NT\CurrentVersion\ProfileLoader\{F5441CBB-AE7D-4495-905B-161047E58936}] "DllName"="userenv.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit\Reg
Values\MACHINE/System/CurrentControlSet/Services/LDAP/LDAPClientIntegrity]
"DisplayChoices"=multi:"0|@wsecedit.dll,-59073","1|@wsecedit.dll,-59074","2|@wsecedit.dll,-59075"
 "DisplayName"="@wsecedit.dll,-59072"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows \
NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}] \
"DisplayName"="@gptext.dll,-205"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\PHSearchConnectors\StickyNotes\Default]
"Description"="@SNTSearch.dll,-504"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\FileSystemUtilities]
"IfsUtilExtension"="ifsutilx.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port]
"Driver"="WSDMon.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Providers\LanMan Print Services]
"Name"="win32spl.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Els\Services\{2D64B439-6CAF-4f6b-B688-E5D0F4FAA7D7}]
 "Description"="@elscore.dll,-2"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcSs]
"DisplayName"="@combase.dll,-5010"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\00000401]
"Layout File"="KBDA1.DLL"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet \
Settings\Lockdown_Zones\0] "Icon"="shell32.dll#0016"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"LowIcon"="inetcpl.cpl#005426"

[HKEY_USERS\S-1-5-19\AppEvents\EventLabels\.Default]
"DispFileName"="@mmres.dll,-5824"

[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Names\.None]
@="@mmres.dll,-801"

[ 1669 more entries with unqualified filenames omitted ]

regards
Stefan Kanthak


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


