
List:       full-disclosure
Subject:    [FD] .diagcab directory traversal leading to arbitrary code execution
From:       Imre Rad <radimre83 () gmail ! com>
Date:       2020-01-15 8:21:50
Message-ID: CAPWzz4zB7QuMsiWCJzZDsX+oooaSF+PVw=mZGYDrj6rHtp9gKA () mail ! gmail ! com

I identified a flaw in the implementation of Microsoft's
Troubleshooter technology that could lead to remote code execution if
a crafted .diagcab file is opened by the victim. The exploit leverages
a rogue WebDAV server to trick MSDT into dropping files to
attacker-controlled locations on the file system.

If you see the following pattern in any Windows application, it
might be vulnerable too:

#include <windows.h>
#include <strsafe.h>

#define MAXPATH 0x104

TCHAR attackerControlledSourcePath[MAXPATH]; // this is the "user input"

TCHAR tempDirectory[MAXPATH];
GetTempPathW(MAXPATH, tempDirectory);

// enumerate everything under the attacker-controlled directory
TCHAR allFilesFromAttackerControlledSourcePath[MAXPATH];
StringCchPrintfW(allFilesFromAttackerControlledSourcePath, MAXPATH,
L"%s\\*.*", attackerControlledSourcePath);

WIN32_FIND_DATA FindFileData;
HANDLE hFind = FindFirstFile(allFilesFromAttackerControlledSourcePath, &FindFileData);
if (hFind == INVALID_HANDLE_VALUE)
   return;

do {
   TCHAR srcFile[MAXPATH];
   TCHAR dstFile[MAXPATH];
   StringCchPrintfW(srcFile, MAXPATH, L"%s\\%s",
attackerControlledSourcePath, FindFileData.cFileName);
   // cFileName is used as-is; nothing checks it for path separators
   StringCchPrintfW(dstFile, MAXPATH, L"%s\\%s", tempDirectory,
FindFileData.cFileName);

   CopyFileW(srcFile, dstFile, TRUE);
} while (FindNextFile(hFind, &FindFileData) != 0);
FindClose(hFind);


The thing is, the FindFirstFile/FindNextFile APIs can return file
entries with path separator characters in them; I implemented a rogue
WebDAV server to demonstrate this:

C:\Projects\diagcab>dir \\127.0.0.1@80\DavWWWRoot\package
Volume in drive \\127.0.0.1@80\DavWWWRoot has no label.
Volume Serial Number is 0000-0000
Directory of \\127.0.0.1@80\DavWWWRoot\package
2017. 07. 12.  11:10    <DIR>          .
2017. 07. 12.  11:10    <DIR>          ..
2017. 07. 12.  10:48            27 648 ..\..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc.exe
1 File(s)         27 648 bytes
2 Dir(s) 251 292 504 064 bytes free
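A hardened counterpart to the copy loop above, added here as an example; it is not code from the original post or from Microsoft. It validates each entry name the directory enumeration returns before composing the destination path, and refuses anything that is not a single path component, which is exactly what the WebDAV listing above violates. The helper names (is_plain_file_name, build_safe_dest_path, count_accepted), the sample listing and the temp directory path are constructed; wchar_t and swprintf stand in for the post's TCHAR and StringCchPrintfW so the check compiles without the Win32 headers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define MAXPATH 0x104

/* Reject any directory entry that is not a single path component.
 * As the WebDAV listing in the post shows, FindFirstFile/FindNextFile can
 * hand back a cFileName containing '\' (or '/'), so the name must be
 * checked before it is appended to the destination directory.
 * Added helper, not from the original post. */
bool is_plain_file_name(const wchar_t *name)
{
    if (name == NULL || name[0] == L'\0')
        return false;
    if (wcscmp(name, L".") == 0 || wcscmp(name, L"..") == 0)
        return false;
    for (const wchar_t *p = name; *p != L'\0'; p++) {
        /* path separators, drive letters and NTFS alternate data streams */
        if (*p == L'\\' || *p == L'/' || *p == L':')
            return false;
        /* control characters never appear in a legitimate file name */
        if (*p < 0x20)
            return false;
    }
    return true;
}

/* Build "<tempDirectory>\<name>" only if the name passed validation and the
 * result fits in dst. On failure dst is emptied and false is returned, so
 * the caller skips CopyFileW instead of writing to a path the remote share
 * chose. swprintf stands in for StringCchPrintfW (assumption: the real code
 * would keep the Win32 call). */
bool build_safe_dest_path(const wchar_t *tempDirectory, const wchar_t *name,
                          wchar_t *dst, size_t dstCount)
{
    if (dst == NULL || dstCount == 0)
        return false;
    dst[0] = L'\0';
    if (!is_plain_file_name(name))
        return false;
    int n = swprintf(dst, dstCount, L"%ls\\%ls", tempDirectory, name);
    if (n < 0 || (size_t)n >= dstCount) {
        dst[0] = L'\0';   /* truncated: refuse rather than copy to a mangled path */
        return false;
    }
    return true;
}

/* Constructed sample listing: one plain name, the traversal entry the rogue
 * WebDAV server returned in the post, and two further hostile shapes. */
static const wchar_t *const SAMPLE_NAMES[] = {
    L"TS_Example.ps1",
    L"..\\..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\calc.exe",
    L"sub/dir/payload.exe",
    L"..",
};
#define SAMPLE_COUNT (sizeof SAMPLE_NAMES / sizeof SAMPLE_NAMES[0])

/* Run a listing through the check the way the copy loop would, and return
 * how many entries would actually be copied into tempDirectory. */
size_t count_accepted(const wchar_t *tempDirectory,
                      const wchar_t *const *names, size_t count)
{
    size_t accepted = 0;
    wchar_t dst[MAXPATH];
    for (size_t i = 0; i < count; i++) {
        if (build_safe_dest_path(tempDirectory, names[i], dst, MAXPATH)) {
            printf("copy   -> %ls\n", dst);
            accepted++;
        } else {
            printf("reject    %ls\n", names[i]);
        }
    }
    return accepted;
}

int main(void)
{
    /* constructed temp directory; GetTempPathW would supply it on Windows */
    size_t n = count_accepted(L"C:\\Users\\victim\\AppData\\Local\\Temp",
                              SAMPLE_NAMES, SAMPLE_COUNT);
    printf("%zu of %zu entries accepted\n", n, (size_t)SAMPLE_COUNT);
    return 0;
}
```

Only the first sample name is accepted; the traversal entry from the listing is rejected on its first backslash. On Windows a second line of defence is to canonicalise the composed destination with GetFullPathNameW and confirm it still starts with the temp directory plus a separator before calling CopyFileW, so that a name the validator did not anticipate still cannot escape the directory.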



Microsoft refused to fix this issue, so it is recommended to stay away
from this file type.

You can find the full write up and the online demo project here:

https://medium.com/@radimre83/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd

And the source files here:

https://www.github.com/irsl/microsoft-diagcab-rce-poc/

Imre

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/