Junkware Removal Tool DLL Hijacking

2016.08.17
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Hi @ll,

JRT.exe (see <https://en.malwarebytes.com/junkwareremovaltool/>)

1. is vulnerable to DLL hijacking:
   see <https://cwe.mitre.org/data/definitions/426.html>
   and <https://cwe.mitre.org/data/definitions/427.html> for these
   WELL-KNOWN and WELL-DOCUMENTED beginner's errors;

2. creates an unsafe directory "%TEMP%\jrt":
   see <https://cwe.mitre.org/data/definitions/377.html>
   and <https://cwe.mitre.org/data/definitions/379.html> for these
   WELL-KNOWN and WELL-DOCUMENTED beginner's errors!

An attacker can exploit these vulnerabilities to gain arbitrary code
execution WITH escalation of privilege.


Ad 1.:
~~~~~~

Applications which are offered as downloads to unsuspecting users will
typically be saved into the user's "Downloads" directory ... which is
but a digital minefield: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134>

On a fully patched Windows 7 SP1, JRT.exe loads and executes the
following DLLs from its "application directory" (which usually happens
to be the user's "Downloads" directory):

    UXTheme.dll, DWMAPI.dll, PropSys.dll, NTMARTA.dll, Version.dll,
    Secur32.dll

On other versions of Windows this list varies slightly, but JRT.exe
ALWAYS loads some DLLs from its "application directory".

Due to its embedded application manifest which specifies
"requireAdministrator", JRT.exe runs with administrative privileges:
all DLLs it loads and executes run with administrative privileges too,
resulting in arbitrary code execution WITH elevation of privilege.

If an attacker is able to place the DLLs named above per "drive-by
download" in the user's "Downloads" directory this becomes a remote code
execution WITH elevation of privilege.


Proof of concept:
~~~~~~~~~~~~~~~~~

1. download <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and
   save it as UXTheme.dll, DWMAPI.dll, PropSys.dll, NTMARTA.dll,
   Version.dll, Secur32.dll in your "Downloads" directory;

2. download <https://downloads.malwarebytes.com/file/jrt/> and save
   it in your "Downloads" directory;

3. start the downloaded JRT.exe and notice the message boxes
   displayed from the DLLs planted in step 1.

PWNED!


Ad 2.:
~~~~~~

Upon execution JRT.exe creates the directory "%TEMP%\jrt", extracts
its payload into it and starts Windows' command processor (with
administrative privileges too) to run the extracted batch script
"%TEMP%\jrt\get.bat".

The directory "%TEMP%\jrt" inherits the NTFS permissions of its parent
"%TEMP%", allowing FULL access for the respective user account.

In the "protected" alias UAC-controlled administrator account created
during Windows setup, "%TEMP%\jrt" is writable without administrative
privileges: the unprivileged user (or any process running without
elevation under this user account) can watch for the creation of this
directory and then (over)write any file (for example FIND.COM, REG.COM,
NET.COM, PING.COM, FC.COM, FINDSTR.COM, TASKLIST.COM, SORT.COM,
SCHTASKS.COM, WGET.DAT, UNIQ.DAT, SED.DAT, GREP.DAT, NIRCMD.DAT,
SHORTCUT.DAT, or the DLLs which the *.DAT load from their "application
directory") again gaining elevation of privilege.


Proof of concept:
~~~~~~~~~~~~~~~~~

1. download <http://home.arcor.de/skanthak/download/SENTINEL.EXE> and
   save it in your "Downloads" directory;

2. create the following batch script in an arbitrary directory:

--- POC.CMD ---
:WAIT
@If Not Exist "%TEMP%\jrt" Goto :WAIT
For %%! In (FIND REG NET PING FC FINDSTR TASKLIST SORT SCHTASKS) Do @Copy "%USERPROFILE%\Downloads\SENTINEL.EXE" "%TEMP%\jrt\%%!.COM"
--- EOF ---

3. download <https://downloads.malwarebytes.com/file/jrt/> and save
   it in your "Downloads" directory;

4. start the batch script POC.CMD;

5. start the downloaded JRT.exe and notice the message boxes
   displayed from the *.COM.

PWNED!


Mitigations:
~~~~~~~~~~~~

* Don't use executable installers!

* Don't use crapware which runs executables from unsafe directories
  like %TEMP%!

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; use
  <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode
  it to "deny execution of files in this directory for everyone,
  inheritable to all files in all subdirectories".


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2016-08-06    vulnerability report sent to vendor

              NO RESPONSE

2016-08-15    report published
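
The ACE string from the mitigations list, decoded field by field. This is an added example, not part of the original advisory; the function names and the returned dictionary layout are assumptions made for illustration, while the token values are the standard SDDL and winnt.h constants. Only allow/deny ACEs and a subset of rights and trustee abbreviations are covered.

```python
import re

# SDDL ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_TYPES = {"A": "allow", "D": "deny"}
# Two-letter SDDL rights tokens and the access-mask bits they set.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000, "FA": 0x1F01FF, "FR": 0x120089,
          "FW": 0x120116, "FX": 0x1200A0}
# Meaning of the mask bits on a file or directory (winnt.h names).
FILE_BITS = {0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA",
             0x4: "FILE_APPEND_DATA", 0x8: "FILE_READ_EA",
             0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
             0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES",
             0x100: "FILE_WRITE_ATTRIBUTES", 0x10000: "DELETE",
             0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
             0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
# A few well-known trustee abbreviations; anything else is returned as-is.
TRUSTEES = {"WD": "Everyone", "BA": "BUILTIN\\Administrators",
            "SY": "NT AUTHORITY\\SYSTEM", "BU": "BUILTIN\\Users"}

def pairs(field):
    """Split an SDDL field into its two-letter tokens."""
    if len(field) % 2:
        raise ValueError(f"odd-length token field: {field!r}")
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def decode_ace(ace):
    """Decode one SDDL ACE string as it applies to a file-system object."""
    m = re.fullmatch(r"\(([^()]*)\)", ace.strip())
    if not m or m.group(1).count(";") != 5:
        raise ValueError(f"not a six-field SDDL ACE: {ace!r}")
    ace_type, flags, rights, _obj, _inherit_obj, trustee = m.group(1).split(";")
    if ace_type not in ACE_TYPES:
        raise ValueError(f"unsupported ACE type: {ace_type!r}")
    if rights.lower().startswith("0x"):      # rights may also be a hex mask
        mask = int(rights, 16)
    else:
        tokens = pairs(rights)
        if any(t not in RIGHTS for t in tokens):
            raise ValueError(f"unknown rights token in {rights!r}")
        mask = 0
        for t in tokens:
            mask |= RIGHTS[t]
    flag_list = pairs(flags)
    return {"type": ACE_TYPES[ace_type], "flags": flag_list, "mask": mask,
            "rights": [n for b, n in sorted(FILE_BITS.items()) if mask & b],
            "trustee": TRUSTEES.get(trustee, trustee),
            "applies_to_directory_itself": "IO" not in flag_list,
            "inherited_by_files": "OI" in flag_list}
```

"WP" is the directory-service "write property" token, but its bit (0x20) is FILE_EXECUTE on a file, which is why the ACE denies execution. An object-inherit ACE without "NP" is also passed on through subdirectories as inherit-only, so it reaches files at every depth below "%TEMP%".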

