Hi @ll,

Microsoft released <https://support.microsoft.com/en-us/help/4340040/>
"July 2018 servicing release for Microsoft Desktop Optimization Pack"
some days ago.

<https://www.microsoft.com/en-us/download/details.aspx?id=57157>
offers three executable installers to update existing installations:
MBAM2.5_Client_x64_KB4340040.exe, MBAM2.5_Client_x86_KB4340040.exe
and MBAM2.5_X64_Server_KB4340040.exe

1. All three executable installers are susceptible to DLL spoofing, a
   vulnerability known for 20+ years: they load multiple system DLLs
   from their "application directory", typically the user's "Downloads"
   directory %USERPROFILE%\Downloads\, instead of from Windows' "system
   directory" %SystemRoot%\System32\, resulting in arbitrary code
   execution.

   On a fully patched Windows 7 SP1, MBAM2.5_Client_x64_KB4340040.exe
   and MBAM2.5_Client_x86_KB4340040.exe load AT LEAST the following
   rogue DLLs: msls31.dll, propsys.dll, ntmarta.dll, version.dll,
   secur32.dll

   On a fully patched Windows 7 SP1, MBAM2.5_X64_Server_KB4340040.exe
   loads AT LEAST the following rogue DLLs: uxtheme.dll, cabinet.dll,
   msi.dll, version.dll

   For this well-known and well-documented BEGINNER'S ERROR see
   <https://cwe.mitre.org/data/definitions/426.html> and
   <https://cwe.mitre.org/data/definitions/427.html> plus
   <https://capec.mitre.org/data/definitions/471.html>.

   Additionally see Microsoft's own guidance
   <https://technet.microsoft.com/en-us/library/2269637.aspx>,
   <https://msdn.microsoft.com/en-us/library/ff919712.aspx>,
   <https://msdn.microsoft.com/en-us/library/ms682586.aspx> and
   <https://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>
   for avoiding this beginner's error.
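A pre-flight check for this first vulnerability, as an added example (not code from the advisory or from Microsoft): it flags DLL files sitting next to an installer whose names match the system DLLs listed above, and reports whether the installer's directory is writable by the current user, i.e. one of the directories an installer should never be run from. The directory layout in demo() is constructed for illustration.

```python
"""Pre-flight check for an executable installer's "application directory"
(added example, not code from the advisory): list DLL files beside the
installer whose names match system DLLs the advisory saw being loaded from
the application directory, and report whether the directory is writable by
the current user, i.e. whether it is one of the UNSAFE directories."""
import os
import sys
import tempfile
from pathlib import Path

# System DLL names the advisory reports being loaded from the application
# directory by the three KB4340040 installers on Windows 7 SP1.
SPOOFABLE_DLLS = {
    "msls31.dll", "propsys.dll", "ntmarta.dll", "version.dll", "secur32.dll",
    "uxtheme.dll", "cabinet.dll", "msi.dll",
}


def shadowing_dlls(directory, names=SPOOFABLE_DLLS):
    """Return sorted file names in `directory` that shadow a DLL in `names`.
    Windows resolves DLL names case-insensitively, so the lower-cased name is
    compared while the spelling actually found on disk is reported."""
    return sorted(p.name for p in Path(directory).iterdir()
                  if p.is_file() and p.name.lower() in names)


def assess(installer_path):
    """Judge whether `installer_path` sits in a directory it is safe to run
    from: no shadowing DLLs present and not writable by the current user."""
    directory = Path(installer_path).resolve().parent
    found = shadowing_dlls(directory)
    writable = os.access(directory, os.W_OK)   # user-writable => plantable
    return {"dir": str(directory), "writable": writable, "shadowing": found,
            "verdict": "unsafe" if (found or writable) else "ok"}


def demo():
    """Build a constructed 'Downloads' directory with a planted DLL and assess
    it; stands in for a real installer directory when run without arguments."""
    d = Path(tempfile.mkdtemp(prefix="downloads-"))
    (d / "MBAM2.5_Client_x86_KB4340040.exe").write_bytes(b"MZ")  # dummy installer
    (d / "Version.DLL").write_bytes(b"MZ")     # planted; case differs on purpose
    (d / "harmless.dll").write_bytes(b"MZ")    # not a system DLL name
    return assess(d / "MBAM2.5_Client_x86_KB4340040.exe")


if __name__ == "__main__":
    print(assess(sys.argv[1]) if len(sys.argv) > 1 else demo())
```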
   Don't forget to recap Steve Sutton's "Windows NT Security Guidelines"
   <http://fy.chalmers.se/~appro/nt/nsaguide.pdf>, or ACROS Security's
   <https://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
   and <https://www.ipa.go.jp/security/english/vuln/20170928_dll_en.html>

   Demonstration/proof of concept:
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   a) follow the instructions from
      <https://skanthak.homepage.t-online.de/minesweeper.html> and build
      a minefield of 32-bit forwarder DLLs in your "Downloads" directory;

   b) download the executable installers via
      <https://www.microsoft.com/en-us/download/details.aspx?id=57157>
      and save them in your "Downloads" directory;

   c) execute MBAM2.5_Client_x86_KB4340040.exe and
      MBAM2.5_X64_Server_KB4340040.exe: notice the message boxes
      displayed from the DLLs built in step a!

   d) repeat step a to build a minefield of 64-bit forwarder DLLs.

   e) execute MBAM2.5_Client_x64_KB4340040.exe: notice the message
      boxes displayed from the DLLs built in step d!

2. In standard installations of Windows, where the user account created
   during Windows setup is used, the UNPRIVILEGED alias UNELEVATED user
   (or any program running under this account) can place arbitrary
   rogue DLLs in the "Downloads" directory, for example per "drive-by
   download".

   JFTR: the precondition "user account created during setup" holds for
   the vast majority of all Windows installations. As published in your
   own "security intelligence reports" <https://www.microsoft.com/security/sir/>,
   from 50% to 75% of all about 600 million Windows installations which
   provide telemetry data have only one active user account.

   Since the "application manifest" embedded in
   MBAM2.5_Client_x64_KB4340040.exe and MBAM2.5_Client_x86_KB4340040.exe
   specifies "requireAdministrator", the first vulnerability then
   results in arbitrary code execution WITH escalation of privilege.

3. Although MBAM2.5_Client_x64_KB4340040.exe and
   MBAM2.5_Client_x86_KB4340040.exe run elevated, they extract their
   payload MBAM2.5-Client-KB00000.msp UNPROTECTED into the %TEMP%
   directory.

   For this well-known and well-documented BEGINNER'S ERROR see
   <https://cwe.mitre.org/data/definitions/377.html> and
   <https://cwe.mitre.org/data/definitions/379.html> plus
   <https://capec.mitre.org/data/definitions/29.html>

   In standard installations of Windows, where the user account created
   during Windows setup is used, the UNPRIVILEGED alias UNELEVATED user
   is the owner of the extracted payload and has FULL ACCESS to it.
   This allows modification of the extracted file(s) between creation
   and use.

   Since the payload is processed with administrative rights
   (MSIExec.exe runs under the SYSTEM account) this second vulnerability
   results in escalation of privilege too.

4. Built with a COMPLETELY outdated version 3.7.1224.0 of the Wix
   toolset <http://robmensching.com/blog/posts/2012/12/24/wix-v3.7-released/>,
   MBAM2.5_X64_Server_KB4340040.exe has the same well-known and
   well-documented vulnerabilities too.
   See <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/>
   and subsequent security advisories from the creators of the Wix
   toolset.

   Microsoft's developers are most obviously UNABLE (or INCAPABLE?) to
   even keep their production environment up-to-date! Their managers
   most obviously don't care either, and their QA seems sound asleep.

5. MBAM2.5_X64_Server_KB4340040.exe extracts its payload, the real
   installer, into an UNPROTECTED subdirectory of %TEMP% using the
   hard-coded name "{cf45df76-7d9e-499f-8d93-64ec3ee76e20}" and
   executes it ELEVATED.

   The UNPROTECTED subdirectory allows modification of the extracted
   files between creation and use, resulting in elevation of privilege
   (or denial of service).
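Items 3 and 5 describe the same class of defect: a payload written into a user-writable, predictable location and then consumed elevated. The following is an added example (not code from the advisory or the installers) that contrasts that pattern with a private extraction directory plus an integrity check right before use; the payload bytes are constructed, and POSIX permission bits stand in for the DACL an elevated Windows installer would have to set explicitly.

```python
"""Unprotected vs. private extraction of an installer payload (added example,
not code from the advisory or the installers). Contrasts the pattern the
advisory criticises, a hard-coded, reused subdirectory of %TEMP% that any
local user can write to, with extraction into a freshly created directory
only the extracting principal can write, plus an integrity check right
before use. POSIX permission bits stand in for a Windows DACL."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Constructed stand-in for the embedded MSP payload and its known-good hash.
PAYLOAD = b"constructed payload bytes"
PAYLOAD_SHA256 = hashlib.sha256(PAYLOAD).hexdigest()
HARDCODED_NAME = "{cf45df76-7d9e-499f-8d93-64ec3ee76e20}"  # name from the advisory

def extract_unsafe(temp_root=None):
    """Vulnerable pattern: predictable name, a pre-existing directory (possibly
    created by someone else) is reused, permissions are whatever is inherited."""
    d = Path(temp_root or tempfile.gettempdir()) / HARDCODED_NAME
    d.mkdir(exist_ok=True)
    target = d / "payload.msp"
    target.write_bytes(PAYLOAD)      # anyone with write access can replace this
    return target

def is_private_dir(path):
    """True if `path` is a real directory we own that nobody else can write."""
    st = os.lstat(path)              # lstat: a planted symlink must not pass
    return (stat.S_ISDIR(st.st_mode) and st.st_uid == os.getuid()
            and (st.st_mode & 0o077) == 0)

def extract_safe(temp_root=None):
    """Hardened pattern: unpredictable, freshly created, mode 0700 directory."""
    d = Path(tempfile.mkdtemp(prefix="mbam-", dir=temp_root))
    if not is_private_dir(d):
        raise PermissionError(f"{d} is not private")
    target = d / "payload.msp"
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(PAYLOAD)
    return target

def verify_before_use(path, expected=PAYLOAD_SHA256):
    """Hash check right before the file is handed to the MSI engine. Alone it
    is not enough: in a shared directory the file can still be swapped between
    this check and the actual use, hence the private directory above."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest() == expected
```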
   Demonstration/proof of concept:
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   a) add the NTFS ACE "(D;OIIO;WP;;;WD)" to your %TEMP% directory;
      the ACE means "deny execution of files in this subdirectory for
      everyone, inheritable to files in all subdirectories".

   b) execute MBAM2.5_X64_Server_KB4340040.exe: notice its SILENT
      failure.

   c) create the following batch script in an arbitrary directory:

      --- kb4340040.cmd ---
      :LOOP
      @If Not Exist "%TEMP%\{cf45df76-7d9e-499f-8d93-64ec3ee76e20}" Goto :LOOP
      Rem Add some more loops here which wait for the creation of files
      Rem to be overwritten, and some copy commands to overwrite them ...
      --- EOF ---

   d) run the batch script, then execute MBAM2.5_X64_Server_KB4340040.exe

Mitigations:
~~~~~~~~~~~~

1. DON'T use executable installers; stay far away from such crap!

2. NEVER run executable installers from UNSAFE directories like
   "%USERPROFILE%\Downloads\" or "%TEMP%\"

3. Exercise STRICT privilege separation: use your privileged
   "Administrator" account (especially the account created during
   Windows setup) only for administrative tasks, and a COMPLETELY
   separate unprivileged "standard user" account for your own tasks.

stay tuned
Stefan Kanthak