Defense in depth -- the Microsoft way (part 56): 10+ year old security update installers are susceptible to 20+ year old vulnerability

Hi @ll,

Microsoft released <https://support.microsoft.com/en-us/help/4336919>
"Description of the security update for the remote code execution
 vulnerability in Visual Studio 2010 Service Pack 1: July 10, 2018"
some days ago.

The executable installer VS10SP1-KB4336919-x86.exe offered for
download from <https://aka.ms/vs/10/release/4336919> alias
<https://download.visualstudio.microsoft.com/download/pr/12715017/faaef3d5a7c96735de75d3843e964a5c/VS10SP1-KB4336919-x86.exe>
is but VULNERABLE!

The headers of this "portable executable" give a hint: the
executable installer (really: a self-extractor) was built
10+ years ago.

| C:\Users\Stefan\Downloads>LINK.exe /DUMP /HEADERS VS10SP1-KB4336919-x86.exe
| Microsoft (R) COFF/PE Dumper Version 10.00.40219.01
| Copyright (C) Microsoft Corporation.  All rights reserved.
|
|
| Dump of file VS10SP1-KB4336919-x86.exe
|
| PE signature found
|
| File Type: EXECUTABLE IMAGE
|
| FILE HEADER VALUES
|             14C machine (x86)
|               3 number of sections
|        476B6AA0 time date stamp Fri Dec 21 08:26:24 2007
                                  ~~~~~~~~~~~~~~~~~~~~~~~~
...
|
| C:\Users\Stefan\Downloads>FILEVER.exe /V VS10SP1-KB4336919-x86.exe
|
| --a-- W32i   APP ENU  10.0.40219.493 shp  7,484,104 07-05-2018 vs10sp1-kb4336919-x86.exe
|        Language        0x0000 (Neutral)
|        CharSet         0x04b0 Unicode
|        OleSelfRegister Disabled
|        CompanyName     Microsoft Corporation
|        FileDescription Self-Extracting Cabinet
|        InternalName    SFXCAB.EXE
|        OriginalFilenam SFXCAB.EXE
|        ProductName     Microsoft Visual Studio 2010
|        ProductVersion  6.3.0015.0
|        FileVersion     6.3.0015.0 built by: dnsrv
|        LegalCopyright  ® Microsoft Corporation. All rights reserved.

JFTR: SFXCAB.exe was introduced with Windows 95 and Windows NT4.
      And of course there are NEWER versions of this tool available
      and still in use at Microsoft: see for example the hotfixes
      for Windows Embedded POSReady 2009.
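The build-time check that the LINK /DUMP /HEADERS output above relies on, as an added Python example (not code from this advisory): it reads the COFF file header of a PE image and reports machine type, section count and the link timestamp. The sample image is constructed inline with the header values shown above; the time is printed in UTC, whereas LINK /DUMP prints local time.

```python
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x14C  # "14C machine (x86)" in the dump above

def coff_header(data: bytes) -> dict:
    """Parse the COFF file header of a PE image and return its triage-relevant fields."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a DOS/PE image")
    # e_lfanew (offset 0x3C of the DOS header) points to the "PE\0\0" signature
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp (seconds since 1970 UTC)
    machine, nsections, stamp = struct.unpack_from("<HHI", data, pe_off + 4)
    built = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": stamp,
        "built": built.strftime("%a %b %d %H:%M:%S %Y UTC"),
        "age_years": round((datetime.now(timezone.utc) - built).days / 365.25, 1),
    }

def is_stale(data: bytes, max_age_years: float = 10.0) -> bool:
    """Flag binaries whose link time is older than max_age_years (10+ years here)."""
    return coff_header(data)["age_years"] > max_age_years

# Constructed sample: a 64-byte DOS header with e_lfanew = 0x40, followed by the PE
# signature and a COFF header carrying the values LINK /DUMP /HEADERS printed above
SAMPLE = bytearray(b"MZ" + b"\0" * 0x3E)
struct.pack_into("<I", SAMPLE, 0x3C, 0x40)
SAMPLE += b"PE\0\0" + struct.pack("<HHIIIHH",
                                  IMAGE_FILE_MACHINE_I386,  # Machine
                                  3,                        # NumberOfSections
                                  0x476B6AA0,               # TimeDateStamp
                                  0, 0,                     # symbol table (unused)
                                  0xE0,                     # SizeOfOptionalHeader (PE32)
                                  0x0102)                   # Characteristics
SAMPLE = bytes(SAMPLE)

if __name__ == "__main__":
    hdr = coff_header(SAMPLE)
    print(f"machine=0x{hdr['machine']:X} sections={hdr['sections']} built={hdr['built']}")
    print("older than 10 years:", is_stale(SAMPLE))
```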


On the other hand, someone by the name of William Henry Gates wrote
a memo titled "Trustworthy computing" 16+ years ago and sent it to
all full time employees of his "garage band":

| From: Bill Gates
| Sent: Tuesday, January 15, 2002 5:22 PM
| To: Microsoft and Subsidiaries: All FTE
| Subject: Trustworthy computing


1. VS10SP1-KB4336919-x86.exe is susceptible to DLL spoofing, a
   vulnerability known for 20+ years: it loads multiple system DLLs
   from its "application directory", typically the user's "Downloads"
   directory %USERPROFILE%\Downloads\, instead from Windows' "system
   directory" %SystemRoot%\System32\, resulting in arbitrary code
   execution.

   On a fully patched Windows 7 SP1 VS10SP1-KB4336919-x86.exe
   loads AT LEAST the following rogue DLLs:
        CryptDll.dll, CryptSP.dll


   For this well-known and well-documented BEGINNER'S ERROR see
   <https://cwe.mitre.org/data/definitions/426.html> and
   <https://cwe.mitre.org/data/definitions/427.html> plus
   <https://capec.mitre.org/data/definitions/471.html>.

   Additionally, see Microsoft's own guidance:
   <https://technet.microsoft.com/en-us/library/2269637.aspx>,
   <https://msdn.microsoft.com/en-us/library/ff919712.aspx>,
   <https://msdn.microsoft.com/en-us/library/ms682586.aspx> and
   <http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>.

   Don't forget to recap Steve Sutton's "Windows NT Security Guidelines"
   <http://fy.chalmers.se/~appro/nt/nsaguide.pdf>, or ACROS Security's
   <https://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
   and <https://www.ipa.go.jp/security/english/vuln/20170928_dll_en.html>.

   Demonstration/proof of concept:
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   a) follow the instructions from
      <https://skanthak.homepage.t-online.de/minesweeper.html>
      and build a minefield of 32-bit forwarder DLLs in your
      "Downloads" directory;

   b) download the executable installer from
      <https://aka.ms/vs/10/release/4336919>
      and save it in your "Downloads" directory;

   c) execute VS10SP1-KB4336919-x86.exe: notice the message boxes
      displayed from the DLLs built in step a!


2. In standard installations of Windows, where the user account
   created during Windows setup is used, the UNPRIVILEGED alias
   UNELEVATED user (or any program running under this account) can
   place arbitrary rogue DLLs in the "Downloads" directory, for
   example per "drive-by download".

   JFTR: the precondition "user account created during setup" holds
         for the vast majority of all Windows installations.
         As published in Microsoft's "security intelligence reports"
         <https://www.microsoft.com/security/sir/>, from 50% to 75%
         of the about 600 million Windows installations which provide
         telemetry data have only one active user account.

   Since the "application manifest" embedded in VS10SP1-KB4336919-x86.exe
   specifies "requireAdministrator", the first vulnerability then
   results in arbitrary code execution WITH escalation of privilege.
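A defender-side check for the loading behaviour described in item 1, as an added Python example (not the advisory's code): it lists the DLLs in an "application directory" such as Downloads whose names collide with System32 DLLs and which the loader would therefore take from that directory. The System32 and KnownDLLs name sets are small assumed samples; on a real system populate them from %SystemRoot%\System32 and the KnownDLLs registry key. The sample Downloads folder is constructed in a temporary directory.

```python
import os
import tempfile

# Assumed samples (not from the advisory): DLL names that live in %SystemRoot%\System32,
# and the KnownDLLs subset that the loader always maps from the system directory,
# so a same-named file in the application directory cannot shadow those.
SYSTEM32_DLLS = {"cryptdll.dll", "cryptsp.dll", "version.dll", "uxtheme.dll",
                 "kernel32.dll", "advapi32.dll", "user32.dll", "msvcrt.dll"}
KNOWN_DLLS = {"kernel32.dll", "advapi32.dll", "user32.dll", "msvcrt.dll"}

def hijackable(dll_name: str) -> bool:
    """True if a same-named file next to an executable would shadow the System32 copy."""
    n = dll_name.lower()
    return n in SYSTEM32_DLLS and n not in KNOWN_DLLS

def planted_dlls(app_dir: str) -> list:
    """List DLLs in app_dir (e.g. a Downloads folder) that would shadow system DLLs."""
    return sorted((n for n in os.listdir(app_dir)
                   if n.lower().endswith(".dll") and hijackable(n)), key=str.lower)

def make_sample_downloads() -> str:
    """Constructed Downloads folder: the KB installer beside two planted names and noise."""
    d = tempfile.mkdtemp(prefix="downloads-")
    for name in ("VS10SP1-KB4336919-x86.exe", "CryptDll.dll", "CryptSP.dll",
                 "kernel32.dll", "unrelated.dll", "readme.txt"):
        open(os.path.join(d, name), "wb").close()
    return d

if __name__ == "__main__":
    d = make_sample_downloads()
    print(f"{d}: DLLs an installer run from here would load instead of System32's:")
    for name in planted_dlls(d):
        print("   ", name)
```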


Mitigations:
~~~~~~~~~~~~

1. DON'T use executable installers; stay far away from such crap!

2. NEVER run executable installers from UNSAFE directories like
   "%USERPROFILE%\Downloads\" or "%TEMP%\".

3. Exercise STRICT privilege separation: use your privileged
   "Administrator" account (especially the account created during
   Windows setup) only for administrative tasks, and a COMPLETELY
   separate unprivileged "standard user" account for your own tasks.


stay tuned
Stefan Kanthak



