Hi @ll,

Microsoft just announced the general availability of their "Windows
Defender Advanced Threat Protection/Endpoint Protection & Response" for
their "downlevel" operating systems Windows 7 and Windows 8.1:
https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Windows-Defender-ATP-s-EDR-capability-for-Windows-7-and-Windows/ba-p/355535

This announcement ends in

| For more information on how you can onboard Windows 7 and Windows 8.1
| machines, check out our documentation

Let's see what Microsoft wants their customers to "board" onto their
Windows 7 and Windows 8.1 installations: this documentation
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-windows-defender-atp
lists below the heading "Install and configure Microsoft Monitoring
Agent (MMA) to report sensor data to Windows Defender ATP"

| Download the agent setup file: Windows 64-bit agent or Windows 32-bit agent.

The URLs for these downloads are

https://go.microsoft.com/fwlink/?LinkId=828603
https://go.microsoft.com/fwlink/?LinkId=828604


Vulnerability #1
~~~~~~~~~~~~~~~~

These URLs, however, redirect to

| HEAD https://go.microsoft.com/fwlink/?LinkId=828604
| HTTP/1.1 302 Moved Temporarily
| Content-Length: 0
| Location: http://download.microsoft.com/download/A/E/7/AE709F7E-37F5-473F-A615-42D6F66AE32F/MMASetup-AMD64.exe
| Server: Kestrel
...

| HEAD https://go.microsoft.com/fwlink/?LinkId=828604
| HTTP/1.1 302 Moved Temporarily
| Content-Length: 0
| Location: http://download.microsoft.com/download/A/E/7/AE709F7E-37F5-473F-A615-42D6F66AE32F/MMASetup-i386.exe
| Server: Kestrel
...

EVERY man-in-the-middle just LOVES Microsoft! Really!
All their documentation and blogs use HTTPS, but for their downloads they
still use HTTP, allowing almost everybody to fiddle with the downloads to
their heart's content and create havoc!
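To turn the HTTP downgrade shown in the HEAD transcript above into something a tool flags automatically, here is an added example (mine, not part of Stefan Kanthak's post and not a Microsoft tool). It follows a link's redirect chain one hop at a time, deliberately not auto-following, and reports every hop that is served over plain http. CONSTRUCTED_RESPONSES are modelled on the two HEAD answers quoted above so the script runs offline; head_via_stdlib() is the live equivalent you would pass in instead.

```python
"""Added example: audit a download link's redirect chain for an HTTP downgrade."""
import http.client
from urllib.parse import urljoin, urlsplit


def head_via_stdlib(url, timeout=10):
    """One HEAD request WITHOUT following redirects -> (status, Location or None).

    For live use; the offline demo below injects constructed_head() instead.
    """
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def audit_redirect_chain(url, head, max_hops=10):
    """Follow redirects via `head(url) -> (status, location)` and grade the chain.

    A chain that starts at https and contains any http hop is a downgrade:
    the client authenticated the link server, then fetched the payload from
    a server nobody authenticated.
    """
    hops, current = [url], url
    for _ in range(max_hops):
        status, location = head(current)
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        current = urljoin(current, location)   # Location may be relative
        hops.append(current)
    insecure = [h for h in hops if urlsplit(h).scheme != "https"]
    return {"hops": hops, "insecure_hops": insecure, "final": hops[-1],
            "downgrade": urlsplit(url).scheme == "https" and bool(insecure)}


def https_equivalent(url):
    """The post notes the same files are served over HTTPS; this is the URL to use."""
    parts = urlsplit(url)
    return parts._replace(scheme="https").geturl() if parts.scheme == "http" else url


# Constructed stand-in for the network, modelled on the HEAD output quoted in the post.
FWLINK_AMD64 = "https://go.microsoft.com/fwlink/?LinkId=828603"
FWLINK_I386 = "https://go.microsoft.com/fwlink/?LinkId=828604"
_BASE = "http://download.microsoft.com/download/A/E/7/AE709F7E-37F5-473F-A615-42D6F66AE32F/"
CONSTRUCTED_RESPONSES = {
    FWLINK_AMD64: (302, _BASE + "MMASetup-AMD64.exe"),
    FWLINK_I386: (302, _BASE + "MMASetup-i386.exe"),
}


def constructed_head(url):
    """Offline replacement for head_via_stdlib(): anything unknown is a final 200."""
    return CONSTRUCTED_RESPONSES.get(url, (200, None))


if __name__ == "__main__":
    for link in (FWLINK_AMD64, FWLINK_I386):
        report = audit_redirect_chain(link, constructed_head)
        print("DOWNGRADE" if report["downgrade"] else "ok", link, "->", report["final"])
        if report["downgrade"]:
            print("   fetch instead:", https_equivalent(report["final"]))
```

Running it against the constructed responses prints DOWNGRADE for both fwlinks; swapping constructed_head for head_via_stdlib checks the live chain the same way.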
JFTR: of course these downloads can be fetched via HTTPS too, WITHOUT the
slightest problem! If Microsoft would only know...


Vulnerability #2
~~~~~~~~~~~~~~~~

Let's continue with
https://download.microsoft.com/download/A/E/7/AE709F7E-37F5-473F-A615-42D6F66AE32F/MMASetup-i386.exe
and see what Microsoft offers in MMASetup-i386.exe:

| LINK.exe /DUMP /HEADERS /DEPENDENTS MMASetup-i386.exe
|
| Dump of file MMASetup-i386.exe
|
| PE signature found
|
| File Type: EXECUTABLE IMAGE
|
| FILE HEADER VALUES
|              14C machine (x86)
|                5 number of sections
|         545301EF time date stamp Fri Oct 31 05:28:47 2014

Aaaahhh, a four year old portable executable. But why does the digital
(Authenticode) signature have another timestamp: "Friday, December 24,
2018, 10:08:18"?

|   Image has the following dependencies:
...
|     msvcrt.dll
|     COMCTL32.dll
|     Cabinet.dll
|     VERSION.dll

BINGO! 3 or 4 SURE candidates for DLL hijacking.
But how bad is it? The embedded "application manifest" contains

| requestedExecutionLevel level="requireAdministrator"

So this is yet another TRIVIAL to exercise "escalation of privilege", in
a piece of software^WJUNK Microsoft ships as "security solution"!


Vulnerability #3
~~~~~~~~~~~~~~~~

MMASetup-i386.exe is an IExpress installer.

| Debug Directories
...
| ... wextract.pdb

According to MULTIPLE mails/statements from Microsoft's MSRC they don't
use this outdated technology (IExpress installers) any more...
REALITY CHECK, PLEASE!

IExpress installers unpack their payload (embedded in a CAB archive,
which itself is embedded as a "resource" in the "portable executable")
into a subdirectory %TEMP%\IXP000.tmp and execute a predefined command
line there (here: "Setup.exe").

The payload of MMASetup-i386.exe is

| Setup.exe
| MOMAgent.msi
| MOMAgent.<language>.mst
...
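The LINK /DUMP session above is a manual triage. The following added example (mine, not from the post and not Microsoft code) performs the same three checks programmatically on a PE file: it reads the COFF time stamp and the imported DLL names from the headers, scans for the manifest's requestedExecutionLevel, then treats every import that is not a KnownDLL as a hijack candidate (KnownDLLs always load from System32; everything else is searched in the application directory first) and marks the file as an escalation-of-privilege case when candidates coincide with requireAdministrator. The same triage applies to the extracted Setup.exe and its MSI.dll import. Assumptions: KNOWN_DLLS is a hand-picked excerpt that varies by Windows version, and build_sample_pe() constructs a minimal image carrying the imports and time stamp LINK showed, since the real installer is not part of this post.

```python
"""Added example: triage a Win32 installer image for DLL-hijacking exposure."""
import re
import struct
from datetime import datetime, timezone

# Assumption: excerpt of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
# The real list differs per Windows version; read it from the system under review.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "gdi32.dll",
              "advapi32.dll", "msvcrt.dll", "ole32.dll", "shell32.dll"}

def _u16(b, off): return struct.unpack_from("<H", b, off)[0]
def _u32(b, off): return struct.unpack_from("<I", b, off)[0]
def _cstring(b, off): return b[off:b.index(b"\0", off)].decode("ascii", "replace")

def parse_pe(data):
    """COFF header fields (as LINK /DUMP /HEADERS prints them), import directory, sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = _u32(data, 0x3C)                                       # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff, opt = pe + 4, pe + 24
    datadir = opt + (96 if _u16(data, opt) == 0x10B else 112)   # PE32 vs PE32+
    shdr, sections = opt + _u16(data, coff + 16), []            # SizeOfOptionalHeader
    for i in range(_u16(data, coff + 2)):                       # NumberOfSections
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, shdr + 40 * i + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))
    return {"machine": _u16(data, coff), "timestamp": _u32(data, coff + 4),
            "import_rva": _u32(data, datadir + 8), "sections": sections}

def rva_to_offset(sections, rva):
    for vaddr, size, rawptr in sections:
        if vaddr <= rva < vaddr + size:
            return rawptr + (rva - vaddr)
    raise ValueError("RVA %#x is not backed by any section" % rva)

def imported_dlls(data, pe):
    """Walk IMAGE_IMPORT_DESCRIPTOR entries (20 bytes each) up to the all-zero terminator."""
    names = []
    if not pe["import_rva"]:
        return names
    off = rva_to_offset(pe["sections"], pe["import_rva"])
    while True:
        desc = struct.unpack_from("<IIIII", data, off)          # field 3 is the Name RVA
        if not any(desc):
            break
        names.append(_cstring(data, rva_to_offset(pe["sections"], desc[3])))
        off += 20
    return names

_LEVEL_RE = re.compile(rb'requestedExecutionLevel[^>]*?level="([A-Za-z]+)"')

def manifest_execution_level(data):
    """The manifest is stored as plain XML in the resource section, so a raw scan finds it."""
    m = _LEVEL_RE.search(data)
    return m.group(1).decode() if m else None

def triage(data):
    pe = parse_pe(data)
    dlls = imported_dlls(data, pe)
    level = manifest_execution_level(data)
    candidates = [d for d in dlls if d.lower() not in KNOWN_DLLS]
    return {"link_time": datetime.fromtimestamp(pe["timestamp"], timezone.utc).isoformat(),
            "imports": dlls, "hijack_candidates": candidates, "execution_level": level,
            # A DLL planted in the application directory would run with the elevated token.
            "elevation_of_privilege": level == "requireAdministrator" and bool(candidates)}

def build_sample_pe(dll_names, timestamp, manifest_xml):
    """Constructed test input: a minimal PE32 whose single section holds an import
    directory naming `dll_names` plus the manifest XML. Not a real installer."""
    rva, raw_ptr = 0x1000, 0x200
    names_off, blob, name_rvas = 20 * (len(dll_names) + 1), bytearray(), []
    for n in dll_names:
        name_rvas.append(rva + names_off + len(blob))
        blob += n.encode() + b"\0"
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, r, 0) for r in name_rvas) + b"\0" * 20
    section = descs + bytes(blob) + manifest_xml
    section = section.ljust(-(-len(section) // 0x200) * 0x200, b"\0")
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x0102)  # x86, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, rva, names_off)                    # import directory
    shdr = struct.pack("<8sIIIIIIHHI", b".rdata\0\0", len(section), rva, len(section),
                       raw_ptr, 0, 0, 0, 0, 0x40000040)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + shdr).ljust(raw_ptr, b"\0") + section

# Imports and time stamp are those LINK /DUMP showed for MMASetup-i386.exe in the post;
# the image around them and the manifest text are constructed.
SAMPLE_MANIFEST = (b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
                   b'<trustInfo><security><requestedPrivileges>'
                   b'<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>'
                   b'</requestedPrivileges></security></trustInfo></assembly>')
SAMPLE_PE = build_sample_pe(["msvcrt.dll", "COMCTL32.dll", "Cabinet.dll", "VERSION.dll"],
                            0x545301EF, SAMPLE_MANIFEST)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PE).items():
        print("%-24s %s" % (key, value))
```

On the constructed sample this reports three hijack candidates (COMCTL32.dll, Cabinet.dll, VERSION.dll; msvcrt.dll is excluded only because the assumed KnownDLLs excerpt lists it) together with requireAdministrator, which is exactly the combination the post calls a trivial escalation of privilege. Point triage() at the bytes of any downloaded installer to get the same verdict for it.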
JFTR: this in turn means that the VULNERABLE wrapper/self-extractor is
COMPLETELY superfluous: Microsoft could offer the CAB archive they embed
in MMASetup-<architecture>.exe for download, and thus eliminate
vulnerability #2!

But there is yet another vulnerability here: Setup.exe too is (like
ALMOST ALL such executable installers) vulnerable to DLL hijacking: it
loads (at least) MSI.dll from its "application directory"!

When MMASetup-<architecture>.exe is run under the user account created
during Windows setup, every UNPRIVILEGED (non-elevated) program running
under this account can write to %TEMP%\IXP000.tmp, for example a rogue
MSI.dll, and exercise again an "escalation of privilege".

GAME OVER, third time!

stay tuned (and far away from so-called "security solutions")
Stefan Kanthak