Junkware Removal Tool DLL Hijacking

16 Aug 2016, reported by Stefan Kanthak. Source: packetstorm (packetstormsecurity.com)

Junkware Removal Tool vulnerable to DLL hijacking and creates unsafe directory, leading to arbitrary code execution with privilege escalation

Hi @ll,  
  
JRT.exe (see <https://en.malwarebytes.com/junkwareremovaltool/>)  
  
1. is vulnerable to DLL hijacking:  
see <https://cwe.mitre.org/data/definitions/426.html>  
and <https://cwe.mitre.org/data/definitions/427.html> for  
these WELL-KNOWN and WELL-DOCUMENTED beginner's errors;  
  
2. creates an unsafe directory "%TEMP%\jrt":  
see <https://cwe.mitre.org/data/definitions/377.html>  
and <https://cwe.mitre.org/data/definitions/379.html> for  
these WELL-KNOWN and WELL-DOCUMENTED beginner's errors!  
  
An attacker can exploit these vulnerabilities to gain  
arbitrary code execution WITH escalation of privilege.  
  
  
Ad 1.:  
~~~~~~  
  
Applications which are offered as downloads to unsuspecting users  
will typically be saved into the user's "Downloads" directory ...  
which is but a digital minefield: see  
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,  
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>  
and <http://seclists.org/fulldisclosure/2012/Aug/134>.  
  
On a fully patched Windows 7 SP1, JRT.exe loads and executes the  
following DLLs from its "application directory" (which usually  
happens to be the user's "Downloads" directory):  
UXTheme.dll, DWMAPI.dll, PropSys.dll, NTMARTA.dll, Version.dll,  
Secur32.dll  
  
On other versions of Windows this list varies slightly, but JRT.exe  
ALWAYS loads some DLLs from its "application directory".  
  
  
Due to its embedded application manifest which specifies  
"requireAdministrator", JRT.exe runs with administrative privileges:  
all DLLs it loads and executes run with administrative privileges  
too, resulting in arbitrary code execution WITH elevation of  
privilege.  
  
If an attacker is able to place the DLLs named above per "drive-by  
download" in the user's "Downloads" directory this becomes a remote  
code execution WITH elevation of privilege.  
  
  
Proof of concept:  
~~~~~~~~~~~~~~~~~  
  
1. download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>  
and save it as UXTheme.dll, DWMAPI.dll, PropSys.dll, NTMARTA.dll,  
Version.dll, Secur32.dll in your "Downloads" directory;  
  
2. download <https://downloads.malwarebytes.com/file/jrt/> and  
save it in your "Downloads" directory;  
  
3. start the downloaded JRT.exe and notice the message boxes  
displayed from the DLLs planted in step 1.  
  
PWNED!  
  
  
Ad 2.:  
~~~~~~  
  
Upon execution JRT.exe creates the directory "%TEMP%\jrt", extracts  
its payload into it and starts Windows' command processor (with  
administrative privileges too) to run the extracted batch script  
"%TEMP%\jrt\get.bat".  
  
The directory "%TEMP%\jrt" inherits the NTFS permissions of its  
parent "%TEMP%", allowing FULL access for the respective user  
account.  
  
In the "protected", i.e. UAC-controlled, administrator account  
created during Windows setup, "%TEMP%\jrt" is writable without  
administrative privileges: the unprivileged user (or any process  
running without elevation under this user account) can watch for  
the creation of this directory and then (over)write any file  
(for example FIND.COM, REG.COM, NET.COM, PING.COM, FC.COM,  
FINDSTR.COM, TASKLIST.COM, SORT.COM, SCHTASKS.COM, WGET.DAT,  
UNIQ.DAT, SED.DAT, GREP.DAT, NIRCMD.DAT, SHORTCUT.DAT, or the  
DLLs which the *.DAT load from their "application directory"),  
again gaining elevation of privilege.  
  
  
Proof of concept:  
~~~~~~~~~~~~~~~~~  
  
1. download <http://home.arcor.de/skanthak/download/SENTINEL.EXE>  
and save it in your "Downloads" directory;  
  
2. create the following batch script in an arbitrary directory:  
  
--- POC.CMD ---  
:WAIT  
@If Not Exist "%TEMP%\jrt" Goto :WAIT  
  
For %%! In (FIND REG NET PING FC FINDSTR TASKLIST SORT  
SCHTASKS) Do @Copy "%USERPROFILE%\Downloads\SENTINEL.EXE" "%TEMP%\jrt\%%!.COM"  
--- EOF ---  
  
3. download <https://downloads.malwarebytes.com/file/jrt/> and  
save it in your "Downloads" directory;  
  
4. start the batch script POC.CMD;  
  
5. start the downloaded JRT.exe and notice the message boxes  
displayed from the *.COM.  
  
PWNED!  
  
  
Mitigations:  
~~~~~~~~~~~~  
  
* Don't use executable installers!  
  
* Don't use crapware which runs executables from unsafe  
directories like %TEMP%!  
  
* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; use  
<https://msdn.microsoft.com/en-us/library/aa374928.aspx> to  
decode it to "deny execution of files in this directory for  
everyone, inheritable to all files in all subdirectories".  
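The third mitigation, applied and verified with PowerShell, as an added example that is not part of the advisory: it adds exactly the ACE "(D;OIIO;WP;;;WD)" (Deny; object-inherit, inherit-only; FILE_EXECUTE; Everyone) to the current user's %TEMP% and then checks the resulting SDDL for it. It assumes you run it as the user who owns %TEMP%, which is the case for a normal per-user temp directory, so no elevation is needed.

```powershell
# Added example (not the advisory's code): apply the deny-execute ACE
# "(D;OIIO;WP;;;WD)" to %TEMP% and verify it landed in the DACL.
#   D    = deny ACE
#   OIIO = OBJECT_INHERIT | INHERIT_ONLY -> applies to files in this
#          directory and all subdirectories, not to the directory itself
#   WP   = 0x20 = FILE_EXECUTE for file objects
#   WD   = Everyone ("World")
Set-StrictMode -Version Latest

function Add-DenyExecuteAce {
    param([string]$Path = $env:TEMP)

    # S-1-1-0, the well-known "Everyone" SID (SDDL alias WD)
    $everyone = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
        -ArgumentList @([System.Security.Principal.WellKnownSidType]::WorldSid, $null)

    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList @(
            $everyone,
            [System.Security.AccessControl.FileSystemRights]::ExecuteFile,      # WP
            [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,    # OI
            [System.Security.AccessControl.PropagationFlags]::InheritOnly,      # IO
            [System.Security.AccessControl.AccessControlType]::Deny             # D
        )

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)   # .NET keeps the DACL canonical: deny before allow
    Set-Acl -Path $Path -AclObject $acl
}

function Test-DenyExecuteAce {
    param([string]$Path = $env:TEMP)
    # Render only the DACL as SDDL and look for the exact ACE from the advisory.
    $sddl = (Get-Acl -Path $Path).GetSecurityDescriptorSddlForm('Access')
    return ($sddl -like '*(D;OIIO;WP;;;WD)*')
}

Add-DenyExecuteAce
if (Test-DenyExecuteAce) {
    'deny-execute ACE present on {0}' -f $env:TEMP
} else {
    'ACE not found on {0}; check that your account owns this directory' -f $env:TEMP
}
```

Because the ACE is inherit-only, listing, creating and writing files in %TEMP% keep working; only execution of files placed under it is refused, which also breaks any installer that extracts and runs its payload from %TEMP%, consistent with the author's first bullet.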
  
  
stay tuned  
Stefan Kanthak  
  
  
Timeline:  
~~~~~~~~~  
  
2016-08-06 vulnerability report sent to vendor  
  
NO RESPONSE  
  
2016-08-15 report published  
  
  
