Lucene search
K

Microsoft Azure Recovery Services Agent DLL Hijacking

🗓️ 28 May 2017 00:00:00Reported by Stefan KanthakType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 63 Views

Microsoft Azure Recovery Services Agent DLL Hijacking vulnerability in MARSAgentInstaller.exe allows arbitrary code execution via DLL hijacking, resulting in escalation of privilege on standard Windows installations

Code
`Hi @ll,  
  
MARSAgentInstaller.exe, the Microsoft Azure Recovery Services Agent,  
available via  
<https://support.microsoft.com/en-us/help/4020540/fix-the-microsoft-recovery-services-agent-cannot-connect-to-the-obengi>  
from  
<https://download.microsoft.com/download/9/A/9/9A92B144-3F87-45E1-BD63-C1E9431F2CC0/MARSAgentInstaller.exe>  
is vulnerable: it allows arbitrary code execution via DLL hijacking,  
resulting in escalation of privilege on standard installations of  
Windows.  
  
MARSAgentInstaller.exe version 2.0.9072.0, digitally signed 2017-04-05,  
loads and executes (tested on a fully patched Windows 7 SP1) at least  
the following DLLs from its application directory (typically  
"%USERPROFILE%\Downloads\") instead Windows' system directory  
"%SystemRoot%\System32\": Version.dll, CryptDll.dll, CryptSP.dll,  
UXTheme.dll or DWMAPI.dll, Cabinet.dll  
  
Thanks to the embedded application manifest which specifies  
"requireAdministrator" this results in escalation of privilege on  
standard installations of Windows!  
  
See <https://cwe.mitre.org/data/definitions/426.html>,  
<https://cwe.mitre.org/data/definitions/427.html>  
<https://capec.mitre.org/data/definitions/471.html>,  
<https://technet.microsoft.com/en-us/library/2269637.aspx>,  
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and  
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> for this  
well-known beginner's error.  
  
See <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,  
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,  
<http://seclists.org/fulldisclosure/2012/Aug/134> and  
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>  
for more information.  
  
  
Proof of concept/demonstration:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1. visit <https://skanthak.homepage.t-online.de/sentinel.html>,  
download  
<https://skanthak.homepage.t-online.de/skanthak/download/SENTINEL.DLL>  
and save it as Cabinet.dll in your "Downloads" directory, then  
copy it as Version.dll, CryptDLL.dll, CryptSP.dll, UXTheme.dll  
and DWMAPI.dll;  
  
2. visit  
<https://support.microsoft.com/en-us/help/4020540/fix-the-microsoft-recovery-services-agent-cannot-connect-to-the-obengi>,  
download  
<https://download.microsoft.com/download/9/A/9/9A92B144-3F87-45E1-BD63-C1E9431F2CC0/MARSAgentInstaller.exe>  
and save it in your "Downloads" directory;  
  
3. execute MARSAgentInstaller.exe from your "Downloads" directory;  
  
4. notice the message boxes displayed from the DLLs placed in step 1:  
PWNED!  
  
  
Mitigation & detection:  
~~~~~~~~~~~~~~~~~~~~~~~  
  
* NEVER run executable installers from your "Downloads" directory;  
  
* dump/avoid executable installers, use *.MSI instead!  
  
* see <https://support.microsoft.com/en-us/kb/2533623>,  
<https://technet.microsoft.com/en-us/security/2269637> and  
<https://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>  
  
* also see <https://skanthak.homepage.t-online.de/verifier.html>  
and <https://skanthak.homepage.t-online.de/!execute.html>  
  
  
  
stay tuned  
Stefan Kanthak  
  
  
Timeline:  
~~~~~~~~~  
  
2017-05-18 vulnerability report sent to vendor  
  
2017-05-18 reply from vendor:  
"As described in the Windows library search order process,  
loading binaries from the application directory is by design."  
  
2017-05-18 OUCH!  
The "application directory" can be removed from the library  
search path since Windows Vista and KB2533623!  
See <https://msdn.microsoft.com/en-us/library/hh310515.aspx>  
  
2017-05-26 no reply from vendor since 7 days, report published  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation