`Hi @ll,
MARSAgentInstaller.exe, the Microsoft Azure Recovery Services Agent,
available via
<https://support.microsoft.com/en-us/help/4020540/fix-the-microsoft-recovery-services-agent-cannot-connect-to-the-obengi>
from
<https://download.microsoft.com/download/9/A/9/9A92B144-3F87-45E1-BD63-C1E9431F2CC0/MARSAgentInstaller.exe>
is vulnerable: it allows arbitrary code execution via DLL hijacking,
resulting in escalation of privilege on standard installations of
Windows.
MARSAgentInstaller.exe version 2.0.9072.0, digitally signed 2017-04-05,
loads and executes (tested on a fully patched Windows 7 SP1) at least
the following DLLs from its application directory (typically
"%USERPROFILE%\Downloads\") instead Windows' system directory
"%SystemRoot%\System32\": Version.dll, CryptDll.dll, CryptSP.dll,
UXTheme.dll or DWMAPI.dll, Cabinet.dll
Thanks to the embedded application manifest which specifies
"requireAdministrator" this results in escalation of privilege on
standard installations of Windows!
See <https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>
<https://capec.mitre.org/data/definitions/471.html>,
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> for this
well-known beginner's error.
See <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,
<http://seclists.org/fulldisclosure/2012/Aug/134> and
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>
for more information.
Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. visit <https://skanthak.homepage.t-online.de/sentinel.html>,
download
<https://skanthak.homepage.t-online.de/skanthak/download/SENTINEL.DLL>
and save it as Cabinet.dll in your "Downloads" directory, then
copy it as Version.dll, CryptDLL.dll, CryptSP.dll, UXTheme.dll
and DWMAPI.dll;
2. visit
<https://support.microsoft.com/en-us/help/4020540/fix-the-microsoft-recovery-services-agent-cannot-connect-to-the-obengi>,
download
<https://download.microsoft.com/download/9/A/9/9A92B144-3F87-45E1-BD63-C1E9431F2CC0/MARSAgentInstaller.exe>
and save it in your "Downloads" directory;
3. execute MARSAgentInstaller.exe from your "Downloads" directory;
4. notice the message boxes displayed from the DLLs placed in step 1:
PWNED!
Mitigation & detection:
~~~~~~~~~~~~~~~~~~~~~~~
* NEVER run executable installers from your "Downloads" directory;
* dump/avoid executable installers, use *.MSI instead!
* see <https://support.microsoft.com/en-us/kb/2533623>,
<https://technet.microsoft.com/en-us/security/2269637> and
<https://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>
* also see <https://skanthak.homepage.t-online.de/verifier.html>
and <https://skanthak.homepage.t-online.de/!execute.html>
stay tuned
Stefan Kanthak
Timeline:
~~~~~~~~~
2017-05-18 vulnerability report sent to vendor
2017-05-18 reply from vendor:
"As described in the Windows library search order process,
loading binaries from the application directory is by design."
2017-05-18 OUCH!
The "application directory" can be removed from the library
search path since Windows Vista and KB2533623!
See <https://msdn.microsoft.com/en-us/library/hh310515.aspx>
2017-05-26 no reply from vendor since 7 days, report published
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation