Microsoft .NET Framework 4.7 DLL Hijacking

`Hi @ll,  
  
the executable installers for .NET Framework 4.7 (released about  
2 months ago)  
  
* NDP47-KB3186500-Web.exe,  
Microsoft .NET Framework 4.7 (Web Installer) for Windows 7 SP1 etc.,  
available from <https://www.microsoft.com/en-us/download/details.aspx?id=55170>,  
  
* NDP47-KB3186497-x86-x64-AllOS-ENU.exe,  
Microsoft .NET Framework 4.7 (Offline Installer) for Windows 7 SP1 etc.,  
available from <https://www.microsoft.com/en-us/download/details.aspx?id=55167>,  
  
* NDP47-KB3186497-x86-x64-AllOS-DEU.exe,  
Microsoft .NET Framework 4.7 Sprachpaket (Offlineinstaller) fur Windows 7 SP1 etc,  
available from <https://www.microsoft.com/de-de/download/details.aspx?id=55169>,  
  
* NDP47-DevPack-KB3186612-ENU.exe,  
Microsoft .NET Framework 4.7 Developer Pack and Language Packs for Windows 7 SP1 etc.,  
available from <https://www.microsoft.com/en-US/download/details.aspx?id=55168>,  
  
are vulnerable: they allow arbitrary code execution via DLL hijacking,  
resulting in escalation of privilege.  
  
On a fully patched Windows 7 SP1 (which has a market share around 50%)  
NDP47-KB3186500-Web.exe, NDP47-KB3186497-x86-x64-AllOS-ENU.exe and  
ALL language packs NDP47-KB3186497-x86-x64-AllOS-???.exe load at  
least the following DLLs from their application directory (typically  
%USERPROFILE%\Downloads\) instead Windows' system directory  
%SystemRoot%\System32\ and execute their DllMain() routine:  
Cabinet.dll, Version.dll, CryptDll.dll, CryptSP.dll, NTMARTA.dll,  
UXTheme.dll, DWMAPI.dll  
  
NDP47-DevPack-KB3186612-ENU.exe loads least the following DLLs from its  
application directory (typically %USERPROFILE%\Downloads\) instead  
Windows' system directory %SystemRoot%\System32\ and executes their  
DllMain() routine:  
Cabinet.dll, MSI.dll, Version.dll, SPP.dll, VSSAPI.dll, ATL.dll,  
VSSTrace.dll, NTMARTA.dll, UXTheme.dll, DWMAPI.dll, CryptSP.dll,  
RPCRTRemote.dll  
  
  
See <https://cwe.mitre.org/data/definitions/426.html>,  
<https://cwe.mitre.org/data/definitions/427.html>  
<https://capec.mitre.org/data/definitions/471.html>,  
<https://technet.microsoft.com/en-us/library/2269637.aspx>,  
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and  
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> for this  
well-known beginner's error.  
  
  
See <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,  
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,  
<http://seclists.org/fulldisclosure/2012/Aug/134> and  
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>  
for more information.  
  
JFTR: it's a shame that these installers, built 2017-04-22, still  
show this 20+ year old beginner's error!  
  
  
For NDP47-KB3186500-Web.exe and NDP47-KB3186497-x86-x64-AllOS-???.exe  
this results thanks to their embedded application manifest which  
specifies "requireAdministrator" in escalation of privilege.  
  
NDP47-DevPack-KB3186612-ENU.exe achieves the escalation of privilege  
with a call of itself via "RunAs".  
  
  
  
  
Proof of concept/demonstration:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1. download <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL>  
and save it as UXTheme.dll in your "Downloads" directory;  
  
2. copy the downloaded UXTheme.dll as Version.dll, Cabinet.dll etc.  
(see the list of DLL names above);  
  
3. download  
<https://download.microsoft.com/download/A/E/A/AEAE0F3F-96E9-4711-AADA-5E35EF902306/NDP47-KB3186500-Web.exe>,  
<https://download.microsoft.com/download/D/D/3/DD35CC25-6E9C-484B-A746-C5BE0C923290/NDP47-KB3186497-x86-x64-AllOS-ENU.exe>,  
<https://download.microsoft.com/download/8/3/8/838A8A52-67BA-4F1C-BA95-FABBA994352C/NDP47-KB3186497-x86-x64-AllOS-DEU.exe>,  
...,  
<https://download.microsoft.com/download/A/1/D/A1D07600-6915-4CB8-A931-9A980EF47BB7/NDP47-DevPack-KB3186612-ENU.exe>,  
and save them in your "Downloads" directory;  
  
4. run the downloaded NDP47-*.exe and notice the message boxes displayed  
from the DLLs: PWNED!  
  
  
Mitigation & detection:  
~~~~~~~~~~~~~~~~~~~~~~~  
  
* NEVER run executable installers from your "Downloads" directory;  
  
* dump/avoid executable installers, use *.MSI instead!  
  
* stay FAR away from software written by sloppy coders who don't  
know their target platform, and ignore their own companies  
guidelines/recommendations!  
  
* see <https://support.microsoft.com/en-us/kb/2533623>,  
<https://technet.microsoft.com/en-us/security/2269637> and  
<https://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>  
  
* also see <https://skanthak.homepage.t-online.de/verifier.html>  
and <https://skanthak.homepage.t-online.de/!execute.html>  
  
* dump .NET Framework alltogether!  
  
  
stay tuned  
Stefan Kanthak  
  
  
Timeline:  
~~~~~~~~~  
  
2017-06-13 vulnerability report sent to vendor  
  
2017-06-13 reply from vendor:  
"MSRC case 39179 opened"  
  
2017-06-21 reply from vendor:  
"We have investigated the issue and determined it does not  
warrant an explicit fix for down level products. [...]  
Loading binaries from the application directory is a by  
design functionality of the Windows library search order  
process."  
  
2017-06-21 OUCH!  
The "application directory" can be removed from the library  
search path since Windows Vista and the update KB2533623!  
See <https://msdn.microsoft.com/en-us/library/hh310515.aspx>  
or <https://msdn.microsoft.com/en-us/library/ms684179.aspx>.  
Which DLLs do the installers need or expect to load from  
their "application directory"?  
  
2017-06-28 no reply from vendor since 7 days, report published  
  
  
  
`