Microsoft Azure Recovery Services Agent DLL Hijacking
Posted on 31 May 2017
Hi @ll,

MARSAgentInstaller.exe, the Microsoft Azure Recovery Services Agent,
available via
<https://support.microsoft.com/en-us/help/4020540/fix-the-microsoft-recovery-services-agent-cannot-connect-to-the-obengi>
from
<https://download.microsoft.com/download/9/A/9/9A92B144-3F87-45E1-BD63-C1E9431F2CC0/MARSAgentInstaller.exe>
is vulnerable: it allows arbitrary code execution via DLL hijacking,
resulting in escalation of privilege on standard installations of
Windows.

MARSAgentInstaller.exe version 2.0.9072.0, digitally signed 2017-04-05,
loads and executes (tested on a fully patched Windows 7 SP1) at least
the following DLLs from its application directory (typically
"%USERPROFILE%\Downloads") instead of Windows' system directory
"%SystemRoot%\System32":

Version.dll, CryptDll.dll, CryptSP.dll, UXTheme.dll or DWMAPI.dll,
Cabinet.dll

Thanks to the embedded application manifest which specifies
"requireAdministrator" this results in escalation of privilege on
standard installations of Windows: the planted DLLs are loaded into a
process that has already passed the UAC prompt, so their code runs
with administrative privileges although they were written to a
directory every standard user (and every web download) can write to!

See <https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>,
<https://capec.mitre.org/data/definitions/471.html>,
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx>
for this well-known beginner's error.

See <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,
<http://seclists.org/fulldisclosure/2012/Aug/134> and
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>
for more information.


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit <https://skanthak.homepage.t-online.de/sentinel.html>, download
   <https://skanthak.homepage.t-online.de/skanthak/download/SENTINEL.DLL>
   and save it as Cabinet.dll in your "Downloads" directory, then copy
   it as Version.dll, CryptDLL.dll, CryptSP.dll, UXTheme.dll and
   DWMAPI.dll;

2. visit <https://support.microsoft.com/en-us/help/4020540/fix-the-microsoft-recovery-services-agent-cannot-connect-to-the-obengi>,
   download <https://download.microsoft.com/download/9/A/9/9A92B144-3F87-45E1-BD63-C1E9431F2CC0/MARSAgentInstaller.exe>
   and save it in your "Downloads" directory;

3. execute MARSAgentInstaller.exe from your "Downloads" directory;

4. notice the message boxes displayed from the DLLs placed in step 1:
   PWNED!


Mitigation & detection:
~~~~~~~~~~~~~~~~~~~~~~~

* NEVER run executable installers from your "Downloads" directory;

* dump/avoid executable installers, use *.MSI instead!

* see <https://support.microsoft.com/en-us/kb/2533623>,
  <https://technet.microsoft.com/en-us/security/2269637> and
  <https://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>

* also see <https://skanthak.homepage.t-online.de/verifier.html> and
  <https://skanthak.homepage.t-online.de/!execute.html>

stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2017-05-18    vulnerability report sent to vendor
2017-05-18    reply from vendor:
              "As described in the Windows library search order process,
              loading binaries from the application directory is by
              design."
2017-05-18    OUCH! The "application directory" can be removed from the
              library search path since Windows Vista and KB2533623!
              See <https://msdn.microsoft.com/en-us/library/hh310515.aspx>
2017-05-26    no reply from vendor for 7 days, report published
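As an added example that is not part of the original post, the following PowerShell script audits a directory (by default the "Downloads" directory) for the two preconditions the advisory above combines: DLLs that shadow a DLL of the same name in "%SystemRoot%\System32" (the planted Version.dll, CryptDll.dll, CryptSP.dll, UXTheme.dll, DWMAPI.dll and Cabinet.dll of the proof of concept), and executables whose embedded application manifest requests elevation ("requireAdministrator"). The DLL names come from the post; the function names, parameters and output fields are assumptions of this example, and it only inspects files, it does not run anything.

```powershell
# Added example, not code from the original post or from Microsoft.
# Assumptions: Windows PowerShell 5.1 or later on Windows; the default
# directory is "%USERPROFILE%\Downloads"; the watch list is the DLL set
# named in the advisory. Function names are hypothetical.

# DLL names the advisory says MARSAgentInstaller.exe loads from its
# application directory (constructed from the post, not exhaustive).
$AdvisoryWatchList = @('Version.dll', 'CryptDll.dll', 'CryptSP.dll',
                       'UXTheme.dll', 'DWMAPI.dll', 'Cabinet.dll')

function Find-PlantedDll {
    # Lists DLLs in $Directory that shadow a DLL of the same name in
    # System32 or are on the watch list, with their signature status.
    # Any such file in a download directory is suspicious regardless of
    # who signed it: nothing legitimate ships Version.dll into Downloads.
    param(
        [string]$Directory = (Join-Path $env:USERPROFILE 'Downloads'),
        [string[]]$WatchList = $AdvisoryWatchList
    )
    $system32 = Join-Path $env:SystemRoot 'System32'
    Get-ChildItem -Path $Directory -Filter '*.dll' -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File            = $_.FullName
            ShadowsSystem32 = Test-Path (Join-Path $system32 $_.Name)
            OnWatchList     = ($WatchList -contains $_.Name)   # case-insensitive
            Signature       = $sig.Status
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    } | Where-Object { $_.ShadowsSystem32 -or $_.OnWatchList }
}

function Get-RequestedExecutionLevel {
    # Reads the requestedExecutionLevel from the application manifest
    # embedded in an executable. The manifest is stored as plain XML in
    # an RT_MANIFEST resource, so a text search over the file bytes is
    # enough; non-ASCII bytes decode to '?' and do not affect the match.
    param([Parameter(Mandatory)][string]$Path)
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
    if ($text -match 'requestedExecutionLevel[^>]*\blevel\s*=\s*"([^"]+)"') {
        return $Matches[1]      # e.g. requireAdministrator, highestAvailable, asInvoker
    }
    return $null                # no embedded manifest or no execution level
}

function Find-ElevatingInstaller {
    # Executables in $Directory whose manifest asks for elevation: those
    # are the ones where a planted DLL turns into escalation of privilege.
    param([string]$Directory = (Join-Path $env:USERPROFILE 'Downloads'))
    Get-ChildItem -Path $Directory -Filter '*.exe' -File | ForEach-Object {
        $level = Get-RequestedExecutionLevel -Path $_.FullName
        if ($level -in @('requireAdministrator', 'highestAvailable')) {
            [pscustomobject]@{ File = $_.FullName; RequestedExecutionLevel = $level }
        }
    }
}

# Usage: report both halves of the problem for the Downloads directory.
Find-PlantedDll        | Format-Table -AutoSize
Find-ElevatingInstaller | Format-Table -AutoSize
```

Run it before executing any downloaded installer: a non-empty result from both functions in the same directory is exactly the situation described above (a user-writable application directory next to an executable that will run elevated). The script deliberately does not start the installer; the sentinel DLL in the proof of concept is the way to confirm at runtime which names are actually loaded.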