SHAREit for Android Authentication Bypass and Remote File Download

2019-02-26 Thread RedForce Advisory
RedForce Advisory
https://redforce.io


## Advisory Information
Title: SHAREit For Android <= 4.0.38 Multiple Vulnerabilities
Advisory URL:
https://blog.redforce.io/shareit-vulnerabilities-enable-unrestricted-access-to-adjacent-devices-files/
Date published: 2019-02-25
Date of last update: 2019-02-25
Vendors contacted: Beijing Shareit Information Technology Co., Ltd.

## Introduction

SHAREit for Android is a popular application used for file transfer
among cross-platform devices using WiFi. It is considered one of the
most popular Android applications with over 500 million downloads
(+950M downloads according to the [AndroidRank database](https://www.androidrank.org/application/shareit_transfer_share/com.lenovo.anyshare.gps?hl=en)).

## Vulnerability Description
SHAREit for Android <= 4.0.38 was found to be prone to multiple high
severity vulnerabilities that enable a remote attacker (on the same
network, or joining the public "open" WiFi hotspot created by the
application when a file transfer is initiated) to download arbitrary
files from the user's device, including contacts, photos, videos, sound
clips, etc.

Full vulnerability technical details can be found in our advisory (
https://blog.redforce.io/shareit-vulnerabilities-enable-unrestricted-access-to-adjacent-devices-files/
)

## Proof of Concept
### Quick Demo
https://www.youtube.com/watch?v=Q4kk4FvrH6g

### Full Length Proof of Concept (GUI and AutoPwn modules)
https://www.youtube.com/watch?v=xzoJXBCznWc

### Exploit Code (dubbed DUMPit)
https://github.com/redforcesec/DUMPit/


## Credits
These vulnerabilities were discovered and researched by Abdulrahman Nour
from RedForce.

## About RedForce
RedForce is an information security consultancy firm consisting of a
team of experts in the offensive security field. By using the latest
techniques, methodologies and attack simulation from an adversary's
perspective, we make sure that your organization is approaching the
best practice to mitigate the risk at the lowest cost. We approach our
offensive services from a holistic angle. Our aim is to contribute
to the efforts of our customers in securing the critical IT
infrastructure and crown jewels within their IT landscape. For more
information, please visit https://redforce.io


Defense in depth -- the Microsoft way (part 60): same old sins and incompetence!

2019-02-26 Thread Stefan Kanthak
Hi @ll,

Microsoft just announced the general availability of their
"Windows Defender Advanced Threat Protection/Endpoint Protection & Response"
for their "downlevel" operating systems Windows 7 and Windows 8.1:
https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Windows-Defender-ATP-s-EDR-capability-for-Windows-7-and-Windows/ba-p/355535

This announcement ends in

| For more information on how you can onboard Windows 7 and Windows 8.1
| machines, check out our documentation

Let's see what Microsoft wants their customers to "board" onto their
Windows 7 and Windows 8.1 installation: this documentation
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-windows-defender-atp
lists below the heading
"Install and configure Microsoft Monitoring Agent (MMA) to report
 sensor data to Windows Defender ATP"

| Download the agent setup file: Windows 64-bit agent or Windows 32-bit agent.

The URLs for these downloads are
https://go.microsoft.com/fwlink/?LinkId=828603
https://go.microsoft.com/fwlink/?LinkId=828604


Vulnerability #1


These URLs, however, redirect to

| HEAD https://go.microsoft.com/fwlink/?LinkId=828604
| HTTP/1.1 302 Moved Temporarily
| Content-Length: 0
| Location: http://download.microsoft.com/download/A/E/7/AE709F7E-37F5-473F-A615-42D6F66AE32F/MMASetup-AMD64.exe
| Server: Kestrel
...
| HEAD https://go.microsoft.com/fwlink/?LinkId=828604
| HTTP/1.1 302 Moved Temporarily
| Content-Length: 0
| Location: http://download.microsoft.com/download/A/E/7/AE709F7E-37F5-473F-A615-42D6F66AE32F/MMASetup-i386.exe
| Server: Kestrel
...

EVERY man-in-the-middle just LOVES Microsoft! Really!

All their documentation and blogs use HTTPS, but for their downloads
they still use HTTP, allowing almost everybody to fiddle with the
downloads to their hearts content and create havoc!

JFTR: of course these downloads can be fetched via HTTPS too, WITHOUT
  the slightest problem!
  If Microsoft would only know...


Vulnerability #2


Let's continue with
https://download.microsoft.com/download/A/E/7/AE709F7E-37F5-473F-A615-42D6F66AE32F/MMASetup-i386.exe
and see what Microsoft offers in MMASetup-i386.exe:

| LINK.exe /DUMP /HEADERS /DEPENDENTS MMASetup-i386.exe
|
| Dump of file MMASetup-i386.exe
|
| PE signature found
|
| File Type: EXECUTABLE IMAGE
|
| FILE HEADER VALUES
|              14C machine (x86)
|                5 number of sections
|         545301EF time date stamp Fri Oct 31 05:28:47 2014

Aaaahhh, a four year old portable executable.
But why does the digital (Authenticode) signature have another
timestamp: "Friday, December 24, 2018, 10:08:18"?

|   Image has the following dependencies:
...
|     msvcrt.dll
|     COMCTL32.dll
|     Cabinet.dll
|     VERSION.dll

BINGO! 3 or 4 SURE candidates for DLL hijacking.

But how bad is it? The embedded "application manifest" contains

|  requestedExecutionLevel level="requireAdministrator"

So this is yet another TRIVIAL-to-exercise "escalation of privilege",
in a piece of software^WJUNK Microsoft ships as a "security solution"!


Vulnerability #3


MMASetup-i386.exe is an IExpress-Installer.

|  Debug Directories
...
|  ...  wextract.pdb


According to MULTIPLE mails/statements from Microsoft's MSRC they
don't use this outdated technology (IExpress installers) any more...
REALITY CHECK, PLEASE!


IExpress installers unpack their payload (embedded in a CAB archive,
which itself is embedded as a "resource" in the "portable executable")
into a subdirectory
%TEMP%\IXP000.tmp
and execute a predefined command line there (here: "Setup.exe").
The payload of MMASetup-i386.exe is

| Setup.exe
| MOMAgent.msi
| MOMAgent..mst
...

JFTR: this in turn means that the VULNERABLE wrapper/self-extractor is
  COMPLETELY superfluous: Microsoft could offer the CAB archive
  they embed in MMASetup-.exe for download, and thus
  eliminate vulnerability #2!

There is but yet another vulnerability here: Setup.exe too is (like
ALMOST ALL such executable installers) vulnerable to DLL hijacking:
it loads (at least) MSI.dll from its "application directory"!

When MMASetup-.exe is run under the user account created
during Windows setup, every UNPRIVILEGED (non-elevated) program running
under this account can write to %TEMP%\IXP000.tmp, for example a rogue
MSI.dll, and exercise again an "escalation of privilege".

GAME OVER, third time!


stay tuned (and far away from so-called "security solutions")
Stefan Kanthak
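The HTTPS-to-HTTP downgrade in vulnerability #1 above is easy to miss because the documentation link itself is HTTPS; only the redirect target is not. The following Python script is an added example (not code from the post or from Microsoft) of the check a defender would run before allowing an agent download: it parses HEAD responses, follows the Location chain, and flags every hop served over plain HTTP. The responses are constructed inline, modelled on the exchange quoted in the post, as a stand-in for issuing the requests live; the 200 response for the payload URL and its Content-Type header are assumed.

```python
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_head_response(raw):
    """Split a raw HTTP response (status line + headers) into (code, headers)."""
    status_line, _, rest = raw.partition("\r\n")
    code = int(status_line.split()[1])
    headers = {}
    for line in rest.split("\r\n"):
        if not line:
            break                      # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers


def audit_redirect_chain(start_url, responses, max_hops=10):
    """Follow Location headers from `start_url` and report every hop that is
    served over plain HTTP. `responses` maps a URL to the raw HEAD response
    recorded for it (a stand-in for issuing the requests live)."""
    url, findings = start_url, []
    for _ in range(max_hops):
        if urlparse(url).scheme != "https":
            findings.append("plain-HTTP hop: " + url)
        raw = responses.get(url)
        if raw is None:
            findings.append("no response recorded for " + url)
            return url, findings
        code, headers = parse_head_response(raw)
        if code in REDIRECT_CODES and "location" in headers:
            url = headers["location"]
        else:
            return url, findings
    findings.append("gave up after %d redirects" % max_hops)
    return url, findings


def https_equivalent(url):
    """The same download URL with the scheme forced to HTTPS, which the post
    notes the download host serves without problems."""
    return urlparse(url)._replace(scheme="https").geturl()


# Constructed responses modelled on the HEAD exchange quoted in the post.
FWLINK = "https://go.microsoft.com/fwlink/?LinkId=828604"
PAYLOAD = ("http://download.microsoft.com/download/A/E/7/"
           "AE709F7E-37F5-473F-A615-42D6F66AE32F/MMASetup-i386.exe")
SAMPLE_RESPONSES = {
    FWLINK: ("HTTP/1.1 302 Moved Temporarily\r\nContent-Length: 0\r\n"
             "Location: " + PAYLOAD + "\r\nServer: Kestrel\r\n\r\n"),
    # assumed final response; the post only shows the redirect
    PAYLOAD: "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n",
}

if __name__ == "__main__":
    final, issues = audit_redirect_chain(FWLINK, SAMPLE_RESPONSES)
    print("final URL:", final)
    for issue in issues:
        print("FINDING:", issue)
    print("fetch instead:", https_equivalent(final))
```

In a deployment pipeline the recorded responses would come from real HEAD requests; the point of the chain walk is that a single HTTPS entry point says nothing about the transport of the bytes that actually get executed, so the check has to run on every hop, and the hardened download uses the HTTPS form of the final URL together with Authenticode verification of the file.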
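Vulnerabilities #2 and #3 above rest on the same mechanism: an elevated executable whose import table names DLLs that are not KnownDLLs, so the loader looks for them first in the executable's own directory (the download folder for MMASetup-*.exe, %TEMP%\IXP000.tmp for Setup.exe). The script below is an added example (not the post's or Microsoft's code) of the triage Stefan performs with LINK /DUMP /DEPENDENTS, done with a minimal import-directory parser: it lists the DLL names an image imports and reports those that will be resolved through the search path. It assumes a subset of the KnownDLLs registry list, which varies by Windows version and should be read from the machine under assessment, and it builds a constructed PE32 fixture so it can run without a real installer; it only covers the static import table, not delay-load imports or runtime LoadLibrary calls.

```python
import struct
import sys

# Assumed subset of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
# Entries differ between Windows versions; a real audit reads the key from the target.
KNOWN_DLLS = {
    "kernel32.dll", "user32.dll", "advapi32.dll", "gdi32.dll", "msvcrt.dll",
    "ole32.dll", "oleaut32.dll", "rpcrt4.dll", "shell32.dll", "shlwapi.dll",
    "ws2_32.dll", "comdlg32.dll", "imm32.dll", "sechost.dll", "setupapi.dll",
}


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, raw_ptr, raw_size in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x not backed by any section" % rva)


def imported_dlls(pe):
    """Return the DLL names in the import directory of a PE32/PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                  # optional header follows COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)      # data directories: PE32 / PE32+
    imp_rva = struct.unpack_from("<I", pe, dd_base + 8)[0]   # directory index 1 = imports
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        va, raw_size, raw_ptr = struct.unpack_from("<III", pe, hdr + 12)
        sections.append((va, raw_ptr, raw_size))
    names = []
    if imp_rva == 0:
        return names
    off = _rva_to_offset(imp_rva, sections)
    while True:
        desc = struct.unpack_from("<IIIII", pe, off)     # IMAGE_IMPORT_DESCRIPTOR
        if not any(desc):
            break                                        # all-zero terminator
        name_off = _rva_to_offset(desc[3], sections)     # desc[3] = Name RVA
        names.append(pe[name_off:pe.index(b"\0", name_off)].decode("ascii"))
        off += 20
    return names


def hijackable_imports(pe):
    """Imports that are not KnownDLLs and are therefore resolved through the
    search path, starting with the executable's own directory."""
    return [d for d in imported_dlls(pe) if d.lower() not in KNOWN_DLLS]


def build_test_pe(dll_names):
    """Constructed fixture: a minimal PE32 whose only content is an import
    directory naming `dll_names`. Not a runnable program."""
    sect_va, sect_raw = 0x1000, 0x200
    table_len = 20 * (len(dll_names) + 1)
    names_blob, table = b"", b""
    for name in dll_names:
        rva = sect_va + table_len + len(names_blob)      # where this name will land
        names_blob += name.encode("ascii") + b"\0"
        table += struct.pack("<IIIII", 0, 0, 0, rva, 0)
    idata = table + b"\0" * 20 + names_blob
    raw_size = (len(idata) + 0x1FF) & ~0x1FF             # 512-byte file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, sect_va, table_len)   # import directory entry
    sect = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(idata), sect_va, raw_size,
                                        sect_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + bytes(opt) + sect).ljust(sect_raw, b"\0") + idata.ljust(raw_size, b"\0")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:  # the dependency list quoted in the post, as a constructed fixture
        image = build_test_pe(["msvcrt.dll", "COMCTL32.dll", "Cabinet.dll", "VERSION.dll"])
    print("imports:", imported_dlls(image))
    print("resolved via search path:", hijackable_imports(image))
```

Run it against a downloaded installer (`python pe_imports.py MMASetup-i386.exe`) or with no argument to see the fixture built from the post's dependency list; msvcrt.dll drops out because it is a KnownDLL, which is why the count is "3 or 4". On the defensive side, the same output tells you which files an attacker-writable download or %TEMP% directory must not be allowed to supply, so the mitigation is to run such installers from a directory only administrators can write to (or, as the post suggests, to ship the CAB/MSI without the self-extracting wrapper).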