IE 11 Remote Binary Planting (MS16-037)

Microsoft Internet Explorer 11 ships with MSHTML.DLL, which references various DLLs that are not present on a Windows 7 SP1 installation. Windows 10 is not affected (other Windows versions have not been tested).

According to Microsoft “MSHTML.DLL is at the heart of Internet Explorer and takes care of its HTML and Cascading Style Sheets (CSS) parsing and rendering functionality.”

Every application using MSHTML.DLL directly, or another DLL which incorporates MSHTML.DLL (like SHELL32.dll), is prone to binary planting (including services running as SYSTEM), so this issue is not restricted to Microsoft applications.

In addition, certain applications like Microsoft Word/Excel/PowerPoint/Project/PowerShell/… as well as a number of third-party software products are prone to remote binary planting due to the way they use MSHTML.DLL.

Technical Details

MSHTML.DLL on Windows 7 SP1 has missing dependencies for the following DLLs:

[image: mshtml.dll dependencies]

Since all mentioned DLLs are available on a Windows 10 installation, my assumption is that this might be due to developing for Windows 10 and backporting to Windows 7.

Whenever an application uses MSHTML.DLL, either directly or via indirect dependencies (from SHELL32.DLL, for instance), it tries to find API-MS-WIN-APPMODEL-RUNTIME-L1-1-0.DLL using the DLL search order.

If a user and/or a remote attacker is able to control one directory in the system's DLL search path, he can escalate privileges from user to SYSTEM in case of a vulnerable service running as SYSTEM. This happens more often than expected, e.g. when applications such as Python or Ruby are installed directly below the root directory of the system drive C:\.

If a user is tricked into opening e.g. a Word document from a Windows or even WebDAV share that additionally holds a malicious DLL named API-MS-WIN-APPMODEL-RUNTIME-L1-1-0.DLL, the DLL is loaded and executed in the user's context.

Proof-of-Concept Remote Binary Planting

  1. Add a Word document to a share (e.g. hello.docx) accessible from a vulnerable Windows installation.
  2. Add a "malicious" DLL to the same directory and name it api-ms-win-appmodel-runtime-l1-1-0.dll.
  3. Mount the remote Windows share on a Windows 7 PC.
  4. Double-click hello.docx (with Microsoft Word or Word Viewer). The "malicious" DLL is loaded and executed in addition to Word.

To create such a DLL one can use Metasploit’s msfvenom. To make it open calc.exe use the following command:

[image: msfvenom command line]

Solution

Microsoft published the following security advisory: MS16-037.

Additional note: the issue is completely fixed only if MS16-041 is installed as well!


Dealing with Nmap grepable Output

Recently I had to deal with Nmap grepable output. Of course you can say: why not use XML and the Nmap parsers of your favorite scripting language?

Well, if it’s not there you can’t 😉

I needed to get one line per IP and open port, so an nmap line of

192.168.1.64 (server.home.inc) Ports: 21/open/tcp//ftp//FileZilla ftpd 0.9.37 beta/, 80/open/tcp//http//Microsoft IIS httpd 7.5/, 443/open/tcp//https?///, 445/filtered/tcp//microsoft-ds// Ignored State: filtered (65529) Seq Index: 263 IP ID Seq: Incremental

should result in

192.168.1.64,server.home.inc,21
192.168.1.64,server.home.inc,80
192.168.1.64,server.home.inc,443

Therefore I created the following little Perl script, which accepts a regex as a port filter:

#!/usr/bin/perl

use warnings;
use strict;

# note: you have to take the Nmap port output into account for the regex, e.g.
# "open/.+/(ssl|https)" to find open ssl ports
if (@ARGV < 2) {
    print "usage: csv-ports.pl <nmap grepable> <regex service filter>\n";
    exit 1;
}

my $file  = $ARGV[0];
my $regex = $ARGV[1];

# input format: nmap grepable output
# output:
#             ip1,hostname1,port1
#             ip1,hostname1,port2
#             …

# three-argument open combined with "or": with "||" the operator would bind to
# the filename string (always true) and the die branch would never be reached
open(my $fh, '<', $file) or die "Cannot open $file: $!";

while (<$fh>) {
    next if /^\n$|^#.*$/;   # ignore comments and blank lines
    next if /Status/;       # ignore status lines
    chomp;
    # match line
    # $1 IP
    # $2 hostname
    # $3 ports in nmap notation (non-greedy, so the tab-separated
    #    "Ignored State"/"Seq Index" fields do not end up in the last port)
    next if not /^Host: ([\d\.]+) \((.*)\)\tPorts: (.+?)(\t.*)?$/;

    my $ip    = $1;
    my $host  = $2;
    my @ports = split /, /, $3;

    foreach my $port (@ports) {
        next if $port !~ /$regex/i;   # use given regex as filter for ports
        # skip entries without a leading port number instead of printing a stale $1
        next unless $port =~ /^(\d+)/;
        print "$ip,$host,$1\n";
    } # foreach
} # while

close $fh;

So if you want to get only open ports from the output you simply call

perl csv-ports.pl nmap.gnmap "open/"

Note the trailing slash in the regex: omitting it may result in wrong output if "open" is included in the version string or elsewhere in Nmap's output.
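As an added example (not part of the original post), the same extraction done in Python: it parses the tab-separated fields of Nmap's grepable (-oG) format into structured records, so the filter is applied to the port state and service name rather than to the raw string, which sidesteps the "open" in the version string problem noted above. The scan lines in SAMPLE_GNMAP are constructed for this example.

```python
import re
from typing import Iterator, List, NamedTuple

# Constructed sample in Nmap grepable (-oG) format; fields are tab-separated
# as Nmap writes them. Host values mirror the example in the post above.
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated as: nmap -sV -oG scan.gnmap 192.168.1.0/24\n"
    "Host: 192.168.1.64 (server.home.inc)\tStatus: Up\n"
    "Host: 192.168.1.64 (server.home.inc)\tPorts: 21/open/tcp//ftp//FileZilla ftpd 0.9.37 beta/, "
    "80/open/tcp//http//Microsoft IIS httpd 7.5/, 443/open/tcp//https?///, "
    "445/filtered/tcp//microsoft-ds//\tIgnored State: filtered (65529)\tSeq Index: 263\n"
    "Host: 192.168.1.65 ()\tPorts: 8080/open/tcp//http-proxy//open-proxy 1.0/\n"
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned\n"
)

class PortRecord(NamedTuple):
    ip: str
    hostname: str
    port: int
    state: str
    proto: str
    service: str
    version: str

# hostname is non-greedy so the match stops at the first ")\t", not a later one
HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)\t(.*)$")

def parse_gnmap(text: str) -> Iterator[PortRecord]:
    """Yield one record per (host, port). Each 'Ports:' entry has the layout
    port/state/proto/owner/service/rpc/version/; other tab-separated fields
    (Status, Ignored State, OS, Seq Index, ...) are ignored."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment or blank line
        ip, hostname, rest = m.groups()
        fields = dict(f.split(": ", 1) for f in rest.split("\t") if ": " in f)
        for entry in fields.get("Ports", "").split(", "):
            parts = entry.split("/")
            if len(parts) < 7 or not parts[0].isdigit():
                continue  # "Status: Up" lines yield one empty entry here
            yield PortRecord(ip, hostname, int(parts[0]), parts[1], parts[2], parts[4], parts[6])

def open_ports_csv(text: str, service_re: str = "") -> List[str]:
    """'ip,hostname,port' lines for open ports whose service name matches service_re."""
    pat = re.compile(service_re, re.I)
    return [f"{r.ip},{r.hostname},{r.port}" for r in parse_gnmap(text)
            if r.state == "open" and pat.search(r.service)]
```

The 8080 entry carries "open-proxy" in its version string; because the state field is checked on its own, it is reported for the right reason and a version string cannot cause a false match.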

It’s not perfect but it does its job – at least for me 🙂