RE: [Full-Disclosure] Flaws security feature of SP2

From: Verma, Sachin (SVerma_at_ocwen.com)
Date: 08/16/04

    To: full-disclosure@lists.netsys.com
    Date: Mon, 16 Aug 2004 07:23:21 -0400
    
    

    -----Original Message-----
    From: Juergen Schmidt [mailto:ju@heisec.de]
    Sent: Monday, August 16, 2004 3:41 PM
    To: full-disclosure@lists.netsys.com
    Subject: [Full-Disclosure] Flaws security feature of SP2

    Author: Jürgen Schmidt, heise Security
    Date: August 13, 2004
    German Advisory: http://www.heise.de/security/artikel/50046
    English Version: http://www.heise.de/security/artikel/50051

    Overview
    --------
    With Service Pack 2, Microsoft introduces a new
    security feature to warn users before executing
    files that originate from an untrusted location (zone)
    such as the Internet.

    There are two flaws in the implementation of this
    feature: a cmd issue and the caching of ZoneIDs in
    Windows Explorer. The Windows command shell cmd ignores
    zone information and starts executables without
    warnings. Virus authors could use this to spread
    viruses despite the new security features of SP2.

    Windows Explorer does not update zone information
    properly when files are overwritten. So it can be
    tricked to execute files from the internet without
    warning.

    Background
    ----------
    Internet Explorer and Outlook Express mark files that
    are downloaded from the internet or saved from an
    e-mail with a Zone Identifier (ZoneID), which reflects
    the security zone from which it originates. The ZoneIDs
    correspond to the Internet Explorer security
    zones. This information is saved in an Additional Data
    Stream (ADS) of the file. ADS are a feature of the NTFS
    filesystem. ADS with ZoneIDs are named Zone.Identifier
    and can be viewed and modified with Notepad by opening
    ":Zone.Identifier".

    When a user tries to execute a file downloaded from the
    internet and therefore has been given ZoneID=3 at a
    later point, he is prompted with a warning. The ADS is
    persistent even if the file is moved, as long as it
    stays on NTFS drives. Windows built-in ZIP utilities
    honor ZoneIDs and for example do not extract executable
    files from archives with a ZoneID greater than or equal
    to 3.

    1. The cmd Issue
    ----------------
    Description

    The command shell cmd.exe ignores the ZoneID of
    files. The command

    cmd /c evil.exe

    executes the file evil.exe without warning, regardless
    of its ZoneID. Even worse: If an executable file is
    saved as evil.gif, the command

    cmd /c evil.gif

    will launch the program without any warning despite
    its ZoneID being 3. This is true for any file
    extension. The execution of files through cmd
    regardless of its extension is not new in SP2. It works
    with every version of Windows XP.

    Note: By default users are not allowed to save
    "dangerous" files (i.e. files with extensions like
    .exe) in Outlook Express. But they can save executables
    with other file extensions such as .gif. Explorer and
    Outlook Express display them as image. Opening
    (i.e. double clicking) those files in Explorer results
    in the launch of the registered file handler, in this
    case the image viewer.

    Attack vector

    Exploitation of this issue requires some user
    interaction -- at least as long as nobody comes up with
    a way to execute cmd.exe with parameters from within
    Outlook Express or Internet Explorer. But viruses doing
    "social engineering" are commonplace by now. Bagle &
    Co asked users to enter a password to decode encrypted
    attachments. Therefore a virus author could create an
    e-mail worm like this:

    --
    Attached: access.gif
    Hello,
    attached you find the copy of your access data you
    requested. For security reasons, the file is scrambled
    and can only be viewed with cmd. To view it, save the
    attached file, execute "cmd" from the start menu,
    drag&drop the file into the new window and hit
    return. cmd will descramble the file for you.
    --
    If the user follows these instructions, the attached
    file is executed without any warning.

    This might even deceive some of the more experienced
    users, because they do not expect files with extensions
    like "gif" to carry executable content and to be
    executed in such a simple manner.

    Additionally this method will evade some antivirus
    software, which only scans/blocks files with extensions
    which it knows to be potentially dangerous.

    2. Windows Explorer caching of ZoneIDs
    --------------------------------------
    Description

    Windows Explorer caches the result of ZoneID
    lookups. If a file is overwritten, Explorer does not
    properly update this cached information to reflect the
    new ZoneID. This allows spoofing of trusted or
    non-existent ZoneIDs by overwriting files with trusted
    or non-existent ZoneIDs.

    The following steps illustrate the problem.

       1. Copy notepad to a new file.
       > copy c:\windows\notepad.exe test.exe
          You may also use Explorer to copy the file.
       2. Open test.exe in Explorer: no warning.
       3. evil.exe is a file saved from an e-mail
          attachment and has ZoneID=3. Check with your
          editor by opening "evil.exe:Zone.Identifier". It
          displays: ZoneID=3
          Open evil.exe in Explorer: you will be warned.
       4. Overwrite the copy of notepad.exe:
       > copy evil.exe test.exe
          test.exe:Zone.Identifier displays: ZoneID=3
       5. Open test.exe in Explorer: no warning!
          test.exe is launched without warning despite
          its ZoneID=3. In the file properties, Explorer
          shows the correct notice about its origin, but
          for opening the file the old ZoneID-status is
          used.
       6. Double-check: Kill the Explorer task, restart it
          and launch test.exe: you will be warned.
    Attack vector

    Exploiting this issue requires the ability to overwrite
    existing files which have a trusted or non-existent
    ZoneID. Right now there is no known way to achieve this
    in an attack mounted from the Internet.

    Vendor status
    -------------
    heise Security has notified Microsoft about both issues
    on August 12. Microsoft Security Response Center
    responded:

    "We have investigated your report, as we do with all
    reports, however in this case, we don't see these
    issues as being in conflict with the design goals of
    the new protections. We are always seeking improvements
    to our security protections and this discussion will
    certainly provide additional input into future security
    features and improvements, but at this time we do not
    see these as issues that we would develop patches or
    workarounds to address."

    You find some personal thoughts about this response in
    the latest comment on heise Security: Microsoft: A
    matter of trust,
    http://www.heise.de/security/artikel/50054
    -- 
    Juergen Schmidt    Chefredakteur  heise Security   www.heisec.de
    Heise Zeitschriften Verlag,  Helstorferstr. 7,  D-30625 Hannover
    Tel. +49 511 5352 300 FAX +49 511 5352 417    EMail ju@heisec.de
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
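Added example, not part of the advisory above and not code from heise Security or Microsoft: a small Python script that shows what the Zone.Identifier stream the advisory describes looks like, parses it, and checks a file's leading bytes for the "MZ" header that every Windows executable carries, so a defender can flag downloaded files whose extension (such as .gif) hides a program that cmd would run anyway. The file names, contents and stream texts below are constructed in memory so the script runs on any OS; on NTFS the stream text would be obtained by opening "<path>:Zone.Identifier" exactly as the advisory says. Because the script reads the mark from disk itself rather than asking Explorer, it is also unaffected by the stale-cache behaviour of issue 2. The zone number names and the list of "non-executable" extensions are assumptions for the example.

```python
"""Flag files whose Zone.Identifier mark or content deserves a second look.

Added example, not from the original advisory. Works on constructed in-memory
samples; on NTFS the stream text would be read by opening "<path>:Zone.Identifier".
"""
import re
from dataclasses import dataclass
from typing import Optional

# Zone numbers as used by Internet Explorer security zones (assumed mapping).
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Extensions a user would not expect to carry executable content (assumed list).
NON_EXECUTABLE_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png", ".txt", ".pdf"}


def parse_zone_identifier(stream_text: Optional[str]) -> Optional[int]:
    """Parse the INI-style Zone.Identifier stream and return its ZoneId.

    A typical stream reads "[ZoneTransfer]\r\nZoneId=3\r\n". Returns None when
    there is no stream or no ZoneId inside the [ZoneTransfer] section.
    """
    if stream_text is None:
        return None
    in_section = False
    for line in stream_text.splitlines():
        line = line.strip()
        if line.lower() == "[zonetransfer]":
            in_section = True
            continue
        if line.startswith("["):          # some other section starts
            in_section = False
            continue
        if in_section:
            m = re.match(r"(?i)zoneid\s*=\s*(\d+)", line)
            if m:
                return int(m.group(1))
    return None


def looks_like_pe(data: bytes) -> bool:
    """True when the bytes begin with the DOS 'MZ' header of a Windows executable."""
    return data[:2] == b"MZ"


@dataclass
class Finding:
    name: str
    zone_id: Optional[int]
    is_executable: bool
    verdict: str


def classify(name: str, content: bytes, zone_stream: Optional[str]) -> Finding:
    """Combine the ZoneId mark with what the bytes actually are."""
    zone = parse_zone_identifier(zone_stream)
    exe = looks_like_pe(content)
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if exe and ext in NON_EXECUTABLE_EXTENSIONS:
        # Extension says "image", content says "program": the access.gif case.
        verdict = "disguised executable"
    elif exe and zone is not None and zone >= 3:
        verdict = "untrusted executable"   # Explorer would warn; cmd would not
    elif exe:
        verdict = "executable"
    else:
        verdict = "data"
    return Finding(name, zone, exe, verdict)


# Constructed samples: (file name, first bytes of the file, Zone.Identifier text or None)
SAMPLES = [
    ("access.gif", b"MZ\x90\x00" + b"\x00" * 60, "[ZoneTransfer]\r\nZoneId=3\r\n"),
    ("photo.gif", b"GIF89a" + b"\x00" * 16, "[ZoneTransfer]\r\nZoneId=3\r\n"),
    ("test.exe", b"MZ\x90\x00" + b"\x00" * 60, "[ZoneTransfer]\r\nZoneId=3\r\n"),
    ("notepad_copy.exe", b"MZ\x90\x00" + b"\x00" * 60, None),
]


def scan(samples=SAMPLES):
    """Classify every sample; on a real system this would walk a directory."""
    return [classify(n, c, z) for n, c, z in samples]


if __name__ == "__main__":
    for f in scan():
        zone = ZONE_NAMES.get(f.zone_id, str(f.zone_id)) if f.zone_id is not None else "no mark"
        print(f"{f.name:18} zone={zone:15} pe={str(f.is_executable):5} {f.verdict}")
```

Run as a script it prints one line per sample; the "disguised executable" verdict for access.gif is the case the advisory's worm text relies on, and it is reached from the file's bytes alone, so neither a missing mark nor a stale Explorer cache changes the result.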
    
