Hi @ll,

on Windows 7 (I did not check other versions of Windows, but I'm confident that the underlying bug is present in Windows Vista, Windows Server 2008 [R2], Windows 8[.1] and Windows Server 2012 [R2], i.e. all versions of Windows NT6.x too) the system utilities MMC.exe and DrvInst.exe load and execute a DLL named ".dll", resulting in escalation of privilege.

Since no system DLL by the name ".dll" exists it is loaded via the DLL search path (see )

Proof of concept for MMC.exe:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. download (see for details) and save it as .DLL ['] in an arbitrary directory of your choice;

2. add this directory to the user's (not the system's) PATH [²];

3. download the current Realtek PCIexpress ethernet NIC driver from (via );

4. open the downloaded 0012-Install_Win7_7097_11232015.zip and extract the contents of the "directory" Install_Win7_7097_11232015\WIN7\32 from the .ZIP to an(other) arbitrary directory of your choice;

5. start device manager (i.e. MMC.exe DevMgmt.msc) [³] and install the Realtek ethernet NIC driver from the directory chosen in step 4;

6. see the message box displayed from DllMain() of the loaded .DLL [']

Proof of concept for DrvInst.exe:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. download (see for details) and save it as .DLL ['] in an arbitrary directory of your choice;

2a. add this directory to the system's PATH (yes, this requires administrative privileges [³]);

OR

2b. run the following 2 commands to "copy" the downloaded .DLL to %SystemRoot%\System32:

    MakeCab.exe .DLL "%TEMP%\dummy.cab"
    WUSA.exe "%TEMP%\dummy.cab" /Extract:%SystemRoot%\System32

    (yes, this requires administrative privileges [³]);

3. download the Realtek card reader driver from (via )

4. open the downloaded CardReader_Realtek_6.3.9600.21257_W7x64_A.zip and extract the contents of the "directory" CardReader_Realtek_6.3.9600.21257_W7x64\DrvBin32 from the .ZIP to an(other) arbitrary directory of your choice;

5. start device manager (i.e. MMC.exe DevMgmt.msc) [²] and install the Realtek card reader driver from the directory chosen in step 4;

6. start event viewer (i.e. MMC.exe EventVwr.msc) [²] and find the event log entry from source "Vulnerability and Exploit Detector" generated from DllMain() of the loaded .DLL [']
   (DrvInst.exe runs in the non-interactive "session 0", so SENTINEL.DLL doesn't display a message box and writes an event log entry only).

stay tuned
Stefan Kanthak

['] yes, that's a valid Win32 filename; a DLL named ".dll" is loaded via the following (obviously erroneous) calls of Win32 API functions:

    * LoadLibraryA(""),
    * LoadLibraryA(L""),
    * LoadLibraryW(L""),
    * LoadLibraryExA("", ...),
    * LoadLibraryExA(L"", ...),
    * LoadLibraryExW(L"", ...)

    The most probable cause is feeding of a UNICODE string to the ANSI functions.
    This bug may be triggered via other execution paths in MMC.exe, via installation of other drivers or via other .MSC too!

    PS: %SystemRoot%\System32\WBEM\WMIPrvSE.exe and SysInternals VMMap.exe show this bug too!

[²] of course the system's PATH may be used instead, or the method shown in step 2b. for the DrvInst.exe exploit.

[³] in Windows' default configuration this does NOT trigger the user account control!
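A defender-side check for the condition this post describes, added here as example code (it is not Stefan Kanthak's, and not a Windows tool): it walks an approximation of the DLL search order (System32, the Windows directory, then the PATH entries) and reports every directory that is writable by the current user or already contains a file named ".dll". The demo() function builds a constructed scenario in a temporary directory; the writable test uses os.access, which on Windows only reflects the read-only attribute, so for an exact answer check the directory ACLs instead.

```python
import os
import tempfile
from typing import Dict, List

SUSPECT_NAME = ".dll"  # the bare name that LoadLibrary("") ends up resolving to


def search_dirs(path_value: str, system_root: str, sep: str = os.pathsep) -> List[str]:
    """Approximate default DLL search order: System32, Windows dir, then PATH entries."""
    dirs = [os.path.join(system_root, "System32"), system_root]
    dirs += [d for d in path_value.split(sep) if d]
    seen, ordered = set(), []
    for d in dirs:  # de-duplicate while preserving search order
        key = os.path.normcase(os.path.normpath(d))
        if key not in seen:
            seen.add(key)
            ordered.append(d)
    return ordered


def audit(dirs: List[str]) -> List[Dict[str, object]]:
    """Report directories where a '.dll' could be (or already is) planted."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        planted = os.path.isfile(os.path.join(d, SUSPECT_NAME))
        writable = os.access(d, os.W_OK)  # approximation; use ACLs on Windows for exactness
        if planted or writable:
            findings.append({"dir": d, "planted": planted, "writable": writable})
    return findings


def demo() -> List[Dict[str, object]]:
    """Constructed scenario: a fake %SystemRoot% plus one user-writable PATH entry holding '.dll'."""
    root = tempfile.mkdtemp()
    fake_sysroot = os.path.join(root, "Windows")
    os.makedirs(os.path.join(fake_sysroot, "System32"))
    user_dir = os.path.join(root, "tools")
    os.makedirs(user_dir)
    with open(os.path.join(user_dir, SUSPECT_NAME), "wb") as f:
        f.write(b"MZ")  # constructed stand-in, not a real DLL
    path_value = os.pathsep.join([os.path.join(fake_sysroot, "System32"), user_dir])
    return audit(search_dirs(path_value, fake_sysroot))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```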