Beyond good ol’ Run key, Part 127 + TestHooks bonus

I usually try my best to post completed work here, so please treat this post as an exception that proves the general rule 🙂 I only stumbled upon it today and, seeing the opportunities it may offer, I got too excited to wait and had to post it even though I know lots of work still needs to be done.

Today I noticed that Windows Update (and also SIHClient.exe) references a Registry key:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Test

I love testing-related registry entries as they usually lead to interesting discoveries. For instance, many Windows services refer to TestHooks entries that enable various debugging features, e.g. you can set HKLM\SECURITY\test\TestHooks\Volatile\TreatDeviceAsXbox to 1 to make your OS look like an Xbox.

Anyway…

So once I found out about that Test key I started digging. I quickly discovered that the service is trying to read the value:

  • HKLM\…\WindowsUpdate\Test\AlternateTestCabPath

I added this value and pointed it to c:\test, and soon after I was able to confirm that Windows Update is now trying to read C:\test\autest.cab.

With these two keywords I went to look at the code and discovered that:

  • C:\test\autest.cab must include a file autest.txt
  • autest.txt must include the text:
      Windows Update Test Key Authorization File
      yyyy-mm-ddThh:mm:ss
  • and the autest.cab must be signed

You can create a test CAB file using makecab:

makecab autest.txt autest.cab

My tests stopped here at the moment. Almost. I noticed that the signature check can possibly be bypassed via the ShouldIgnoreTrustVerificationError routine (the name comes from symbols).

Coming back to the main point of this post: once these conditions are met, a number of test features will be enabled.

Since I describe it in the Beyond the good ol’ Run key series, let’s start with the persistence tricks. There are 3 of them, at least.

If any of these entries are present under:

  • HKLM…\WindowsUpdate\Test\EventerHookDll = <path>
  • HKLM…\WindowsUpdate\Test\AllowTestEngine = <path>
  • HKLM…\WindowsUpdate\Test\AlternateServiceStackDLLPath = <path>

… these DLLs will be loaded by Windows Update (which will then be running in test mode).
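From a defender's point of view the values above are the ones worth watching, so here is an added PowerShell audit script (not code from the original post). It checks whether the Test key exists at all, walks the key and its subkeys (several of the options below live under subkeys such as Security\ or AppxHandler\), flags the three DLL-loading values and AlternateTestCabPath, and, where a flagged value points at an existing file, reports that file's Authenticode status. The severity labels and the notes are my own choice, not anything Windows Update itself exposes.

```powershell
# Added audit example, not code from the original post. Reports the contents
# of the Windows Update "Test" key and highlights the values that make the
# service read code or authorization files from a caller-chosen path.
$TestKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Test'

# Values the post identifies as causing Windows Update to load a DLL from <path>
$DllLoaders  = 'EventerHookDll', 'AllowTestEngine', 'AlternateServiceStackDLLPath'
# Value that redirects the autest.cab authorization-file lookup
$CabOverride = 'AlternateTestCabPath'
# Display order for the (self-assigned) severities
$SeverityRank = @{ High = 0; Medium = 1; Low = 2 }

function Get-WUTestKeyFindings {
    param([string]$KeyPath = $TestKey)

    $findings = New-Object System.Collections.Generic.List[object]
    # On a normal host the key does not exist, so the function returns nothing
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $findings }

    # The mere presence of the key is unusual on a production machine
    $findings.Add([pscustomobject]@{
        Severity = 'Medium'; Key = $KeyPath; Value = '(key present)'; Data = ''
        Note = 'Windows Update test options may be enabled'
    })

    # Walk the key itself plus every subkey
    $keys = @(Get-Item -LiteralPath $KeyPath) + @(Get-ChildItem -LiteralPath $KeyPath -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $data     = $key.GetValue($name)
            $severity = 'Low'
            $note     = 'test option set'

            if ($DllLoaders -contains $name) {
                $severity = 'High'
                $note     = 'DLL path loaded by Windows Update'
                # If the value points at an existing file, record its signature status
                if ($data -is [string] -and (Test-Path -LiteralPath $data)) {
                    $sig   = Get-AuthenticodeSignature -LiteralPath $data
                    $note += "; file exists, signature: $($sig.Status)"
                } elseif ($data -is [string]) {
                    $note += '; referenced file not found'
                }
            } elseif ($name -eq $CabOverride) {
                $severity = 'High'
                $note     = 'autest.cab lookup redirected'
            }

            $findings.Add([pscustomobject]@{
                Severity = $severity; Key = $key.Name; Value = $name; Data = $data; Note = $note
            })
        }
    }
    return $findings
}

Get-WUTestKeyFindings | Sort-Object { $SeverityRank[$_.Severity] } | Format-Table -AutoSize
```

Run it as a point-in-time check; for continuous coverage the same key path is a natural candidate for a registry value-set rule (Sysmon event 13) so that creation of any value under WindowsUpdate\Test is logged at the time it happens rather than found later.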

There are many other very interesting options under this Test key node; the ones I could quickly name are as follows:

  • AllowAdmin
  • AllowNonPPL
  • IsStateSeparationEnabled
  • AllowTestEngine
  • SLSNoCache
  • SLSExpireContent
  • SLSFixedURL
  • SLSWriteRequestToRegistry
  • SLS
  • SLSCDNXML
  • SLSResponseCabOverridePath
  • SLSExpireSecsInADay
  • ImpersonateDefApps
  • SubCAOverrides
  • SkipQuorumSignatureChecks
  • ForceGetNewAgentToken
  • TargetServiceForAuthTicket
  • ForceAddTicketsToFail
  • TestACLineStatus
  • TestBatteryFlag
  • TestBatteryLifePercent
  • ForceHandlersInproc
  • AllowAllReadinessLevelsForFlighting
  • SecsInADay
  • UseWUServer
  • UseDeploymentProvider
  • ECPFailOptimizedUpdateDownloadAtIndex
  • Security\HashSubstitution
  • CallbackEventExpirationAge
  • IsInOOBE
  • PRECacheDir
  • TreatInstallAsUninstallInOfflineCab
  • AllowShutdownWhileDebugging
  • AppxHandler\DataSourceScheme
  • AppxHandler\DataSourceClsid
  • RecordTSCallResult
  • Policies\WindowsUpdate
  • Policies\WindowsUpdate\AU
  • IsAoAcDevice
  • EnableCSSimulator
  • Download
  • BatchFlushAgeSus
  • SamplingValueThresholdOverride
  • DetectSamplingValueThresholdOverride
  • AppCategoryCacheLifetime
  • RequestCompression
  • TestClientToken
  • UseBasicAuthProvider
  • DeviceAttributes
  • DisableCatScan
  • AlwaysFireScanEvent
  • DisableDOUsage
  • DisableRegulation
  • SLSBlockAsyncRefreshOnExpire
  • SlsExpireCache
  • SLSNoCache
  • AllowSystemDriveAsExternalVolume
  • ElevateNonAdmins
  • DisableWindowsUpdateAccess
  • NoAppXCaching
  • BlockedClientIds
  • AssumeCostedNw
  • RevisionsChangeContent
  • NoAppStreaming
  • AreMSPreferredUpdatesExemptedOverride
  • UpdateState
  • MOOverrides
  • AppxHandler\CacheLifetimeSecondsOverride
  • ForcedIdleShutdown
  • Download\MSPreferredClassificationIdsOverride
  • MaxAppDownloadJobSize
  • AlternateUpdateApprovalList
  • MOLimitsInKB
  • SkipLoadingReserveManager
  • TreatNewUpdatesAsChangedOrOutOfScopeUpdatesInOfflineCab
  • ForceUserProxyForReporting
  • WSUSInventoryTestServer
  • InventoryCabPath
  • ProcessHandlerResult
  • DeviceAttributes
  • CbsHandler\MaxRequests
  • CbsHandler\DpxResumeFirstResult
  • CbsHandler\DpxResumeNextResults
  • SystemSpecNode\HWID
  • HardwareIdOverride
  • DriverRecoveryIDs
  • DriverQuery-ProblemCode
  • DriverQuery-ProblemStatus
  • DriverQuery-Reboot
  • WinSetupHandlerCacheLifetimeSecondsOverride
  • WinSetupHandlerSkipCrossSessionRegistration
  • HandlerSecsInADay
  • BreakOnHandlerInstallCall
  • TestCert
  • AllowAllReadinessLevelsForFlighting
  • UseDeploymentProvider

I would be lying if I said I know what all of it means, but some of these names imply that with the test settings you could potentially use an alternative Cert Store, DNS settings, allow any SSL connection, downgrade hashes to SHA1, override a number of policies, elevate non-admins, and even download files from different URLs (e.g. whatever is under InventoryCabPath is downloaded to the system, if it exists), etc.

All in all, this is the tip of the iceberg, and once properly researched it may enable avenues for more clandestine C2, persistence and perhaps even lateral movement tricks (adding keys to the remote registry will make Windows Update download/load code for you).

Certulitis – one tool that keeps on giving

Update

EC, who is one of the most technical guys I know, pinged me because he figured out the meaning of that 0x00FB switch. The idea behind it is Windows archaeology at its best and it goes as follows:

The code page your Windows terminal uses is 437. The en dash (‘–’) is ASCII character 150 (0x96). When this character is entered on a terminal using code page 437 it is mapped to ‘û’, which is code 0xFB.

How to use it with certutil?

You can run:

certutil ALT+150<command of your choice>
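To see the mapping EC describes on your own machine, here is an added PowerShell snippet (not from the original post). It encodes the en dash with the Windows-1252 (“ANSI”) code page, which yields byte 0x96, and decodes that same byte with OEM code page 437, which yields ‘û’. The helper name Convert-AnsiCharToOem is my own; it also prints the code page the current console actually uses, which is what decides whether the substitution happens.

```powershell
# Added example, not code from the original post: reproduces the code-page
# mapping with .NET encodings. Windows PowerShell ships these code pages;
# PowerShell 7 registers CodePagesEncodingProvider at startup, so
# GetEncoding(437) works there too.
$Ansi = [System.Text.Encoding]::GetEncoding(1252)   # Windows-1252, the "ANSI" code page
$Oem  = [System.Text.Encoding]::GetEncoding(437)    # OEM code page 437, the classic console code page

function Convert-AnsiCharToOem {
    # Encodes one character with the ANSI code page and decodes the resulting
    # byte with the OEM code page, i.e. what happens when an ANSI character is
    # typed into a console running under code page 437.
    param([Parameter(Mandatory)][char]$Char)
    $bytes   = $Ansi.GetBytes([string]$Char)
    $oemChar = $Oem.GetString($bytes)
    [pscustomobject]@{
        Input     = $Char
        InputCode = 'U+{0:X4}' -f [int]$Char
        AnsiByte  = '0x{0:X2} ({0})' -f $bytes[0]
        OemChar   = $oemChar
        OemCode   = 'U+{0:X4}' -f [int][char]$oemChar
    }
}

# The en dash, U+2013: byte 0x96 (150) in Windows-1252, 'û' (U+00FB) in CP437
Convert-AnsiCharToOem ([char]0x2013)

# Code page of the current console (437 on an en-US system; chcp reports the same number)
[Console]::OutputEncoding.CodePage
```

If the console is running under a different code page (chcp 65001 for UTF-8, for instance), byte 0x96 is not ‘û’ and the trick does not apply, which is why the behaviour looks so puzzling out of context.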

Old Post

Certutil is a really naughty tool. It accepts lots of various command line arguments that I believe are not widely known – and this post (and maybe some follow-up posts) is hoping to change that.

One of the first things I caught when I started analysing its command line arguments was the mysterious, case-insensitive command line argument comparison with the ‘uSAGE’ string. It turns out that certutil offers two different sets of usage information depending on the command line option. If you just use ‘?’ then it’s the ‘official’ version; if it’s ‘uSAGE’ then it’s the unofficial one. Of course, once I found out I ran to Google and Twitter to find out if it is IN THE KNOWN.

Yes, it was. @0gtweet did it my favourite way – the hard way :-), @dunarth did it the right way, and @chris_ayres did it the earliest way (AFAICT).

Okay, with this out of the way, let’s look at the actual command line arguments.

Wait. What about the command line switches? Similarly to PowerShell, certutil accepts command line arguments using a number of different characters:

  • / (Unicode 0x002F)
  • - (Unicode 0x002D)
  • – (Unicode 0x2013)
  • − (Unicode 0x2212)
  • û (Unicode 0x00FB)

I still can’t figure out why the last Unicode character on that list is being accepted. The Unicode character 0x00FB is ‘û’. If you know, please let me know and I will update the post.
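The practical consequence of that list is for logging and detection: a rule that looks for a certutil switch written with a plain hyphen will not match the same switch written with an en dash, a minus sign or ‘û’. The added PowerShell function below (my own code, not from the original post) extracts the switches from a certutil command line and rewrites each with a plain hyphen in lower case, so all five prefix characters and the case-insensitive ‘uSAGE’ spelling compare equal. The sample command lines are constructed and use the benign -hashfile and -dump switches.

```powershell
# Added example, not code from the original post: normalises certutil
# command lines so that a log search or detection rule matches the same
# switch whichever of the five accepted prefix characters was used.
# Prefix class: '/', '-', en dash U+2013, minus sign U+2212, 'û' U+00FB.
$SwitchPattern = '(?<=^|\s)[/\-\u2013\u2212\u00FB](?<name>[A-Za-z]\w*)'

function Get-CertutilSwitches {
    # Returns the switches found in a certutil command line, each rewritten
    # with a plain hyphen and lower-cased, so "–dump", "/DUMP" and "ûdump"
    # all come back as "-dump".
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($m in [regex]::Matches($CommandLine, $SwitchPattern)) {
        '-' + $m.Groups['name'].Value.ToLowerInvariant()
    }
}

# Constructed sample command lines, as they might appear in process-creation logs.
# Lines 2-4 use '–' (U+2013), '−' (U+2212) and 'û' (U+00FB) in place of '-'.
$Samples = @(
    'certutil -hashfile C:\Windows\notepad.exe SHA256',
    "certutil $([char]0x2013)hashfile C:\Windows\notepad.exe SHA256",
    "certutil $([char]0x2212)hashfile C:\Windows\notepad.exe SHA256",
    "certutil $([char]0x00FB)hashfile C:\Windows\notepad.exe SHA256",
    'certutil /dump C:\test\cert.cer',
    'certutil -uSAGE'
)

foreach ($line in $Samples) {
    '{0,-60} -> {1}' -f $line, ((Get-CertutilSwitches $line) -join ' ')
}
```

The first four samples all normalise to -hashfile, the fifth to -dump and the last to -usage. The pattern deliberately requires a letter after the prefix, so the bare ‘?’ switch is not captured; add it explicitly if your rules care about it.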

Another discovery is brought to us by two unusual environment variables:

  • certsrv_rawhex – shows stuff in raw hex (e.g. certs)
  • CertSrv_Chain – enables debugging information being available for cert chain
  • CERTSRV_LOGMAX – maximum length of the certutil.log file
  • CERTSRV_DEBUG – enables certutil debug mode
  • CERTSRV_LOGFILE – name of the log file

The ‘certutil.log’ file is a log file that is created if the DbgIsSSActive function imported from ‘certcli.dll’ (which forwards it to ‘certca.dll’) returns true. I am kidding; it’s a convoluted way to say that certain conditions need to be met for ‘certutil.log’ to be created. They can be set either via the Registry (HKLM\Software\Microsoft\Cryptography\AutoEnrollment\Debug=XXX or HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Debug=XXX), or via the environment variables listed above.

In fact, setting

set CERTSRV_LOGFILE=c:\test\foo.log
set CERTSRV_DEBUG=0xFFFFFFFF

will enable full logging to your main console and to the file c:\test\foo.log.

Pick up your favorite certutil command and give it a go. You will like the output as it helps to troubleshoot your manual testing 🙂

Finally, while certutil is primarily a command line application, it does create a window called ‘CertUtil Application’ of class ‘CertUtil’, and apart from that, provides a UI for some of its commands (e.g. -URL).