{"id":3555,"date":"2016-03-26T19:24:45","date_gmt":"2016-03-26T19:24:45","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3555"},"modified":"2016-03-28T10:17:40","modified_gmt":"2016-03-28T10:17:40","slug":"beyond-good-ol-run-key-part-37","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2016\/03\/26\/beyond-good-ol-run-key-part-37\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 37"},"content":{"rendered":"<p>The technique I will describe today is extremely old and well-known, yet I don&#8217;t recall writing about it in detail and would probably forget about it completely if not for <a href=\"https:\/\/twitter.com\/infoseckitten\">Nick<\/a> who pinged me about it a whiiiiiiiile ago \ud83d\ude42 Thanks Nick!<\/p>\n<p><a href=\"https:\/\/attack.mitre.org\/wiki\/Path_interception\">Path interception<\/a> is a vulnerability type that is abused by both malware and <a href=\"http:\/\/www.commonexploits.com\/unquoted-service-paths\/\">pentesters<\/a>. The most common example of this vulnerability on the Windows platform relies on dropping &#8220;c:\\program.exe&#8221; and waiting for a service or other application to be launched from a path that is not quoted. When quotes are not used, the path is traversed left to right and, at every blank character encountered, the OS attempts to execute whatever program matches the substring traversed so far. Sounds complicated.<\/p>\n<p>In other words:<\/p>\n<ul>\n<li>&#8220;C:\\program Files\\foo bar\\file.exe&#8221;<\/li>\n<\/ul>\n<p>is not equal to<\/p>\n<ul>\n<li>C:\\program Files\\foo bar\\file.exe<\/li>\n<\/ul>\n<p>In the first case, the path is given precisely, with no room for error. 
The OS will attempt to launch only one program.<\/p>\n<p>In the second case, the OS will attempt to launch:<\/p>\n<ul>\n<li>C:\\program.exe<\/li>\n<\/ul>\n<p>first, then:<\/p>\n<ul>\n<li>C:\\program Files\\foo.exe<\/li>\n<\/ul>\n<p>and eventually:<\/p>\n<ul>\n<li>C:\\program Files\\foo bar\\file.exe<\/li>\n<\/ul>\n<p>Nowadays users can&#8217;t freely write to these paths, so to leverage it one needs to explore all the existing autostart locations on the system and find a combination of an unquoted path and a writable directory that enables the exploit to work.<\/p>\n<p>It&#8217;s a simple, yet powerful way not only to gain persistence, but in some cases to elevate privileges as well.<\/p>\n<p>A DLL variant of this vulnerability can rely on adding a new startup entry (or leveraging an existing one) that points to clean components only (e.g. a clean rundll32.exe loading an existing, clean system DLL).<\/p>\n<p>Let&#8217;s look at an example &#8211; we could add something like this to HKCU\\&#8230;\\Run:<\/p>\n<ul>\n<li>rundll32.exe c:\\Program Files\\Internet Explorer\\ieproxy.dll<\/li>\n<\/ul>\n<p>and then drop:<\/p>\n<ul>\n<li>c:\\Program.dll<\/li>\n<\/ul>\n<p>or<\/p>\n<ul>\n<li>c:\\Program Files\\Internet.dll<\/li>\n<\/ul>\n<p>which rundll32.exe would then hopefully load for us.<\/p>\n<p>There is a little caveat though: rundll32.exe checks whether the second token (obtained by splitting the command line on blank characters &#8211; in our case &#8216;Files\\Internet.dll&#8217;) contains a path separator character (&#8216;\\&#8217; or &#8216;\/&#8217;). If it does, rundll32 assumes the command line is malformed and exits. So the above example doesn&#8217;t work.<\/p>\n<p>To bypass it, one could use a root path with more than one space. The old folder name &#8216;C:\\Documents and Settings&#8217; works perfectly here, but it is a legacy path that may not be the best choice for new systems. 
For these systems (and since most new computers are now 64-bit) we can use &#8216;c:\\Program Files (x86)&#8217; (first token: &#8216;c:\\Program&#8217;, second token: &#8216;Files&#8217;, which contains no path separator, so the check passes).<\/p>\n<p>If you see a string like the one below in the Registry under HKCU\\&#8230;\\Run:<\/p>\n<ul>\n<li>&#8220;C:\\Windows\\System32\\rundll32.exe&#8221; c:\\Program Files\\Internet Explorer\\ieproxy.dll<\/li>\n<\/ul>\n<p>it may not raise immediate suspicion. A real-world scenario could go even further and use an even more ambiguous path, e.g. one belonging to a graphics card or a sound card.<\/p>\n<p>Running the aforementioned entry from a command line will get you the following message:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/03\/rundll_program.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-3556 size-medium\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/03\/rundll_program-300x161.png\" alt=\"rundll_program\" width=\"300\" height=\"161\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/03\/rundll_program-300x161.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/03\/rundll_program.png 342w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>This is because rundll32.exe attempts to load C:\\program.dll.<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/03\/rundll_program2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-3557\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/03\/rundll_program2-300x24.png\" alt=\"rundll_program2\" width=\"400\" height=\"33\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/03\/rundll_program2-300x24.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/03\/rundll_program2.png 662w\" sizes=\"(max-width: 400px) 100vw, 400px\" \/><\/a><\/p>\n<p>As such, dropping c:\\&lt;DLL name exploiting path 
truncation&gt;.dll will give you a lame persistence (lame, because you still need to either find an existing clean entry in a startup location or add one, and you need to write to the C:\\ drive &#8211; this could have worked 10 years ago, but not today \ud83d\ude42 ).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The technique I will describe today is extremely old and well-known, yet I don&#8217;t recall writing about it in detail and would probably forget about it completely if not for Nick who pinged me about it a whiiiiiiiile ago \ud83d\ude42 &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/03\/26\/beyond-good-ol-run-key-part-37\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,35,15,19,46,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3555"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3555"}],"version-history":[{"count":5,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3555\/revisions"}],"predecessor-version":[{"id":3575,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3555\/revisions\/3575"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3555"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3555"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3555"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}