dashpay / dash

Dash - Reinventing Cryptocurrency
https://www.dash.org
MIT License

Local Privilege Escalation during installation (UAC bypass) #1612

Open jimbursch opened 7 years ago

jimbursch commented 7 years ago

The following issue was discovered and reported via the Dash Bug Bounty program: https://www.dash.org/forum/threads/dash-bug-bounty-program.16100/

It is possible for an attacker that has limited admin privileges (not full admin with UAC) to hijack the installation process of your executable by tampering with registry keys belonging to the HKCU hive (current user domain). Your installers require admin privileges (UAC) to install the tool properly but trust registry keys that can be tampered with by underprivileged users in order to perform certain actions. An attacker can tamper with these registry keys and trigger code execution with elevated privileges during the installation and first execution of your software, effectively tampering with files needed by your product.

Replication steps

Windows 7 (tested) for this example - latest (the attack is possible with all installed browsers, just a different reg key to tamper with; examples below).

Tampering registry keys: the attacker (with low-privilege admin) tampers with the content of the following registry keys:

For IE:
[HKEY_CURRENT_USER\Software\Classes\IE.HTTP\shell\open\command]
[HKEY_CURRENT_USER\Software\Classes\IE.HTTPS\shell\open\command]

For Firefox:
[HKEY_CURRENT_USER\Software\Classes\FirefoxHTML\shell\open\command]
[HKEY_CURRENT_USER\Software\Classes\FirefoxURL\shell\open\command]

with value: "C:\Users\user1\Desktop\elevate.bat" "%1"

Install your tool: dashcore-0.12.1.5-win64-setup.exe from https://www.dash.org/get-dash/

After installation is over, the Dash tool is automatically launched, but with full admin privileges.

If the user for some reason clicks any active URL link inside the Dash executable, he will launch elevate.bat with full admin privileges (UAC bypass), which can execute malicious actions, tampering with the installation folder and hijacking your own software.

A one-liner used in the video replaces dash-cli.exe with a malicious dash-cli.exe:

xcopy /s "C:\Users\user1\Desktop\mal\dash-cli.exe" "C:\Program Files\DashCore\daemon\" /Y

where C:\Users\user1\Desktop\mal\dash-cli.exe is a PuTTY client for PoC purposes.

Watch the video attached, where a simple .bat script gains elevated admin privileges during your software installation and writes in your software space.

REFERENCE NUMBER: 22b8626f9839c986b617f17f11b8cad0511b4770af40dbf405864b2fc7471fb7
VRT: V1.2 Client-Side Injection > Binary Planting > Privilege Escalation
TARGET: Dash Core https://github.com/dashpay/dash
BUG URL: dashcore-0.12.1.5-win64-setup.exe , https://www.dash.org/get-dash/
EXTRA INFO: Never trust/rely on resources (registry keys) that can be tampered with by underprivileged users when executing a privileged action like the installation of software. Use the HKEY_LOCAL_MACHINE hive instead to identify browsers and navigate to URLs. If you need to link your installer app to an external link (e.g. a privacy policy page), use a non-elevated executable first and only ask to elevate privileges when the real installation/uninstallation starts.

Never launch an app directly after installation as UAC privileges are inherited.
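Added example, not part of the report above or of the Dash project: a small Python audit that parses a `reg export` dump of HKCU\Software\Classes and reports every per-user override of the browser ProgIDs the report names (IE.HTTP, IE.HTTPS, FirefoxHTML, FirefoxURL). Any such override is worth a look, since a machine-wide browser normally registers under HKLM and an HKCU copy shadows it; the audit adds extra weight when the command points at a script or at a user-writable directory, which is the pattern in the PoC value. The ProgID watch-list, the writable-prefix list and the sample .reg text below are constructed assumptions; the `reg export` command itself is the standard Windows tool.

```python
"""Audit a `reg export HKCU\\Software\\Classes` dump for per-user browser
ProgID overrides of the kind described in the report. Defensive check only."""
import re
import sys
from pathlib import PureWindowsPath

# ProgIDs named in the report (hypothetical watch-list; extend for other browsers).
WATCHED_PROGIDS = {"ie.http", "ie.https", "firefoxhtml", "firefoxurl"}

# Directories a standard user can normally write to (constructed, lower-cased prefixes).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".wsf"}

# Matches a .reg key line such as [HKEY_CURRENT_USER\Software\Classes\FirefoxHTML\shell\open\command]
KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Classes\\([^\\\]]+)\\shell\\open\\command\]$",
    re.IGNORECASE,
)
# Matches the key's default value line: @="..."
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')


def unescape_reg(value: str) -> str:
    """Undo .reg string escaping (doubled backslashes, backslash-escaped quotes)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def executable_of(command: str) -> str:
    """Return the program part of a shell\\open\\command value.
    A quoted path is taken whole; an unquoted one ends at the first space
    (which is how the shell would read it, too)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def classify(exe: str) -> list:
    """Reasons an elevated process should not trust this handler executable."""
    reasons = []
    low = exe.lower()
    if low.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("user-writable location")
    if PureWindowsPath(low).suffix in SCRIPT_EXTENSIONS:
        reasons.append("script rather than a browser binary")
    return reasons


def audit_reg_export(text: str) -> list:
    """Return (progid, command, reasons) for every watched ProgID overridden in HKCU."""
    findings = []
    current = None  # ProgID of the key we are currently inside, if it is a watched one
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("["):  # any other key ends the section of interest
            current = None
            continue
        if current and current.lower() in WATCHED_PROGIDS:
            v = DEFAULT_VALUE_RE.match(line)
            if v:
                command = unescape_reg(v.group(1))
                # A per-user override of a machine-wide browser ProgID is itself notable.
                reasons = ["ProgID overridden in HKCU"] + classify(executable_of(command))
                findings.append((current, command, reasons))
    return findings


def audit_file(path: str, encoding: str = "utf-16") -> list:
    """Audit a file written by `reg export` (which emits UTF-16 by default)."""
    with open(path, encoding=encoding) as fh:
        return audit_reg_export(fh.read())


# Constructed sample export; the FirefoxHTML entry mirrors the PoC value in the report.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\FirefoxHTML\shell\open\command]
@="\"C:\\Users\\user1\\Desktop\\elevate.bat\" \"%1\""

[HKEY_CURRENT_USER\Software\Classes\FirefoxURL\shell\open\command]
@="\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""

[HKEY_CURRENT_USER\Software\Classes\IE.HTTP\shell\open\command]
@="C:\\Users\\user1\\AppData\\Local\\proxy.exe %1"

[HKEY_CURRENT_USER\Software\Classes\Unrelated.Doc\shell\open\command]
@="\"C:\\Users\\user1\\AppData\\Local\\editor.exe\" \"%1\""
"""

if __name__ == "__main__":
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_reg_export(SAMPLE_EXPORT)
    for progid, command, reasons in results:
        print(f"{progid}: {command}\n    {', '.join(reasons)}")
```

On a real machine, produce the input with `reg export HKCU\Software\Classes classes.reg /y` and run `python audit_hkcu_progids.py classes.reg` (the script name is the reader's choice). Only the watched ProgIDs are reported, so the unrelated document handler in the sample is ignored even though it also lives under the user profile; widen `WATCHED_PROGIDS` to cover other browsers or the generic `http`/`https` handlers as needed.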

nmarley commented 6 years ago

@UdjinM6 @codablock @schinzelh Do you know if this is a Dash issue vs a Windows issue? I would think this is more of a Windows configuration issue than anything.