<h1>It rather involved being on the other side of this airtight hatchway: Gaining code execution from a Trojan horse</h1>
<p>Posted 2023-01-03 at <a href="https://devblogs.microsoft.com/oldnewthing/20230103-00/?p=107635">https://devblogs.microsoft.com/oldnewthing/20230103-00/?p=107635</a></p>
<p>Summary: You already have code execution, so it’s not surprising that you can gain code execution.</p>
<p>A security vulnerability report arrived that went roughly like this:</p>
<blockquote class="q">
<p>The Xyz object can be used to execute arbitrary command lines.</p>
<ul>
<li><code>LoadLibrary(L"xyz.dll");</code></li>
<li><code>GetProcAddress</code> for <code>DllGetClassObject</code>.</li>
<li>Call <code>DllGetClassObject</code> with <code>CLSID_Xyz</code> and <code>IID_IXyz</code>.</li>
<li>From the resulting object, call <code>IXyz::Initialize</code>, and then <code>IXyz::Execute</code>.</li>
</ul>
</blockquote>
<p>So far, we don’t have any statement of vulnerability. Sure, the Xyz object can be used to execute arbitrary command lines, but how is that a security vulnerability?</p>
<p>We asked the finder some questions to clarify the nature of the alleged vulnerability.</p>
<blockquote class="q">
<p>Q: What is the attack vector?</p>
<p>A: The attack vector is a Trojan horse executable. The victim needs to double-click the executable, which triggers the exploit.</p>
<p>Q: Is there elevation of privilege?</p>
<p>A: Not at this time.</p>
<p>Q: Is this remote code execution?</p>
<p>A: Essentially, it is not. The exploit must be downloaded to the victim machine in order to proceed with the attack.</p>
<p>Q: As a result of this exploit, what can the attacker do that they couldn’t do without this issue?</p>
<p>A: I don’t know. I am not a professional attacker. The main attack technique is as described in the original report. I think I explained it like this.</p>
</blockquote>
<p>What we have is another case of <a title="It rather involved being on the other side of this airtight hatchway: Executable corruption" href="https://devblogs.microsoft.com/oldnewthing/20070807-00/?p=25683">if I can trick you into running my program, then I have gained code execution</a>, also known jokingly as MS07-052: Code execution leads to code execution.</p>
<p>If you have gained sufficient trust with the victim that they will run any program you give them, then you don’t need the Xyz object in order to launch arbitrary command lines. You already have arbitrary code execution: That’s even better than command line execution! You don’t need to find an existing program that does whatever bad thing you want to do; you can just make your custom program do that bad thing directly.</p>
<p>Tying up some loose ends: The command line passed to <code>IXyz::Execute</code> runs with the same privilege as the caller, so there is no elevation of privilege.</p>
<p><b>Bonus chatter</b>: Not long afterward, we received the following security vulnerability report:</p>
<blockquote class="q"><p>Download and run the following script. It deletes all your files. If run as an administrator, it can delete operating system files.</p></blockquote>
<p>That’s nice, but there is no security vulnerability yet. The script can delete only files that the user has permission to delete. In a way, you can say that the script “unlocks the user’s full file deletion potential”.</p>
<p>If the point of the attack is that the user can be tricked into deleting all their files by running this suspicious script, well, that’s not particularly surprising. If you can trick a user into running a suspicious script, then you have effectively tricked them into granting you full access to their account, and it’s not surprising that you can delete all their files.</p>