{"id":107725,"date":"2023-01-18T07:00:00","date_gmt":"2023-01-18T15:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=107725"},"modified":"2023-01-18T06:56:40","modified_gmt":"2023-01-18T14:56:40","slug":"20230118-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20230118-00\/?p=107725","title":{"rendered":"It rather involved being on the other side of this airtight hatchway: Attacking a user by modifying that user&#8217;s files"},"content":{"rendered":"<p>A security vulnerability report arrived that went something like this:<\/p>\n<blockquote class=\"q\">\n<p>Windows is vulnerable to remote code execution as follows:<\/p>\n<ul>\n<li>Modify the file <code>%USERPROFILE%\\<wbr \/>AppData\\<wbr \/>Local\\<wbr \/>Contoso\\<wbr \/>BlahBlah<\/code> and add this line to the PlugIns section.<\/li>\n<li>Run the <code>contoso.exe<\/code> program.<\/li>\n<li>The <code>contoso.exe<\/code> program loads its configuration from the <code>BlahBlah<\/code> file.<\/li>\n<li>When the Contoso app starts, it tries to create a plug-in from the object you configured in the PlugIns section, passing the initialization data you also specified in the PlugIns section.<\/li>\n<li>By crafting the initialization data, you can get the system-provided object to run a command controlled by the attacker.<\/li>\n<\/ul>\n<\/blockquote>\n<p>That&#8217;s all very interesting, but what is the vulnerability?<\/p>\n<p>They never said.<\/p>\n<p>The fact that the system-provided object can be induced into executing a command based on its initialization data is not surprising in this case: The initialization data for this particular system-provided object contains a serialized COM object, and deserializing it would naturally end up creating whatever you serialized.<\/p>\n<p>My guess is that the finder was excited that they could modify a file in a way that leads to code execution when a program is run. 
But let&#8217;s look at our usual questions.<\/p>\n<p>Who is the attacker?<\/p>\n<p>The attacker is presumably somebody who is able to modify the configuration file.<\/p>\n<p>Who is the victim?<\/p>\n<p>The victim is presumably the user whose configuration file got modified.<\/p>\n<p>What has the attacker gained?<\/p>\n<p>Actually, if you look back at the earlier two questions, you&#8217;ll see that the attacker and the victim are the same person!<\/p>\n<p>In order to modify a file under a user&#8217;s profile, you have to be that user or an administrator: the default ACL on the profile grants write access to the user, SYSTEM, and Administrators, and to nobody else, and the configuration file inherits it. Either way, you haven&#8217;t gained any privileges beyond what you already had. If you&#8217;re the user, then you are attacking yourself. If you&#8217;re the administrator, well, it&#8217;s not interesting that the administrator can attack any user.<\/p>\n<p>If you already had the power to modify the user&#8217;s files, then you don&#8217;t need to go to all the work of editing an obscure configuration file for a program the user might not even run. 
Just drop a batch file in the user&#8217;s Startup folder.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You&#8217;re just attacking yourself.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[26],"class_list":["post-107725","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-other"],"acf":[]}
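The post's argument rests on one assumption: that only the user, SYSTEM and Administrators can write the configuration file. The following PowerShell script is an editor-added example, not code from the post or from Microsoft, that checks that assumption before a report like this is closed as "attacking yourself". It reads the ACL of the file and of its parent directory (the right to delete or create entries in the directory is enough to replace the file), lists every principal with an Allow ACE granting write-type rights, and flags any principal outside the expected set. The `Contoso\BlahBlah` path is the post's placeholder; the real file name was never given, so the script takes the path as a parameter.

```powershell
<#
Editor-added example, not code from the original post. Given a per-user
configuration file, report who can modify it and decide whether modifying
it crosses a security boundary. If nobody beyond the owner, the current
user, SYSTEM and Administrators can write the file or its directory, the
"attacker" is the victim (or an administrator), as the post argues. Any
other principal with write access would be a real finding.
The default path uses the post's placeholder name; the real file was elided.
#>
param(
    [string]$ConfigPath = (Join-Path $env:LOCALAPPDATA 'Contoso\BlahBlah')
)

# Rights that let a principal change the file's contents or replace it.
# Write = WriteData|AppendData|WriteAttributes|WriteExtendedAttributes;
# on a directory, WriteData/AppendData mean CreateFiles/CreateDirectories.
$script:WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                      [System.Security.AccessControl.FileSystemRights]::Delete -bor
                      [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                      [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Get-Writers {
    # Principals with an Allow ACE granting any of $WriteRights on $Path.
    # Simplification: Deny ACEs and group membership are not evaluated, so
    # access granted through a group is reported under the group's name.
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $script:WriteRights) -ne 0)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

function Test-CrossesBoundary {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "No such file: $Path"
    }
    $owner = (Get-Acl -LiteralPath $Path).Owner
    $me    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    # The set whose write access the post's argument takes for granted.
    $expected = @($owner, $me, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

    # Writers of the file itself plus writers of its containing directory.
    $writers = @(Get-Writers -Path $Path) +
               @(Get-Writers -Path (Split-Path -LiteralPath $Path -Parent)) |
               Sort-Object -Unique
    $unexpected = @($writers | Where-Object { $expected -notcontains $_ })

    [pscustomobject]@{
        Path            = $Path
        Owner           = $owner
        Writers         = $writers
        Unexpected      = $unexpected
        # $true only if someone outside the victim/admin set can modify the
        # file; that is the finding that would turn this report into a bug.
        CrossesBoundary = ($unexpected.Count -gt 0)
    }
}

Test-CrossesBoundary -Path $ConfigPath | Format-List
```

Run it as the user whose profile holds the file: `.\Check-ConfigWriters.ps1 -ConfigPath "$env:LOCALAPPDATA\Contoso\BlahBlah"` (the script name is the editor's choice). On an unmodified profile the `Writers` list contains only the user, `NT AUTHORITY\SYSTEM` and `BUILTIN\Administrators`, `Unexpected` is empty and `CrossesBoundary` is `False`, which is exactly the situation the post describes. If `BUILTIN\Users`, `Everyone` or a service account shows up under `Unexpected`, the attacker is no longer the victim and the report deserves a second look. Because the script does not expand group membership or honour Deny ACEs, treat its output as a triage aid rather than an authoritative effective-access calculation.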