{"id":11754,"date":"2020-04-24T11:08:17","date_gmt":"2020-04-24T18:08:17","guid":{"rendered":"https:\/\/www.zubairalexander.com\/stage\/?p=11754"},"modified":"2020-04-24T17:20:01","modified_gmt":"2020-04-25T00:20:01","slug":"how-microsoft-triages-the-dll-planting-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.zubairalexander.com\/blog\/how-microsoft-triages-the-dll-planting-vulnerabilities\/","title":{"rendered":"How Microsoft Triages the DLL Planting Vulnerabilities"},"content":{"rendered":"<p>On April 21, 2020, the researchers at <a href=\"https:\/\/cymulate.com\/news\/cymulate-discovers-hidden-malware-mstsc\/\" target=\"_blank\" rel=\"noopener noreferrer\">Cymulate<\/a>, a SaaS-based Breach and Attack Simulation (BAS) platform provider, announced that &#8220;it has discovered a method for attackers to run malicious code via Microsoft\u2019s Remote Desktop Protocol (RDP) using a technique called DLL Side-Loading. The executed code would bypass security controls.&#8221; <em>Security Week<\/em> covered this topic in an article titled <a href=\"https:\/\/www.securityweek.com\/microsoft-will-not-patch-security-bypass-flaw-abusing-mstsc\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft Will Not Patch Security Bypass Flaw Abusing MSTSC<\/a>.<\/p>\n<p>All this sounds pretty alarming, but is it? As dramatic as it sounds, I am not sure I would characterize it as &#8220;a new hidden malware defense evasion technique,&#8221; as Cymulate claims. If this were such a serious issue, Microsoft would have been all over it. I am also not convinced that this &#8220;lets attackers bypass the security controls.&#8221;<\/p>\n<p>According to <a href=\"https:\/\/www.securityweek.com\/microsoft-will-not-patch-security-bypass-flaw-abusing-mstsc\" target=\"_blank\" rel=\"noopener noreferrer\">Security Week<\/a>, &#8220;The company told <em>Security Week<\/em> that, depending on the malicious code being executed, an attacker could potentially exploit the flaw to elevate privileges. 
For that they would need to convince a user to execute the mstsc.exe file from the attacker\u2019s folder with elevated privileges.&#8221; In other words, the attacker must already control a folder that holds a copy of mstsc.exe alongside a malicious DLL, and the victim must launch that copy elevated. In my opinion, if the attacker has that much control over the user, the attacker practically owns the user&#8217;s computer anyway.<\/p>\n<p>Microsoft&#8217;s response to this &#8220;discovery&#8221; is that this isn&#8217;t really a DLL side-loading vulnerability that requires a security patch. According to Cymulate&#8217;s announcement, &#8220;Cymulate has notified Microsoft about the vulnerability who has declined to patch it as they state System32 requires admin privileges and is therefore not a perceived threat.&#8221;<\/p>\n<p>Let me explain in more detail why Microsoft does not consider this a serious security threat. Microsoft already has a published process for triaging DLL planting reports, as explained below.<\/p>\n<h4><strong>Triaging DLL Planting Vulnerabilities<\/strong><\/h4>\n<p>Some background first: when a program loads a DLL by name rather than by full path, Windows walks a fixed search order to find it. With SafeDllSearchMode enabled (the default), that order is the application directory, the system directories (System32 and the Windows directory), the current working directory, and finally the directories listed in the PATH environment variable. DLL planting means dropping a DLL with the expected name somewhere earlier in that order than the legitimate copy, so that the program loads the planted one instead.<\/p>\n<p>Microsoft has publicly documented how it triages DLL planting reports. The details are posted on the <a href=\"https:\/\/msrc-blog.microsoft.com\/2018\/04\/04\/triaging-a-dll-planting-vulnerability\/\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft Security Response Center<\/a> blog. Depending on where in the DLL search order the malicious DLL has been planted, the issue typically falls into one of the following categories:<\/p>\n<p>1. Application Directory (App Dir) DLL planting.<br \/>\n2. Current Working Directory (CWD) DLL planting.<br \/>\n3. 
PATH Directories DLL planting.<\/p>\n<h4><strong>App Dir DLL Planting<\/strong><\/h4>\n<p><span style=\"background-color: #ffff99;\">Microsoft classifies App Dir DLL planting as a &#8220;Defense-in-Depth issue&#8221;: the application directory is a trusted location that only an administrator should be able to write to, so the fix is left to the product team and normally ships in a future release rather than as a security update.<\/span> It&#8217;s interesting to note that in Windows 10 Microsoft added a new process mitigation called <strong>PreferSystem32<\/strong>, which swaps the order of the application directory and System32 in the DLL search order for the opted-in process. This blocks hijacking of a system DLL (e.g. mstscax.dll) by planting a copy of it in the application directory, which is exactly the pattern in the mstsc.exe scenario above.<\/p>\n<h4>CWD DLL Planting<\/h4>\n<p><span style=\"background-color: #ffff99;\">Microsoft will issue a security patch for a CWD DLL planting issue because it considers this an &#8220;Important security issue.&#8221;<\/span> The current working directory is attacker-influenced in realistic ways, for example when a user opens a document from a network share and the application then loads a DLL by name from that same share. In fact, if you look at the DLL planting issues fixed by Microsoft in the past, you will notice that most of them fall into this category.<\/p>\n<h4>PATH Directories DLL Planting<\/h4>\n<p>After the App Dir, the system directories and the CWD, the directories listed in the PATH environment variable are the last place Windows looks. Applications and installers add their directories to PATH so their executables and DLLs can be found without a full path. <span style=\"background-color: #ffff99;\">Microsoft has stated that it will not service a DLL planting issue in a PATH directory with a security update, because with a correctly configured PATH there is no security boundary to cross.<\/span><\/p>\n<p>The directories in a default Windows PATH are protected by Access Control Lists (ACLs) that grant write access only to administrators (and SYSTEM). In other words, standard users cannot modify the contents of these directories. If a directory in PATH turns out to be writable by a non-administrator, that misconfiguration is the real bug: Microsoft treats it as an &#8220;Important security issue&#8221; and will issue a security patch for it. 
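<\/p>\n<p>To make the three categories concrete, here is a small PowerShell toolkit, added as an example to this post rather than taken from Microsoft, Cymulate or the MSRC article. It probes every PATH directory for write access as a standard user (a writable one is the &#8220;Important&#8221; case just described), reports which mstscax.dll a running mstsc.exe actually loaded (a copy outside System32 is App Dir planting), and opts mstsc.exe into the PreferSystem32 mitigation. The function names and the probe file name are this example&#8217;s own; Set-ProcessMitigation comes with the ProcessMitigations module on Windows 10 1709 and later, and the .NET types used are standard.<\/p>\n
```powershell
# Added example, not code from the original post: checks that map onto the
# three DLL planting triage categories. Windows PowerShell 5.1 or PowerShell 7
# on Windows 10. Function names and the probe file name are assumptions of
# this example, not anything from Microsoft or Cymulate.

# --- PATH directories -----------------------------------------------------
# A PATH entry that a standard user can write to is the Important case; with
# a default PATH nothing here should come back Writable = True.
# Run this UNELEVATED: an administrator can write almost anywhere, so an
# elevated run proves nothing.
function Test-PathDirectoryWritable {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if ($principal.IsInRole($adminRole)) {
        Write-Warning 'Shell is elevated; re-run as a standard user for a meaningful result.'
    }

    $env:Path -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Select-Object -Unique |
        ForEach-Object {
            $dir      = $_
            $exists   = Test-Path -LiteralPath $dir -PathType Container
            $writable = $false
            if ($exists) {
                # Effective-permission test: actually create and then remove a file,
                # so inherited rights and group memberships are all accounted for.
                $probe = Join-Path $dir ('dll-planting-probe-{0}.tmp' -f [guid]::NewGuid())
                try {
                    $null = New-Item -ItemType File -Path $probe -ErrorAction Stop
                    Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
                    $writable = $true
                } catch {
                    $writable = $false
                }
            }
            [pscustomobject]@{ Directory = $dir; Exists = $exists; Writable = $writable }
        }
}

# --- Application directory ------------------------------------------------
# Which mstscax.dll did a running mstsc.exe really load? The legitimate copy
# lives in System32; any other directory means a planted DLL won the search.
function Get-ModuleLoadOrigin {
    param(
        [string]$ProcessName = 'mstsc',
        [string]$ModuleName  = 'mstscax.dll'
    )
    $system32 = Join-Path $env:SystemRoot 'System32'
    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        # Enumerating modules of another account's processes needs sufficient rights.
        $proc.Modules | Where-Object { $_.ModuleName -ieq $ModuleName } | ForEach-Object {
            $loadedFrom = [IO.Path]::GetDirectoryName($_.FileName)
            [pscustomobject]@{
                ProcessId    = $proc.Id
                ProcessPath  = $proc.Path
                Module       = $_.FileName
                FromSystem32 = ($loadedFrom -ieq $system32)
            }
        }
    }
}

# --- PreferSystem32 mitigation --------------------------------------------
# Opt one image into PreferSystem32 so that a DLL which also exists in
# System32 (mstscax.dll, for instance) is taken from System32 before the
# application directory. Needs an elevated shell and the ProcessMitigations
# module (Windows 10 1709 and later); the setting is stored per image name
# under Image File Execution Options and applies to every process started
# with that name, wherever the executable lives.
function Enable-PreferSystem32 {
    param([string]$ExeName = 'mstsc.exe')
    Set-ProcessMitigation -Name $ExeName -Enable PreferSystem32
    # Read the policy back so the change can be verified.
    Get-ProcessMitigation -Name $ExeName
}

# Usage:
Test-PathDirectoryWritable | Format-Table -AutoSize
Get-ModuleLoadOrigin       | Format-Table -AutoSize
# Enable-PreferSystem32 -ExeName 'mstsc.exe'   # from an elevated shell only
```
\n<p>Run the write probe from an unelevated prompt. It creates and deletes a file in each directory, so it measures effective permissions rather than interpreting ACL entries by hand, and it warns if the shell is elevated because an administrator can write almost anywhere. A PATH entry that exists and comes back Writable is the misconfiguration MSRC rates Important; for everything else the triage stays at Low. The module check answers the question the mstsc.exe scenario turns on: the legitimate mstscax.dll lives in System32, so FromSystem32 = False means a planted copy was picked up from the application directory.<\/p>\n<p>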
However, a PATH directory DLL planting issue on its own is rated a &#8220;Low security issue&#8221; and is not serviced, because an attacker who can already write to an admin-only directory has not crossed any security boundary.<\/p>\n<p>The bottom line: Microsoft&#8217;s argument is that because a default PATH contains no non-admin-writable directory, PATH directory DLL planting can&#8217;t be exploited by a standard user. That&#8217;s why Microsoft doesn&#8217;t consider this a crucial security issue that needs immediate attention and a security patch.<\/p>\n<p>It&#8217;s probably easier for an attacker to use a social engineering or phishing attack to gain administrative access to a user&#8217;s computer than to convince the user to run the attacker&#8217;s copy of mstsc.exe with administrative privilege from the attacker&#8217;s folder.<\/p>\n<table>\n<tbody>\n<tr>\n<td style=\"background-color: #e3e3e3; text-align: left;\">Thanks for reading my article. If you are interested in IT consulting &amp; training services, please reach out to me. Visit <a href=\"https:\/\/www.zubairalexander.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">ZubairAlexander.com<\/a> for information on my professional background.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<p><span style=\"font-size: xx-small; font-family: Verdana;\">Copyright \u00a9 2020 <a href=\"https:\/\/www.seattlepro.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">SeattlePro Enterprises, LLC<\/a>. All rights reserved.<br \/>\n<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>On April 21, 2020, the researchers at Cymulate, a SaaS-based Breach and Attack Simulation (BAS) platform provider, announced that &#8220;it has discovered a method for attackers to run malicious code via Microsoft\u2019s Remote Desktop Protocol (RDP) using a technique called DLL Side-Loading. 
The executed code would bypass security controls.&#8221; Security Week covered this topic in [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":8601,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[43,83,33,24],"tags":[],"class_list":["post-11754","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles","category-bugs","category-remote-desktop","category-security"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2017\/08\/Security2.jpg","_links":{"self":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/posts\/11754","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/comments?post=11754"}],"version-history":[{"count":0,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/posts\/11754\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/media\/8601"}],"wp:attachment":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/media?parent=11754"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/categories?post=11754"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/tags?post=11754"}],"curies":[{"name":"wp","href":"https:\
/\/api.w.org\/{rel}","templated":true}]}}