Hi all,
installers compiled with NSIS 3.02 to 3.03 load the ntmarta.dll from the exe directory, which might lead to a vulnerability if an attacker can make a user download a compromised ntmarta.dll.
This is reproducible on Windows 7 with or without SP1, 32- or 64-bit. But it requires the system to be rebooted. On a fresh installation the dll is not loaded, but after some reboots it will be loaded.
I've attached a gif to show that it loads a dll that opens a cmd window.
Here's the code of the simple installer I used:
# set the name of the installer
Outfile "simple-3.03.exe"
# create a default section.
Section
# print a line to the details view (no dialog, no user interaction)
DetailPrint "Just a simple installer"
SectionEnd
I fixed this by adding ntmarta.dll to the Source\exehead\Main.c preloads:
"NTMARTA\0" // Win7 with and without SP1
I added it in line 126.
After compiling with SKIPPLUGINS=all SKIPUTILS=all SKIPMISC=all NSIS_CONFIG_CONST_DATA_PATH=no and exchanging makensis.exe and the stubs the simple installer doesn't load the dll anymore.
If you need any more information please let me know.
Regards,
Torben
Looks like the animations were removed during uploading. Here's a screenshot of the running installer.
I could not reproduce this. I used 32-bit Windows 7 SP0 (6.1.7600) and a simple do nothing installer.
I rebooted twice (restart from the start menu) and on the third boot running the test installer does not show ntmarta.dll in Process Explorer (not in the application directory nor system32).
System::Call 'kernel32::GetModuleHandle(t"ntmarta")p.r0' in the installer is also 0.
Does your machine have any kind of anti-virus or other security/tweaking software installed? Does it happen in SP0/RTM for you or just service packs?
There's no additional software installed besides the VMWare tools. No Windows updates at all, it also occurs on a fresh installed Win 7 32-bit (same build as yours). Please see the attached screenshot.
I tested on real hardware with no internet connection.
Does it always happen after the first reboot or can it require more than one reboot before it triggers?
Do you have the skills to set a breakpoint in WinDbg so we can get a call stack to find out who is loading it?
I haven't done it yet but maybe you can give me a hint? I already installed windbg (just the debugger from the Windows 7 SDK), here's the output of running the simple installer:
First fix your symbols https://stackoverflow.com/questions/30019889/how-to-set-up-symbols-in-windbg
I was able to reproduce it now, not sure how many times I rebooted or why that matters in the first place.
SetErrorMode is the first function NSIS calls so it is a nice thing to put a breakpoint on to speed things up. Then I did bp kernelbase!LoadLibraryExW and then just kcn;g until the module in question is loaded. The culprit is ADVAPI32!AccProvpLoadMartaFunctions called by SetEntriesInAcl and that is called deep down in a codepath related to shell pidls and known folders and the top level problematic function is SHGetFileInfo. There are 25 shell functions between us and the issue in the call stack and it should be fixed if you allow Windows Update to update the system (because we restrict loading to system32 only on patched systems) but I guess we need to add this module to the pre-load workaround list as well. Thank you for reporting.
You refer to KB2533623, right? I know that updating will help but I wanted to let you know. You never know on which systems the installers are executed. Thank you for taking care of it!
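To illustrate the two mitigations discussed in this thread (restricting the DLL search to system32 where KB2533623 is present, and otherwise pre-loading the affected module by full path before any shell call runs), here is an added example; it is not the NSIS exehead code, the preload list and function names are hypothetical, and the Windows-only part is guarded so the path/name helpers build anywhere:

```c
/* Added illustration of the pre-load workaround, not NSIS's own Main.c. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#ifdef _WIN32
#include <windows.h>
#ifndef LOAD_LIBRARY_SEARCH_SYSTEM32
#define LOAD_LIBRARY_SEARCH_SYSTEM32 0x00000800
#endif
#endif

/* Hypothetical preload list; "ntmarta" is the module reported in this thread. */
static const char *const kPreload[] = { "ntmarta", NULL };

/* Build "<sysdir>\<name>.dll", tolerating a trailing backslash on sysdir.
 * Returns 1 on success, 0 if the result would not fit in out[]. */
int build_system32_path(const char *sysdir, const char *name, char *out, size_t cap)
{
    size_t n = strlen(sysdir);
    const char *sep = (n > 0 && sysdir[n - 1] == '\\') ? "" : "\\";
    int len = snprintf(out, cap, "%s%s%s.dll", sysdir, sep, name);
    return len > 0 && (size_t)len < cap;
}

/* Case-insensitive compare of the first n bytes, stopping at a NUL. */
static int ieq_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        int ca = tolower((unsigned char)a[i]), cb = tolower((unsigned char)b[i]);
        if (ca != cb || ca == 0) return 0;
    }
    return 1;
}

/* Is this module name (with or without ".dll") on the pre-load list? */
int is_preloaded_name(const char *module)
{
    size_t len = strlen(module);
    if (len > 4 && ieq_n(module + len - 4, ".dll", 4)) len -= 4;  /* strip ".dll" */
    for (const char *const *p = kPreload; *p; p++)
        if (strlen(*p) == len && ieq_n(*p, module, len)) return 1;
    return 0;
}

#ifdef _WIN32
/* Call this before any shell API. On a system with KB2533623 the search is
 * restricted to system32 outright; otherwise each listed DLL is mapped from
 * its full system32 path so a later implicit load by the shell (here
 * SHGetFileInfo -> SetEntriesInAcl -> AccProvpLoadMartaFunctions) finds the
 * module already loaded instead of searching the exe directory.
 * Returns the number of modules pre-loaded (0 when the search was restricted). */
int preload_system_dlls(void)
{
    typedef BOOL (WINAPI *SetDefDirsFn)(DWORD);
    SetDefDirsFn sdd = (SetDefDirsFn)GetProcAddress(GetModuleHandleA("kernel32"),
                                                    "SetDefaultDllDirectories");
    if (sdd && sdd(LOAD_LIBRARY_SEARCH_SYSTEM32)) return 0;
    char sysdir[MAX_PATH], path[MAX_PATH];
    int loaded = 0;
    if (!GetSystemDirectoryA(sysdir, sizeof sysdir)) return 0;
    for (const char *const *p = kPreload; *p; p++)
        if (build_system32_path(sysdir, *p, path, sizeof path) && LoadLibraryA(path))
            loaded++;
    return loaded;
}
#endif
```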
Here is the full callstack from a tool I made:
Not really sure why the shell feels it needs to change the ACL on a folder or how it detects that the ACL is somehow bad.
Last edit: Anders 2018-03-13
And it needed more than one reboot, two or three maybe.