Abusing Microsoft-signed executables

kao

This morning I noticed an article from Cylance named "Graftor Variant Leveraging Signed Microsoft Executable". It's a nice article, so I can really recommend you read it.

TL;DR version: Graftor authors are using DLL hijacking in SrcTool.exe to load their own dbghelp.dll. If antimalware solution trusts executable that's signed by Microsoft (most of them do!) and doesn't check all the DLLs it loads, malicious code will not be detected.

Other vulnerable files

I decided to look for other Microsoft-signed files that could be abused in a similar manner. One quick search for EXE files in folder C:\Program Files (x86)\Windows Kits that also contain string dbghelp.dll and here's the result:

  • agestore.exe
  • cdb.exe
  • dbh.exe
  • kd.exe
  • mftrace.exe
  • ntkd.exe
  • ntsd.exe
  • srctool.exe
  • symchk.exe*
  • symstore.exe
  • tlist.exe
  • tracefmt.exe
  • tracepdb.exe

*symchk.exe also requires SymbolCheck.dll.

All these files are statically linked to dbghelp.dll and therefore vulnerable to DLL hijacking. agestore.exe, mftrace.exe, srctool.exe, symstore.exe, tlist.exe, tracefmt.exe and tracepdb.exe are the best targets - if you don't pass any command-line to them, they load dbghelp.dll but don't call any of its APIs and therefore will not crash.

Demo time

Here's a small fake dbghelp.dll you can use for testing: https://www.mediafire.com/?yx677bhxtyc13pu

Place it in the folder with vulnerable EXE lies and run the EXE. If a "DLL Hijacking" messagebox shows up, the EXE is vulnerable. 🙂 Something like this:

Have fun and keep it safe!

“Unlimited storage” Microsoft-style

kao

What do you think - how large is "unlimited storage"? To me, word "unlimited" means, well, unlimited. "All you can eat". No restrictions.

For a year, Microsoft was offering unlimited storage with their Office 365 package:

Today, storage limits just became a thing of the past with Office 365. Moving forward, all Office 365 customers will get unlimited OneDrive storage at no additional cost. We’ve started rolling this out today to Office 365 Home, Personal, and University customers.

It was not a bad deal - for $6.99/month you could have both Office and unlimited storage.

Of course, some people decided to take Microsoft up on their offer and use that storage. After all, why not?

Fast forward one year. New post from Microsoft OneDrive team tells us this:

Since we started to roll out unlimited cloud storage to Office 365 consumer subscribers, a small number of users backed up numerous PCs and stored entire movie collections and DVR recordings. In some instances, this exceeded 75 TB per user or 14,000 times the average.

Good job guys! 🙂 If I had possibility to use unlimited storage, I'd use it as well!

But somehow Microsoft doesn't like it..

We’re no longer planning to offer unlimited storage to Office 365 Home, Personal, or University subscribers. Starting now, those subscriptions will include 1 TB of OneDrive storage.
...
Free OneDrive storage will decrease from 15 GB to 5 GB for all users, current and new.

So, now you know. "Unlimited" means "please, no more than 5 GB" in Microsoft-speak.