<html>
<h3>Flaws in SP2 security features</h3>
<p>Author: Jürgen Schmidt, <a href="http://www.heisec.de">heise Security</a><br>
Date: August 13, 2004<br>
German Advisory: <a href="https://www.heise.de/security/artikel/50046">https://www.heise.de/security/artikel/50046</a><br>
English Version: <a href="https://www.heise.de/security/artikel/50051">https://www.heise.de/security/artikel/50051</a></p>
<h4>Overview</h4>
<p>With Service Pack 2, Microsoft introduces a new security
feature which warns users before executing files that
originate from an untrusted location (zone) such as the
Internet.</p>
<p>There are two flaws in the implementation of this
feature: a cmd issue and the caching of
ZoneIDs in Windows Explorer. The Windows command shell cmd ignores zone
information and starts executables without
warnings. Virus authors could use this to spread
viruses despite the new security features of SP2.
</p>
<p>Windows Explorer does not update zone information
properly when files are overwritten. So it can be
tricked to execute files from the internet without
warning.</p>
<h4>Background</h4>
<p>Internet Explorer and Outlook Express mark files that
are downloaded from the internet or saved from an
e-mail with a Zone Identifier (ZoneID), which reflects
the security zone from which it originates. The ZoneIDs
correspond to the Internet
Explorer security zones. This information is saved in an Additional
Data Stream (ADS) of the file. ADS are a feature of
the NTFS filesystem. ADS with ZoneIDs are named Zone.Identifier and
can be viewed and modified with Notepad by opening
"<file>:Zone.Identifier".</p>
<p>When a user later tries to execute a file that was downloaded
from the internet and therefore carries ZoneID=3,
he is prompted with a warning. The ADS persists
even if the file is moved, as long as it
stays on NTFS drives. The Windows built-in ZIP utilities
honor ZoneIDs and, for example, do not extract executable
files from archives with a ZoneID greater than or equal to 3.</p>
<h4>1. The cmd Issue</h4>
<p><strong>Description</strong></p>
<p>The command shell cmd.exe ignores the ZoneID of files. The command
<pre>
cmd /c evil.exe
</pre>
executes the file evil.exe without warning,
regardless of its ZoneID. Even worse: if an executable
file is saved as evil.gif, the command
<pre>
cmd /c evil.gif
</pre>
will launch the program without any warning despite its
ZoneID being 3. This is true for any file
extension. The execution of files through cmd regardless of their
extension is not new in SP2; it works with every
version of Windows XP.</p>
<p>Note: By default, users are not allowed to save
"dangerous" files (i.e. files with extensions like
.exe) in Outlook Express. But they can save executables
with other file extensions such as .gif. Explorer and Outlook
Express display them as an image. Opening (i.e. double
clicking) those files in Explorer launches
the registered file handler, in this
case the image viewer.</p>
<p><strong>Attack vector</strong></p>
<p>Exploitation of this issue requires some user interaction
-- at least as long as nobody comes up with a way to
execute cmd.exe with parameters from within Outlook
Express or Internet Explorer. But viruses doing "social
engineering" are commonplace by now. Bagle &amp; Co.
asked users to enter a password to decode encrypted
attachments. Therefore a virus author could create an e-mail
worm like this:
<pre>
Attached: access.gif

Hello,

attached you find the copy of your access data you
requested. For security reasons, the file is scrambled
and can only be viewed with cmd. To view it, save the
attached file, execute "cmd" from the start menu,
drag&amp;drop the file into the new window and hit
return. cmd will descramble the file for you.
</pre>
If the user follows these instructions, the attached file
is executed without any warning.</p>
<p>This might even deceive some of the more experienced
users, because they do not expect files with extensions
like "gif" to carry executable content and to be
executed in such a simple manner. </p>
<p>Additionally this method will evade some antivirus software,
which only scans/blocks files with extensions which it knows to
be potentially dangerous.</p>
<h4>2. Windows Explorer caching of ZoneIDs</h4>
<p><strong>Description</strong></p>
<p>Windows Explorer caches the result of ZoneID
lookups. If a file is overwritten, Explorer does not
properly update this cached information to reflect the
new ZoneID. This allows spoofing of trusted or
non-existent ZoneIDs by overwriting files that have trusted
or non-existent ZoneIDs.</p>
<p>The following steps illustrate the problem.</p>
<ol>
<li>Copy notepad to a new file.
<pre>
> copy c:\windows\notepad.exe test.exe
</pre>
You may also use Explorer to copy the file.</li>
<li>Open test.exe in Explorer: no warning.</li>
<li>evil.exe is a file saved from an e-mail attachment
and has ZoneID=3.<br>
Check with your editor by opening
"evil.exe:Zone.Identifier". It displays: ZoneID=3<br>
Open evil.exe in Explorer: you will be warned.</li>
<li>Overwrite the copy of notepad.exe:
<pre>
> copy evil.exe test.exe
</pre>
test.exe:Zone.Identifier displays:
ZoneID=3</li>
<li>Open test.exe in Explorer: no warning!
<p><strong>test.exe is launched without warning despite its
ZoneID=3.</strong> In the file properties, Explorer shows the
correct notice about its origin, but for opening the
file the old ZoneID status is used.</p></li>
<li>Double-check: kill the Explorer task, restart it
and launch test.exe: you will be warned.</li>
</ol>
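<p>The following Python script is an added example and is not part of the heise advisory or of any Microsoft code. It covers two passages above: the Background section, by parsing the Zone.Identifier stream (an INI fragment with a <code>[ZoneTransfer]</code> section and a <code>ZoneId=</code> line, which is what Internet Explorer writes; the sample stream text here is constructed) and applying the "ZoneID greater than or equal to 3" rule, and the six Explorer steps just listed, by replaying them against a constructed in-memory stand-in for an NTFS volume. The classes <code>InMemoryNtfs</code> and <code>ZoneCheck</code> and the function <code>reproduce_advisory_steps</code> are assumptions of this example: with <code>invalidate_on_write=False</code> the per-path cache behaves like the Explorer behaviour the advisory describes, with <code>invalidate_on_write=True</code> the cache entry is dropped whenever the file is rewritten, which is the fix a defender would expect.</p>

```python
"""Added example (not part of the heise advisory): parse the NTFS
Zone.Identifier stream that the SP2 warning relies on, apply the ZoneID >= 3
rule, and replay the Explorer caching steps against a constructed in-memory
"volume" with and without cache invalidation on overwrite."""
from typing import Callable, Dict, List, Optional, Tuple

# Internet Explorer security zone ids as written into Zone.Identifier.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample of what "evil.exe:Zone.Identifier" holds for a file
# saved from an e-mail: an INI fragment with a [ZoneTransfer] section.
INTERNET_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(stream: Optional[str]) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream, or None when the
    stream is absent (a local file) or carries no usable ZoneId line."""
    if stream is None:
        return None
    section = None
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "zonetransfer" and key.strip().lower() == "zoneid":
            try:
                return int(value.strip())
            except ValueError:
                return None
    return None


def should_warn(zone_id: Optional[int]) -> bool:
    """SP2 rule as the advisory describes it: warn before executing anything
    from the Internet zone or a less trusted one (ZoneID >= 3)."""
    return zone_id is not None and zone_id >= 3


class InMemoryNtfs:
    """Constructed stand-in for an NTFS volume: every path maps to its data
    and its optional Zone.Identifier stream; writes notify listeners."""

    def __init__(self) -> None:
        self.files: Dict[str, Tuple[bytes, Optional[str]]] = {}
        self.listeners: List[Callable[[str], None]] = []

    def put(self, path: str, data: bytes, zone_stream: Optional[str] = None) -> None:
        self.files[path] = (data, zone_stream)
        for notify in self.listeners:
            notify(path)

    def copy(self, src: str, dst: str) -> None:
        # A copy within NTFS carries the ADS along, so the target inherits
        # the source's ZoneID (or loses its own when the source has none).
        data, zone_stream = self.files[src]
        self.put(dst, data, zone_stream)

    def stream(self, path: str) -> Optional[str]:
        return self.files[path][1]


class ZoneCheck:
    """Per-path cache of ZoneID lookups. With invalidate_on_write=False it
    models the Explorer behaviour from the advisory; with True the cache entry
    is dropped whenever the file is rewritten, so the next open re-reads it."""

    def __init__(self, fs: InMemoryNtfs, invalidate_on_write: bool) -> None:
        self.fs = fs
        self.cache: Dict[str, Optional[int]] = {}
        if invalidate_on_write:
            fs.listeners.append(lambda path: self.cache.pop(path, None))

    def warns_before_open(self, path: str) -> bool:
        if path not in self.cache:
            self.cache[path] = parse_zone_identifier(self.fs.stream(path))
        return should_warn(self.cache[path])


def reproduce_advisory_steps(invalidate_on_write: bool) -> Tuple[bool, bool]:
    """Replay the advisory's steps; return (warning at step 2, warning at step 5)."""
    fs = InMemoryNtfs()
    fs.put(r"c:\windows\notepad.exe", b"MZ notepad")        # local file, no ADS
    fs.put("evil.exe", b"MZ evil", INTERNET_STREAM)         # saved from e-mail
    explorer = ZoneCheck(fs, invalidate_on_write)
    fs.copy(r"c:\windows\notepad.exe", "test.exe")          # step 1
    first = explorer.warns_before_open("test.exe")          # step 2: no ADS yet
    fs.copy("evil.exe", "test.exe")                         # step 4: now ZoneId=3
    second = explorer.warns_before_open("test.exe")         # step 5
    return first, second


if __name__ == "__main__":
    for mode in (False, True):
        step2, step5 = reproduce_advisory_steps(mode)
        print(f"invalidate_on_write={mode}: step 2 warns={step2}, step 5 warns={step5}")
    zone = parse_zone_identifier(INTERNET_STREAM)
    print(f"evil.exe zone: {zone} ({ZONE_NAMES.get(zone, 'unknown')})")
```

<p>With <code>invalidate_on_write=False</code> the replay returns <code>(False, False)</code>: the stale cache entry from step 2 is reused in step 5 and the overwritten test.exe is opened without a warning, exactly the outcome described above. With <code>invalidate_on_write=True</code> it returns <code>(False, True)</code>, because the overwrite in step 4 evicts the cached entry and the stream is read again. On a real NTFS volume the same parser can be fed the text read from <code>&lt;file&gt;:Zone.Identifier</code>.</p>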
<p><strong>Attack vector</strong></p>
<p>Exploiting this issue requires the ability to overwrite
existing files that have a trusted or non-existent ZoneID.
Right now there is no known way to achieve this in an
attack mounted from the Internet.</p>
<h4>Vendor status</h4>
<p>heise Security has notified Microsoft about both issues on August 12.
Microsoft Security Response Center responded:</p>
<p><I>
"We have investigated your report, as we do with all
reports, however in this case, we don't see these
issues as being in conflict with the design goals of
the new protections. We are always seeking improvements
to our security protections and this discussion will
certainly provide additional input into future security
features and improvements, but at this time we do not
see these as issues that we would develop patches or
workarounds to address."
</I></p>
<p>You will find some personal thoughts about this response in the
latest comment on heise Security: <a href="https://www.heise.de/security/artikel/50054">Microsoft: A matter of trust</a>
</p>