June 15, 2017 Karn Ganeshen

Microsoft Machine Debug Manager (mdm) – Insecure Library Loading Allows Code Execution

Microsoft Machine Debug Manager (mdm) DLL side loading vulnerability
ABOUT

The Machine Debug Manager, mdm.exe, is a program that provides support for program debugging.

Machine Debug Manager (mdm.exe) is known to be either installed standalone, or is part of / packaged with the following:

Products

Note: the list above is not exhaustive.

Product list above referenced from:

DETAILS

During testing, it was found that MDM is affected by a DLL hijacking vulnerability. The following conditions are required to exploit it:

Tested on Windows 7 SP1: when MDM is installed and enabled on the system, it was seen to be triggered by multiple Windows applications, as well as by the Windows built-in administrative service consoles (*.msc).

When mdm.exe is triggered, it looks for a specific DLL file, msdbgen.dll, in the directories defined in the PATH environment variable. If an attacker and / or a malicious user can place a specially crafted DLL file in any of these directories, it is possible to execute arbitrary code with the privileges of the target user. This can potentially result in the attacker achieving complete control of the affected system.
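From the defender's side, the two things worth checking on a host are whether any PATH directory is writable by low-privileged users (the precondition for planting a DLL) and whether a copy of msdbgen.dll is already sitting in one of those directories. The PowerShell script below is an added example written for this post, not code from the original advisory; the $LowPrivIdentities list, the helper name Test-LowPrivWritable and the warning wording are my own choices. Run it as the (administrative) user whose PATH you want to audit.

```powershell
# Added example (not from the original post): audit the current user's PATH for
# directories that low-privileged accounts can write to, and for any existing
# copy of msdbgen.dll, the DLL that mdm.exe searches PATH for.

$TargetDll = 'msdbgen.dll'

# Well-known low-privilege principals (assumed list; extend for your environment).
# Write access for any of these means an unprivileged local user can drop a DLL there.
$LowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights is enough to create or replace a file in the directory.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-LowPrivWritable {
    param([string]$Directory)
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) { return $true }
    }
    return $false
}

$results = foreach ($entry in ($env:PATH -split ';' | Where-Object { $_.Trim() -ne '' })) {
    $dir        = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
    $exists     = Test-Path -LiteralPath $dir -PathType Container
    $writable   = if ($exists) { Test-LowPrivWritable $dir } else { $false }
    $dllPath    = Join-Path $dir $TargetDll
    $dllPresent = $exists -and (Test-Path -LiteralPath $dllPath -PathType Leaf)
    $signer     = $null
    if ($dllPresent) {
        # An unsigned copy, or one signed by someone other than Microsoft, found in a
        # user-writable directory is the case to investigate.
        $sig    = Get-AuthenticodeSignature -FilePath $dllPath
        $signer = "$($sig.Status) / $($sig.SignerCertificate.Subject)"
    }
    [PSCustomObject]@{
        Directory       = $dir
        Exists          = $exists
        LowPrivWritable = $writable
        DllPresent      = $dllPresent
        DllSignature    = $signer
    }
}

$results | Format-Table -AutoSize

# Summarise what needs attention. A PATH entry that does not exist is flagged too:
# if a low-privileged user can create that directory, it becomes a writable PATH entry.
$results | Where-Object { $_.LowPrivWritable -or (-not $_.Exists) -or $_.DllPresent } |
    ForEach-Object {
        if (-not $_.Exists)     { Write-Warning "PATH entry does not exist: $($_.Directory)" }
        if ($_.LowPrivWritable) { Write-Warning "PATH entry writable by low-privileged users: $($_.Directory)" }
        if ($_.DllPresent)      { Write-Warning "$TargetDll found in $($_.Directory) ($($_.DllSignature))" }
    }
```

The usual remediation for a finding here is to remove the writable directory from PATH (or tighten its ACL so that only administrators can write to it), and to treat any msdbgen.dll outside the expected install location as something to pull and inspect.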

Exploitation could be performed via multiple Windows applications. A few scenarios are listed:

Exploitation environment:


Test Scenario 1 – Microsoft Windows built-in Administrative Service Consoles

This behavior can be exploited even if the target user (administrator / privileged user) does not run any software beyond what ships with Windows.

When the target user (administrator) opens certain Windows built-in administrative tools, mdm.exe is triggered. Some of the *.msc consoles that resulted in our DLL being loaded and its code executed are:

In most cases, once the administrator opens any of the Windows management service consoles listed above, our code is executed, and the console then opens with a slight delay. No crashes, easy privilege escalation and continued persistence without raising flags, eh.


Test Scenario 2 – MS Office 2013 SP1 (MS Access)

a)


b)


Test Scenario 3 – MS Office 2013 SP1 (Excel/Access/Word/others)


Test Scenario 4.1 – MS HTML Help files (chm)


Test Scenario 4.2 – Product Help Manual Windows (chm)


+++++

If you are able to test this on a different Windows platform / version and find something different or new, or have any feedback, please drop a comment. I will update this post accordingly.

Cheers~
