Hit parade of poor Microsoft vulnerabilities from the past



Microsoft can hardly be accused of being stingy with errors and vulnerabilities. You don't have to look far for an example: just look at Windows 10, which is simply drowning in bugs. Don't blame the developers: they "diligently" release patches that fix them. But statistics are an unbiased thing. According to BeyondTrust's "Annual Microsoft Vulnerability Report", 1268 vulnerabilities were discovered in 2020, of which 132 were critical. In this article, we take a look at the strangest and dumbest vulnerabilities found in Microsoft products.



Microsoft Teams and .GIF files



In April 2020, CyberArk published an article on a vulnerability in Microsoft Teams that could allow attackers to access a victim's account using just a .GIF image. 



The essence of the vulnerability is as follows. To make sure a user receives the image intended for him, Microsoft Teams uses two tokens for authentication: authtoken and skypetoken. The authtoken allows images to be loaded from Teams and Skype domains and is then used to generate a skypetoken. The skypetoken authenticates the client to the server and covers client actions such as reading and sending messages.





However, the authtoken can only be used on teams.microsoft.com subdomains, so the attackers had to hijack one of those subdomains. The vulnerability is somewhat similar to a phishing link, except that with a GIF the user did not need to click anything: merely viewing the image was enough for the attacker to receive the tokens.
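The reason a hijacked subdomain was enough comes down to how browsers scope cookies. The following is an added example, not code from the article or from CyberArk or Microsoft: it implements RFC 6265 cookie domain matching and shows that a cookie set with `Domain=teams.microsoft.com` is attached to requests for every subdomain, including one an attacker controls, whereas a host-only cookie is not. All hostnames, including the "forgotten" subdomain standing in for a hijacked one, are hypothetical.

```python
# Added example (not from the article or from Microsoft/CyberArk): RFC 6265
# cookie domain matching, to show why a cookie scoped to teams.microsoft.com
# is sent by the browser to every subdomain, including one an attacker
# controls after a subdomain takeover. All hostnames below are hypothetical.

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the cookie domain or is a
    subdomain of it (ends with '.' + domain). The suffix must sit on a label
    boundary, so 'teams.microsoft.com.evil.example' does not match."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def cookie_sent_to(cookie: dict, request_host: str) -> bool:
    """Would a browser attach `cookie` to a request for `request_host`?
    With a Domain attribute the cookie goes to that domain and all its
    subdomains; without one (host-only) it goes only to the host that set it.
    """
    if cookie.get("domain") is None:
        return request_host.lower().rstrip(".") == cookie["host"].lower()
    return domain_matches(request_host, cookie["domain"])


# Constructed cookies: BROAD models the domain-wide scoping the article
# describes; HOST_ONLY is the narrower alternative a defender would prefer.
BROAD_AUTHTOKEN = {"name": "authtoken", "host": "teams.microsoft.com",
                   "domain": "teams.microsoft.com"}
HOST_ONLY_AUTHTOKEN = {"name": "authtoken", "host": "teams.microsoft.com",
                       "domain": None}


def exposure_report(cookie: dict, hosts: list) -> dict:
    """Map each candidate host to whether the cookie would be sent to it."""
    return {h: cookie_sent_to(cookie, h) for h in hosts}


if __name__ == "__main__":
    # Hypothetical hosts; 'forgotten' stands in for a hijacked subdomain.
    hosts = ["teams.microsoft.com", "api.teams.microsoft.com",
             "forgotten.teams.microsoft.com", "microsoft.com",
             "teams.microsoft.com.evil.example"]
    for label, cookie in (("Domain-scoped", BROAD_AUTHTOKEN),
                          ("host-only", HOST_ONLY_AUTHTOKEN)):
        print(label)
        for host, sent in exposure_report(cookie, hosts).items():
            print(f"  {host:36} {'sent' if sent else 'not sent'}")
```

The takeaway for a defender is that every subdomain under a cookie's Domain attribute is part of the token's trust boundary, so dangling DNS records under that domain need the same attention as the application itself.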





Authtoken cookies



An attacker, having both tokens, could use the API to connect to a user account and gain full control over it. This gave access to confidential information and, more importantly, to the user's social connections. The compromised GIF could be passed on through the organization, riding on the trust between employees. One could ask the information security department for a password change and gain access to other important resources, request important information from managers, or, after capturing a manager's account, give instructions to subordinates. In short, the breach of one account could end in financial damage and data leaks for the entire organization. The situation was compounded by the coronavirus, which forced many companies to switch to remote work.



When "password" isn't so bad



In Windows 9x systems it was possible to turn a computer into a server for sharing and hosting files. Another computer could connect to it, knowing the address and the password. The vulnerability was hidden in the password check. The technical details are not known exactly, and two versions can be found on the Internet. The first goes like this: when processing an authentication request, the system, instead of checking that the received password matched the real one, compared only the number of bytes in the two passwords. An attacker could simply guess the length of the password and gain access to the server. The second says that to get into the server it was enough to send a single-byte character as the password, matching the first character of the real one.
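Both versions of the story describe the same class of bug: a comparison that does not cover the whole secret. The following is an added example, not Windows code and not from the article: it models the first reading (only the lengths are compared), the second reading (only as many bytes as the client sent are compared, so a one-byte guess of the first character passes) and a correct full-length comparison. The stored share password is a constructed sample.

```python
# Added example, not from the article: the flawed password check as the
# article's two readings describe it, beside a correct full-length comparison.
# The share password is a constructed sample.
import hmac

STORED_PASSWORD = b"s3cret!"


def check_prefix_only(supplied: bytes) -> bool:
    """Second reading: the server compares as many bytes as the client sent,
    so a one-byte guess that matches the first character is accepted."""
    n = len(supplied)
    return n > 0 and STORED_PASSWORD[:n] == supplied


def check_length_only(supplied: bytes) -> bool:
    """First reading: only the byte counts are compared, so any password of
    the right length is accepted."""
    return len(supplied) == len(STORED_PASSWORD)


def check_fixed(supplied: bytes) -> bool:
    """Compare the whole password. hmac.compare_digest runs in time that does
    not depend on where the first mismatch is, so it does not leak the length
    of the matching prefix through timing either."""
    return hmac.compare_digest(STORED_PASSWORD, supplied)


def evaluate(candidates) -> dict:
    """For each candidate password, report which checks would accept it."""
    return {c: {"prefix_only": check_prefix_only(c),
                "length_only": check_length_only(c),
                "fixed": check_fixed(c)} for c in candidates}


if __name__ == "__main__":
    # Constructed candidates: a single correct first byte, a wrong string of
    # the right length, and the real password.
    for pw, result in evaluate([b"s", b"xxxxxxx", b"s3cret!"]).items():
        print(pw, result)
```

Only `check_fixed` rejects both the one-byte guess and the right-length junk; the other two accept one of them each, which is exactly the behaviour the two Internet versions describe.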





File and Print Sharing service



Vulnerability in Paint 3D



Let's move on to a relatively recent vulnerability. While Microsoft is preparing the next version of Windows, cybersecurity experts participating in Trend Micro's Zero Day Initiative (ZDI) have discovered a vulnerability in one of the programs preinstalled in Windows 10.



First introduced as part of the 2016 Microsoft Creators Update, Paint 3D was intended to replace the classic Paint that has shipped since Windows 1.0. The idea was that users would benefit from 3D modeling support and ditch the usual Paint. However, Paint 3D did not find much demand, and both programs shipped with Windows 10 in parallel. According to some reports, Paint 3D will be abandoned in Windows 11: it looks like the three-dimensional brother of the old Paint will quietly go to the cemetery where the Zune, Band and Media Center are buried.





Paint 3D interface for those who have never started it



Now about the security hole itself. The vulnerability, designated CVE-2021-31946, allows an attacker to execute arbitrary code on a user's computer when the user visits a malicious page or opens a malicious file. The attacker's task is to make the victim open a specially crafted file; to take control of the target system, the attack must be combined with a privilege escalation. The vulnerability itself is caused by an error in the parsing of STL files (a format for storing three-dimensional models of objects) when they are opened in Paint 3D. The problem stems from insufficient validation of user-supplied data, which can result in a read outside of the allocated data structure. This can be used to execute code in the context of the current process at low integrity.
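The "lack of validation of user-supplied data" in a model-file parser usually means a length or count field from the file is trusted without checking it against the data actually present. As an added example, not Paint 3D's code and not from the ZDI advisory, here is a small binary STL reader that performs that check before reading any triangle. The sample files are constructed, and the assumption that the relevant field is the binary triangle count is mine, not something the page states about the Paint 3D bug.

```python
# Added example, not Paint 3D's code: a small binary STL reader that validates
# the declared triangle count against the buffer length before reading, i.e.
# the check whose absence lets a malformed file drive reads past the data.
# The sample files are constructed; that the bug sits in the binary triangle
# count is an assumption for illustration, not a claim about Paint 3D.
import struct

HEADER_LEN = 80          # free-form header
COUNT_LEN = 4            # little-endian uint32 triangle count
TRIANGLE_LEN = 50        # 12 float32 (normal + 3 vertices) + uint16 attribute


class MalformedSTL(ValueError):
    """Raised instead of reading outside the buffer."""


def parse_binary_stl(data: bytes) -> list:
    """Return a list of (normal, (v1, v2, v3)) tuples, or raise MalformedSTL."""
    if len(data) < HEADER_LEN + COUNT_LEN:
        raise MalformedSTL("buffer shorter than header plus count")
    (count,) = struct.unpack_from("<I", data, HEADER_LEN)
    # The declared count is attacker-controlled: confirm the buffer really
    # holds that many triangles before trusting it. In C this multiplication
    # would also need an overflow check; Python integers do not overflow.
    needed = HEADER_LEN + COUNT_LEN + count * TRIANGLE_LEN
    if needed > len(data):
        raise MalformedSTL(
            f"declared {count} triangles need {needed} bytes, buffer has {len(data)}")
    triangles = []
    for i in range(count):
        offset = HEADER_LEN + COUNT_LEN + i * TRIANGLE_LEN
        vals = struct.unpack_from("<12fH", data, offset)
        normal = vals[0:3]
        vertices = (vals[3:6], vals[6:9], vals[9:12])
        triangles.append((normal, vertices))
    return triangles


def build_stl(triangles, declared_count=None) -> bytes:
    """Build a constructed binary STL; declared_count lets a test forge the
    header's triangle count so it disagrees with the actual payload."""
    count = len(triangles) if declared_count is None else declared_count
    out = bytearray(b"constructed sample".ljust(HEADER_LEN, b"\0"))
    out += struct.pack("<I", count)
    for normal, (v1, v2, v3) in triangles:
        out += struct.pack("<12fH", *normal, *v1, *v2, *v3, 0)
    return bytes(out)


if __name__ == "__main__":
    tri = ((0.0, 0.0, 1.0), ((0.0, 0.0, 0.0), (1.0, 0.0, 0.0), (0.0, 1.0, 0.0)))
    print(parse_binary_stl(build_stl([tri])))
    try:
        parse_binary_stl(build_stl([tri], declared_count=1_000_000))
    except MalformedSTL as e:
        print("rejected:", e)
```

In Python an unchecked loop would merely raise `struct.error`; in a native parser the same loop reads whatever lies beyond the buffer, which is the out-of-bounds read the advisory describes.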



As the ZDI team itself noted, there is currently no information about the discovered vulnerability being used in real cyber attacks. This is not surprising, considering how "popular" Paint 3D is among users.



Bill Gates, stop making money. Fix your software !!



The DCOM RPC interface is a common component of Windows NT-based operating systems, including NT, 2000, XP and Server 2003. On July 16, 2003, a buffer overflow vulnerability was found in it, triggered by a specially crafted TCP/IP packet sent to port 135, 139 or 445. Microsoft released patch MS03-026, and the description of the exploit in the patch summary became something of a red rag to a bull for crackers.



On August 11, 2003, the Blaster worm appeared and rapidly infected about 300 thousand computers around the world. Unfortunately, protecting home systems with firewalls was not common practice at the time, and computers connected directly to the Internet easily fell victim to the worm: after getting into a system, it scanned reachable networks for computers with port 135 open and, if it found any, attacked them, repeating the cycle. The worm's code caused the RPC service of the infected computer to crash; the computer displayed a warning of imminent shutdown and rebooted unceremoniously.
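The scanning cycle described above has a recognizable network signature: one source touching many distinct hosts on port 135 (or 139/445) in a short time, which is quite unlike a workstation talking to its one file server. As an added example that is not part of the article, the detector below runs over constructed firewall-style log lines and flags exactly that fan-out. The log format, the thresholds and the addresses are all assumptions for illustration.

```python
# Added example, not part of the article: a detector for the worm's scanning
# pattern, run over constructed firewall-style log lines. It flags a source
# that contacts many distinct hosts on the RPC/SMB ports (135, 139, 445)
# inside a short window. The log format is an assumption:
#   <date> <time> <ACTION> <PROTO> <src-ip> <dst-ip> <src-port> <dst-port>
import re
from collections import defaultdict
from datetime import datetime, timedelta

RPC_PORTS = {135, 139, 445}

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<action>\w+) "
    r"(?P<proto>\w+) (?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<sport>\d+) (?P<dport>\d+)$")


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def find_rpc_scanners(lines, window=timedelta(seconds=60), min_targets=10) -> dict:
    """Map source IP -> largest number of distinct destinations it touched on
    an RPC/SMB port within any span of length `window`. Only sources reaching
    `min_targets` or more are returned. Repeated connections to one host
    (ordinary file-server traffic) do not add up, because distinct
    destinations are counted rather than connections."""
    events = [e for e in map(parse_line, lines) if e and e["dport"] in RPC_PORTS]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        start = 0                      # sliding window over this source's events
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {e["dst"] for e in evs[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


# Constructed sample log: 10.0.0.5 sweeps twelve neighbours on port 135 in
# twelve seconds (worm-like); 10.0.0.9 talks to one file server on 445; a web
# request and a garbage line are there to show they are ignored.
SAMPLE_LOG = (
    [f"2003-08-12 09:00:{i:02d} DROP TCP 10.0.0.5 10.0.1.{i} 1054 135" for i in range(12)]
    + [f"2003-08-12 09:00:{i:02d} ALLOW TCP 10.0.0.9 10.0.0.100 1100 445" for i in range(20)]
    + ["2003-08-12 09:05:00 ALLOW TCP 10.0.0.7 10.0.0.100 1200 80",
       "this line is not in the expected format"]
)

if __name__ == "__main__":
    for src, n in find_rpc_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct RPC/SMB targets within 60 s")
```

Counting distinct destinations rather than connections is what keeps the file-server chatter from 10.0.0.9 out of the alert while the sweep from 10.0.0.5 is caught; the window and threshold are the knobs to tune against a real network's baseline.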





The same message



An interesting point: the worm's code contained an appeal to Microsoft founder Bill Gates personally. The message read, “Billy Gates, why did you make this possible? Stop making money and fix your software!!” Microsoft "listened" and in late summer released a second set of updates, MS03-039, which blocked additional ports used to interfere with the RPC service.





Message to Bill Gates in worm code



Full control over the server with a single URL



The vulnerability designated CVE-2000-0884 appeared in 2000. With this bug, an attacker could gain complete control over a web server simply by knowing the layout of the Microsoft file system.



Anyone who has used a Windows computer at least once will tell you that finding your way around the hard drive is easy: documents land in one folder, most applications are placed in another, and so on.



By using periods and backslashes (or their corresponding Unicode representations) in the URL, this bug allowed an attacker to navigate up and down the file system and execute various commands. And even though the rights of the IIS account were restricted, the exploit could elevate privileges, giving remote users the ability to do whatever they wanted with Windows servers simply by submitting a few URLs. Information about the vulnerability first appeared on the PacketStorm forum, and that anonymous post grew into nearly two years of mass compromise of Windows web servers. Ultimately, directory traversal opened up a new world of automated attacks that invoke a specific URL to do their dirty work.
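The defence against this whole class of bug is to canonicalise the request path once, strictly, and then check the result against the web root rather than pattern-matching the raw string. The following is an added example, not IIS code and not from the article: it decodes the URL exactly once, refuses invalid or overlong UTF-8 (the "Unicode representations" of the separators the text mentions), treats backslashes as separators, resolves dot segments and rejects anything that would resolve outside the root. `WEB_ROOT` and the sample requests are constructed for illustration.

```python
# Added example, not IIS code: a request-path canonicaliser that decodes the
# URL once, refuses invalid or overlong UTF-8, treats backslashes as
# separators, resolves dot segments and rejects any path that would leave the
# web root. WEB_ROOT and the sample requests are constructed for illustration.
import posixpath
from urllib.parse import unquote_to_bytes

WEB_ROOT = "/inetpub/wwwroot"   # assumed web root, written in POSIX form


class RejectedPath(ValueError):
    """Raised for any request path that cannot be mapped safely."""


def canonical_request_path(raw_path: str) -> str:
    """Map a raw request path to a filesystem path under WEB_ROOT, or raise."""
    decoded = unquote_to_bytes(raw_path)          # exactly one decoding pass
    try:
        text = decoded.decode("utf-8")            # strict: overlong forms fail
    except UnicodeDecodeError:
        raise RejectedPath("invalid or overlong UTF-8 in path")
    if "\0" in text:
        raise RejectedPath("NUL byte in path")
    if "%" in text:
        raise RejectedPath("double-encoded path")  # never decode a second time
    text = text.replace("\\", "/")                # Windows accepts both
    relative = posixpath.normpath(text.lstrip("/"))
    full = posixpath.normpath(posixpath.join(WEB_ROOT, relative))
    # Containment check on the resolved result, not on the raw string.
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        raise RejectedPath("path escapes the web root")
    return full


def classify(paths) -> dict:
    """Return {request: resolved path or 'REJECTED: reason'} for a batch."""
    out = {}
    for p in paths:
        try:
            out[p] = canonical_request_path(p)
        except RejectedPath as e:
            out[p] = f"REJECTED: {e}"
    return out


if __name__ == "__main__":
    # Constructed requests: two ordinary ones and four traversal attempts in
    # the styles the article describes (dots, backslashes, percent-encoding,
    # an overlong UTF-8 encoding of the slash).
    samples = ["/scripts/index.asp",
               "/scripts/./sub/../page.htm",
               "/scripts/../../winnt/",
               "/scripts/..\\..\\winnt\\",
               "/scripts/%2e%2e/%2e%2e/winnt/",
               "/scripts/..%c0%af../winnt/"]
    for req, res in classify(samples).items():
        print(f"{req:36} -> {res}")
```

Two design choices carry the weight here: strict UTF-8 decoding turns the overlong separator encodings into a hard reject instead of a silent '/', and the containment test runs on the fully resolved path, so it does not matter which spelling of ".." or which separator the request used.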



Tell us about your “favorite” MS vulnerabilities in the comments.





