Flaws in SP2 security features

Jürgen Schmidt - 16.08.2004

Author: Jürgen Schmidt, heise Security
Date: August 13,2004
German Advisory: http://www.heise.de/security/artikel/50046
English Version: http://www.heise.de/security/artikel/50051

Overview

With Service Pack 2, Microsoft introduces a new security feature which warns users before executing files that originate from an untrusted location (zone) such as the Internet.

There are two flaws in the implementation of this feature: a cmd issue and the caching of ZoneIDs in Windows Explorer. The Windows command shell cmd ignores zone information and starts executables without warnings. Virus authors could use this to spread viruses despite the new security features of SP2.

Windows Explorer does not update zone information properly when files are overwritten. So it can be tricked to execute files from the internet without warning.

Background

Internet Explorer and Outlook Express mark files that are downloaded from the internet or saved from an e-mail with a Zone Identifier (ZoneID), which reflects the security zone from which it originates. The ZoneIDs correspond to the Internet Explorer security zones. This information is saved in an Additional Data Stream (ADS) of the file. ADS are a feature of the NTFS filesystem. ADS with ZoneIDs are named Zone.Identifier and can be viewed and modified with Notepad by opening ":Zone.Identifier".

When a user tries to execute a file downloaded from the internet and therefore has been given ZoneID=3 at a later point, he is prompted with a warning. The ADS is persistent even if the file is moved, as long as it stays on NTFS drives. Windows built-in ZIP utilities honor ZoneIDs and for example do not extract executable files from archives with a ZoneID greater than or equal to 3.

1. The cmd Issue

Description

The command shell cmd.exe ignores the ZoneID of files. The command

cmd /c evil.exe

executes the file evil.exe without warning, regardless of its ZoneID. Even worse: If an executable file is saved as evil.gif, the command

cmd /c evil.gif 

will launch the programm without any warning despite its ZoneID being 3. This is true for any file extension. The execution of files through cmd regardless of its extension is not new in SP2. It works with every version of Windows XP.

Note: By default users are not allowed to save "dangerous" files (i.e. files with extensions like .exe) in Outlook Express. But they can save executables with other file extensions such as .gif. Explorer and Outlook Express display them as image. Opening (i.e. double clicking) those files in Explorer results in the launch of the registered file handler, in this case the image viewer.

Attack vector

Exploitation of this issue reqeuires some user interaction -- at least as long as nobody comes up with a way to execute cmd.exe with parameters from within Outlook Express or Internet Explorer. But viruses doing "social engeneering" are a common place by now. Bagle & Co asked users to enter a password to decode encrypted attachments. Therefore a virus author could create an e-mail worm like this:

Attached: access.gif

Hello,

attached you find the copy of your access data you
requested. For security reasons, the file is scrambled
and can only be viewed with cmd. To view it, save the
attached file, execute "cmd" from the start menu,
drag&drop the file into the new window and hit
return. cmd will descramble the file for you. 

If the user follows these instructions, the attached file is executed without any warning.

This might even deceive some of the more experienced users, because they do not expect files with extensions like "gif" to carry executable content and to be executed in such a simple manner.

Additionally this method will evade some antivirus software, which only scans/blocks files with extensions which it knows to be potentially dangerous.