Ready-made Microsoft Windows zero-day?

A design issue could allow organizations with access to powerful computers to launch an attack against MD5 to escalate rights on fully patched computers running Windows 7 or Windows Server 2008.
Written by Ryan Naraine, Contributor on

Microsoft's use of the MD5 cryptographic hash function during the Windows software installation process may present a ready-made zero-day vulnerability for intelligence agencies and governments without enough computing power.

That's the warning from Cesar Cerrudo, a well-known Argentinian security researcher who has a history of finding and reporting serious Windows security vulnerabilities.

Cerrudo, who currently serves as CTO of IOActive Labs, says organizations with access to powerful computers can launch an attack against MD5 to escalate rights on fully patched computers running Windows 7 or Windows Server 2008.

In a post titled "A free Windows Vulnerability for the NSA," Cerrudo explains that installer files from already installed applications will automatically elevate privileges when any user executes them.  Because these applications are already installed, this isn't really a security problem.

[ SEE: One-year-old (unpatched) Windows 'token kidnapping' under attack ]

However, Cerrudo found that that when an installer is run, a temporary file is created in the temporary folder for the current user.

This file is a COM DLL from Microsoft Help Data Services Module which is later loaded by msiexec.exe process running under the System account that is launched by the Windows installer service during the installation process.

When the DLL file is loaded, the code in the DLL file runs as the System user with full privileges. At first sight this seems to be an elevation of privileges vulnerability since the folder where the DLL file is created is controlled by the current user, and the DLL is then loaded and run under the System account, meaning any user could run code as the System user by replacing the DLL file with a specially-crafted one before the DLL is loaded and executed.

Analysis reveals that the issue is not easily exploitable since the msiexec.exe process generates an MD5 hash of the DLL file and compares it with a known-good MD5 hash value that is read from a file located in C:\Windows\Installer\, which is only readable and writable by System and Administrators accounts.

In order to exploit this issue, an attacker needs to replace the DLL file with a modified DLL file that contains exploit code that can match the valid MD5 hash. The attacker DLL will then be run under the System account, allowing privilege elevation and operating system compromise. The problem is that this is not a simple attack—it’s an attack to the MD5 hashing algorithm referred to as a second-preimage attack for which there are no practical attacks that I know of, so it’s impossible for a regular attacker to generate a file with the same MD5 hash as the existing DLL file.

Cerrudo postulates that intelligence agencies, which are known for their cracking technologies and computing power, probably could perform this attack and build a local elevation of privilege zero-day exploit for Windows.

The researcher says it's particularly strange that Microsoft uses MD5 since that hash functionhas been banned by the company's SDL (Secure Development Lifecycle), a mandatory software creation process used at Microsoft to reduce the number of security-related design and coding defects

The SDL has banned the use of MD5 since 2005 and Cerrudo guesses there must have been an oversight or these components have been built without following SDL guidance.

"Who knows on what other functionality MD5 continues to be used by Microsoft, allowing abuse by intelligence agencies," he adds.

Editorial standards