Adobe Reader X start-up issue with PGP Desktop

In this post I am providing a solution to a problem some of our users had encountered. When users started Adobe Reader X, an exception was triggered in the process AcroRd32.exe. Looking at the crash details, the faulting memory address was always the same and the module was always pgphk.dll. Checking the properties of this library showed that it ships with the PGP Desktop software.

After some investigative work I figured out what was actually happening:

1. The PGPTray.exe executable gets loaded at start-up.
2. This process loads the library PGPhk.dll into the PGPTray.exe process space.
3. Thereafter, PGPhk.dll gets injected into the process space of every newly started process.

So if you start Windows Calculator, for example, you’ll see PGPhk.dll loaded in calc.exe. Because the same injection happens in the AcroRd32.exe process, Adobe Reader crashes, since by default Adobe Reader X runs in Protected Mode. Why the PGP software injects itself into every process I can’t say, but it is the cause of the problem.

Now there are a couple of ways around this:

1. Just don’t load the PGPTray.exe executable, and PGPhk.dll won’t be loaded either.
2. Disable Adobe Reader’s “Protected Mode”. I strongly advise against this; it shouldn’t be seen as a solution and should only be used if there are no other options.
3. Upgrade to the latest version of PGP Desktop, 10.1, which fixes the issue. This is the best action to take, as you will also be fixing any previous vulnerabilities in the product. The version I had problems with was 9.5.3.
4. Create a whitelist excluding the PGPhk memory section from Adobe Reader’s Protected Mode. To add the exclusion, take the steps below.
 
  i.   Add a registry entry enabling the use of whitelisting:
       [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\10.0\FeatureLockDown]
       "bUseWhitelistConfigFile"=dword:00000001
  ii.  Create a whitelist file called "ProtectedModeWhitelistConfig.txt" and place it
       in the Adobe Reader executable path, i.e. C:\Program Files\Adobe\Reader 10.0\Reader
  iii. The ProtectedModeWhitelistConfig.txt file will need to contain the line
       SECTION_ALLOW_ANY = *PGPhk*

Adobe’s Application Security Guide is a very good document and well worth reading. Another point to mention is that if you try to rename the PGPhk.dll library, PGP Desktop will simply reinstall it. Another way to test the diagnosis is to close the handle PGPhkSharedMemory before starting Adobe Reader; you’ll find that Adobe Reader then loads fine.

When you enable Adobe Reader’s “Create Protected Mode log file” option and view the log file AdbeReaderBroker.log, you will see something like the lines below. This is what is logged when the exclusion has not been added to the whitelist, and it gives you the information you need to add further exclusions to the whitelist.

[03:11/09:08:06] Adobe Reader Protected Mode Logging Initiated
[03:11/09:08:08] NtCreateSection: STATUS_ACCESS_DENIED
[03:11/09:08:08] real_path: \BaseNamedObjects\PGPhkSharedMemory
[03:11/09:08:08] Consider modifying policy using this policy rule: SECTION_ALLOW_ANY
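The broker log is the source of every whitelist rule you will ever need, so it helps to read it mechanically rather than by eye. The following script is an added example, not code from the post or from Adobe: it parses lines in the format quoted above (a denied syscall, the `real_path` of the object, and the rule the broker suggests) and prints one whitelist line per distinct object. The sample log is constructed, and the script assumes the whitelist accepts an `*objectname*` wildcard pattern, which is narrower than the `*PGPhk*` pattern used in the post but matches the same section.

```python
import re

# Constructed sample log (not a real capture): the three denial lines the post quotes,
# repeated once to show that duplicate denials collapse into a single whitelist line.
SAMPLE_LOG = """\
[03:11/09:08:06] Adobe Reader Protected Mode Logging Initiated
[03:11/09:08:08] NtCreateSection: STATUS_ACCESS_DENIED
[03:11/09:08:08] real_path: \\BaseNamedObjects\\PGPhkSharedMemory
[03:11/09:08:08] Consider modifying policy using this policy rule: SECTION_ALLOW_ANY
[03:11/09:08:09] NtCreateSection: STATUS_ACCESS_DENIED
[03:11/09:08:09] real_path: \\BaseNamedObjects\\PGPhkSharedMemory
[03:11/09:08:09] Consider modifying policy using this policy rule: SECTION_ALLOW_ANY
"""

# Every broker line starts with a [MM:DD/HH:MM:SS] timestamp followed by the message.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")
RULE_PREFIX = "Consider modifying policy using this policy rule:"


def parse_denials(log_text):
    """Return a list of (syscall, object_path, suggested_rule) tuples, one per denial."""
    denials = []
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if msg.endswith(": STATUS_ACCESS_DENIED"):
            # A denial opens a new record; the next two lines describe it.
            current = {"call": msg.split(":", 1)[0], "object": None, "rule": None}
        elif msg.startswith("real_path:") and current is not None:
            current["object"] = msg.split(":", 1)[1].strip()
        elif msg.startswith(RULE_PREFIX) and current is not None:
            current["rule"] = msg[len(RULE_PREFIX):].strip()
            denials.append((current["call"], current["object"], current["rule"]))
            current = None
    return denials


def suggest_whitelist(denials):
    """Turn denials into ProtectedModeWhitelistConfig.txt lines, de-duplicated."""
    seen = set()
    lines = []
    for _call, obj, rule in denials:
        if not obj or not rule:
            continue
        # Use only the object's own name so the rule is as narrow as possible.
        name = obj.rsplit("\\", 1)[-1]
        line = f"{rule} = *{name}*"
        if line not in seen:
            seen.add(line)
            lines.append(line)
    return lines


if __name__ == "__main__":
    for line in suggest_whitelist(parse_denials(SAMPLE_LOG)):
        print(line)
```

Run it against the real AdbeReaderBroker.log instead of `SAMPLE_LOG` and review each suggested line before adding it; every rule you add widens the sandbox, so prefer the narrowest pattern that clears the denial.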

References:

http://forums.adobe.com/thread/755098
http://learn.adobe.com/wiki/display/security/Application+Security+Library

Unable to delete folder with trailing space

There are a number of possible reasons why a folder cannot be deleted, but this one, which I came across recently, got my attention. Decompressing a zip file created its extracted folder, but when I came to remove the folder it came up with the error “Cannot delete file: Cannot read from the source file or disk”. After investigating, I realised that the folder name had a trailing space. Now I knew what was causing the removal to fail, but how to get rid of it?

Well, there are a few ways to remove folders with trailing spaces:

1. Using the “\\?\” path prefix
2. Using the 8.3 short filename format (if the folder name is longer than 8 characters)

Below is example code which creates a folder called “testfolder” with a trailing space in C:\TEMP. Note that the trailing \\ after the space is required; without it the space would be stripped from the folder name. Once compiled and run it will create the folder, pause for 5 seconds and then remove it. The trailing space can be more than a single space character.

#include <stdio.h>
#include <windows.h>

int main(void)
{
    /* The trailing backslash stops Win32 from trimming the space off the name.
       The ...A variants take narrow strings regardless of whether UNICODE is defined. */
    if (!CreateDirectoryA("C:\\TEMP\\testfolder \\", NULL)) {
        printf("CreateDirectory failed: %lu\n", GetLastError());
        return 1;
    }
    Sleep(5000);
    if (!RemoveDirectoryA("C:\\TEMP\\testfolder \\")) {
        printf("RemoveDirectory failed: %lu\n", GetLastError());
        return 1;
    }
    return 0;
}

Examples of how to delete trailing-space folders from the console:

C:\>rd c:\temp\testfo~1
C:\>rd "\\?\c:\temp\testfolder "
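When such a folder turns up in a share or an extracted archive, the first job is finding every entry that Win32 path normalisation will mangle, and the second is building the “\\?\” form so the delete actually targets the right name. The script below is an added example, not code from the post or from Microsoft’s KB article: it walks a directory tree, reports names with trailing spaces, and produces the extended-length path for them. The `demo()` function builds a constructed scenario in a temporary directory (on Windows it needs the prefix itself to create the folder; elsewhere trailing spaces are ordinary characters).

```python
import os
import shutil
import tempfile

EXTENDED_PREFIX = "\\\\?\\"   # the literal four characters \\?\


def has_trailing_space(name):
    """True if a single path component ends in space(s), which Win32 normally strips."""
    return name != name.rstrip(" ")


def extended_path(path):
    """Return the \\?\ form of an absolute drive path so Win32 skips normalisation."""
    if path.startswith(EXTENDED_PREFIX):
        return path
    if len(path) < 2 or path[1] != ":":
        raise ValueError("expected an absolute drive path such as C:\\TEMP\\x")
    return EXTENDED_PREFIX + path


def find_trailing_space_entries(root):
    """Walk root and return the full path of every file or folder with a trailing space."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if has_trailing_space(name):
                found.append(os.path.join(dirpath, name))
    return found


def rd_command(path):
    """The console command the post shows, built from a normal path."""
    return f'rd "{extended_path(path)}"'


def demo():
    """Constructed scenario: create 'testfolder ' in a temp dir and report it."""
    base = tempfile.mkdtemp()
    target = os.path.join(base, "testfolder ")
    # Only Windows needs the prefix to keep the space; other systems store it as-is.
    os.mkdir(extended_path(target) if os.name == "nt" else target)
    try:
        return [os.path.basename(p) for p in find_trailing_space_entries(base)]
    finally:
        shutil.rmtree(extended_path(base) if os.name == "nt" else base)


if __name__ == "__main__":
    print(demo())
    print(rd_command("C:\\temp\\testfolder "))
```

The scanner only reports; removal is left to `rd` with the generated command so that a typo in the pattern cannot delete anything on its own.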

Reference:

http://support.microsoft.com/kb/320081

Symantec Quarantine Console fails to connect remotely

Last month I encountered an issue trying to connect remotely to Symantec’s Quarantine Server from a client machine after installing Symantec’s Quarantine Console. I was a bit baffled as to why this didn’t work: an older version I had used some time back worked, but the current version, 3.5, did not. I noticed that there was no issue when the console was installed and run from the quarantine server itself.

The responses from Symantec in the references below were not helpful at all, so I thought I’d tackle the problem myself. When trying to authenticate remotely to the Quarantine Server, the console throws back this error:

“Cannot connect to server [name].  Make sure the Quarantine Server is installed on the specified machine, and that the user information is correct.” 

After investigating the issue I discovered that the DLL file qserverps.dll had not been registered. This file is located in the default console folder C:\Program Files\Symantec\Quarantine\Console.

The solution is to just register the file as shown below:

C:\Program Files\Symantec\Quarantine\Console>regsvr32 qserverps.dll

The same DLL, qserverps.dll, is also used by the Quarantine Server from its own folder, where it does get registered. This explains why the console works when run on the server: it uses the already registered copy.

References:

http://www.symantec.com/connect/forums/central-quarantine-serverconsole-issue
http://service1.symantec.com/SUPPORT/ent-security.nsf/ppfdocs/2003111015491948?Open&dtype=corp&src=&seg=&om=1&om_out=prod

Windows Vista Backdoor Logon

Windows Vista’s backdoor method works by abusing the “Ease of Access” button at the bottom left of the Windows Vista logon screen. Normally, when the icon is clicked, we get a choice of options such as Narrator, Magnifier, etc.

The way to exploit this is by replacing any one of these files with your own executable of the same name. If, say, magnify.exe were replaced with cmd.exe, selecting the Magnifier option would bring up a console window.

Obviously, in order to replace such Windows files you will first need to log on to the system with admin rights, take ownership of the file and then replace it with one of your own.

If you ever forget your local logon password, you could use this backdoor method to reset the password, or connect to a remote share and copy your files over.

The choices of files you can modify to get the backdoor working are:
magnify.exe, narrator.exe, osk.exe or utilman.exe

The utilman.exe is the main executable that brings up the Ease of Access window which references the rest of the executables.

If you wanted to capture someone’s logon credentials, normally even with local admin rights to the box the majority of key logging tools do not intercept keystrokes at the Ctrl+Alt+Del stage, whether the tool has been loaded at boot as a service or as a program.

This backdoor method works a treat in an office environment for capturing passwords.

1. Remotely connect to a desktop machine
2. Replace a file, say utilman.exe, with your key logger
3. Walk up to the desk and click on the “Ease of Access” button

Now just wait for the user to log on to capture the credentials :). Once the user is logged in, the key logger terminates.

The Windows function GetAsyncKeyState() is all it takes to design a key logger and is the easiest option.

One solution to mitigate the risk would be to make sure the utilman.exe executable (and the other accessibility executables) cannot be replaced or executed from the logon screen. Various products on the market will be able to lock them down.
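Locking the files down is the fix; knowing when one has already been swapped is the detection side. The script below is an added example, not code from the post or from any product it mentions: it records a SHA-256 baseline of the four accessibility executables the post names and later reports any that are missing or whose hash no longer matches. `demo()` runs the whole cycle against constructed files in a temporary directory; on a real host you would baseline `C:\Windows\System32` from a known-good build and re-check on a schedule or after patching.

```python
import hashlib
import os
import shutil
import tempfile

# The four binaries the post names as reachable from the logon screen.
ACCESSIBILITY_EXES = ["magnify.exe", "narrator.exe", "osk.exe", "utilman.exe"]


def sha256_file(path):
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(system32_dir, names=ACCESSIBILITY_EXES):
    """Hash each accessibility executable present in system32_dir on a known-good host."""
    baseline = {}
    for name in names:
        path = os.path.join(system32_dir, name)
        if os.path.isfile(path):
            baseline[name] = sha256_file(path)
    return baseline


def check_baseline(system32_dir, baseline):
    """Return (name, reason) for every baselined file that is missing or modified."""
    findings = []
    for name, expected in baseline.items():
        path = os.path.join(system32_dir, name)
        if not os.path.isfile(path):
            findings.append((name, "missing"))
        elif sha256_file(path) != expected:
            findings.append((name, "modified"))
    return findings


def demo():
    """Constructed scenario: fake system32 with four files, then one gets replaced."""
    fake_sys32 = tempfile.mkdtemp()
    try:
        for name in ACCESSIBILITY_EXES:
            with open(os.path.join(fake_sys32, name), "wb") as f:
                f.write(b"placeholder contents of " + name.encode())
        baseline = build_baseline(fake_sys32)
        # Simulate the swap described in the post: utilman.exe is overwritten.
        with open(os.path.join(fake_sys32, "utilman.exe"), "wb") as f:
            f.write(b"something else entirely")
        return check_baseline(fake_sys32, baseline)
    finally:
        shutil.rmtree(fake_sys32)


if __name__ == "__main__":
    print(demo())
```

A hash baseline catches the replacement but must be refreshed after every Windows update; checking the Authenticode signature of each binary (PowerShell’s `Get-AuthenticodeSignature` does this) survives legitimate updates and is the better long-term check.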

Reference:

http://www.computerperformance.co.uk/vista/vista_backdoor_logon.htm