Sublime Intervention

Background

I don’t know about the rest of you, but I’m a big fan of Sublime Text 3. Fellow users will know that every now and then when you launch Sublime Text you will probably see a popup that looks like this.

(Image: Download prompt)

For whatever reason, I finally felt like taking a look to see how this process actually works!

Teardown Time

The first thing you notice during the update process is a UAC prompt. If you click on "more details" you should see something similar to the screenshot below.

(Image: UAC prompt)

We can actually learn a lot about the update process just from this UAC screen. It looks like the last argument is the path to the downloaded update package. We can see that it fetches the standard Sublime Text install package and stores it at C:\Users\$USER\AppData\Local\Sublime Text 3\Update.

(Image: Update folder)

From that same UAC prompt we can infer that the destination of the install program will be C:\Program Files\Sublime Text 3, which is the default install location of Sublime Text 3. So it looks like this Sublime Text Update Installer.exe is responsible for copying the contents of the newly downloaded package into the user's install location. The next question is whether we can put any files we want into this Update folder ahead of time and let Sublime move them for us when the user clicks update. I tried a couple of methods and ran into a big issue.

Sublime clears and re-downloads the Update folder every time you initiate an update (your file will get removed!)

The workaround is to set the Read-Only file attribute on the preloaded file. That way Sublime won't be able to modify it: when Sublime goes to clear the Update folder before downloading the update package, it cannot remove a Read-Only file. This leaves our file in the Update folder alongside all the files that are meant to be there.

(Image: Prepped file, Test 1)

Sublime installed our file! (Image: Test 2)

Putting it all together

So now we are able to get a file copied into the Sublime installation folder. But how can we take this further? What if we were able to overwrite a file that Sublime is looking for and make it load ours instead? Time to load up Process Monitor and see what files Sublime is looking for on boot.

(Image: CreateFile events in Process Monitor)

Bingo! It looks like Sublime is looking for a dwrite.dll file. Lucky for us, we have the ability to place a file in the Sublime directory. So we will just create a small dwrite.dll with some stub code to launch a popup. We don't know exactly which function is called, so we will just place it in a couple of spots for now (you can figure this out so you don't have to guess). The right way to do this is to determine exactly which exported functions are called by the sublime.exe binary. For this iteration, the payload was just placed in some of the exported symbols as a PoC. In a realistic scenario, you should know exactly which function you want to modify and when it is called. For now we just put our malicious DLL with the scattered payload in the Update folder and click install. This technique is nicely documented by our friends at MITRE: https://attack.mitre.org/techniques/T1574/001/.

Making it read-only (Image: Bad Step 1)

After clicking install (Image: Bad Step 2)

Success! (Image: Demo)

Sublime automatically restarts itself after an update, so our payload executes immediately. It also executes on every subsequent Sublime launch, not just the first launch after the update.
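The two conditions this post relies on, a Read-Only file that survives the Update folder cleanup and a DLL in the install folder that shares its name with a system DLL, are both easy to audit from the defender's side. The script below is an added example, not code from the original post or from Sublime HQ. It assumes the default paths named above (the Update folder under %LOCALAPPDATA%, C:\Program Files\Sublime Text 3, and C:\Windows\System32 as the system DLL folder), and run_demo() builds a constructed directory tree with made-up file names and contents so the checks can be exercised on any platform.

```python
import hashlib
import os
import stat
import tempfile

# Default locations named in the post (assumed); only main() touches them.
UPDATE_DIR = os.path.expandvars(r"%LOCALAPPDATA%\Sublime Text 3\Update")
INSTALL_DIR = r"C:\Program Files\Sublime Text 3"
SYSTEM_DIR = r"C:\Windows\System32"


def is_read_only(path):
    """True if the file carries the Windows Read-Only attribute (or, on POSIX
    where this demo also runs, has no owner-write bit)."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:  # Windows: the attribute the post relies on
        return bool(attrs & stat.FILE_ATTRIBUTE_READONLY)
    return not (stat.S_IMODE(st.st_mode) & stat.S_IWUSR)


def find_readonly_preloads(update_dir):
    """Files in the Update folder that the updater's cleanup cannot remove.
    A downloaded package never needs to be Read-Only, so any hit is suspect."""
    return sorted(
        name for name in os.listdir(update_dir)
        if os.path.isfile(os.path.join(update_dir, name))
        and is_read_only(os.path.join(update_dir, name))
    )


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_shadowed_dlls(app_dir, system_dir):
    """DLLs in the application folder whose name matches a system DLL but whose
    content differs: the shape of a search-order hijack (MITRE T1574.001).
    Returns {lower-cased name: (app_sha256, system_sha256)}."""
    system_dlls = {
        name.lower(): os.path.join(system_dir, name)
        for name in os.listdir(system_dir) if name.lower().endswith(".dll")
    }
    shadowed = {}
    for name in os.listdir(app_dir):
        key = name.lower()
        if not key.endswith(".dll") or key not in system_dlls:
            continue
        app_hash = sha256_file(os.path.join(app_dir, name))
        sys_hash = sha256_file(system_dlls[key])
        if app_hash != sys_hash:
            shadowed[key] = (app_hash, sys_hash)
    return shadowed


def _write(path, data, read_only=False):
    with open(path, "wb") as f:
        f.write(data)
    if read_only:  # 0o444 sets FILE_ATTRIBUTE_READONLY on Windows, clears write bits on POSIX
        os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)


def run_demo():
    """Constructed stand-in for the three folders: one planted Read-Only file
    in Update and one DLL shadowing a system DLL. Every name and content here
    is made up for the demo."""
    root = tempfile.mkdtemp(prefix="sublime-audit-")
    update, app, system = (os.path.join(root, d) for d in ("Update", "App", "System32"))
    for d in (update, app, system):
        os.mkdir(d)
    _write(os.path.join(update, "Sublime Text Setup.exe"), b"normal download")  # writable
    _write(os.path.join(update, "dwrite.dll"), b"planted", read_only=True)       # survives cleanup
    _write(os.path.join(system, "dwrite.dll"), b"system copy")
    _write(os.path.join(system, "shared.dll"), b"identical")
    _write(os.path.join(app, "dwrite.dll"), b"planted")    # same name, different content
    _write(os.path.join(app, "shared.dll"), b"identical")  # same name, same content: fine
    _write(os.path.join(app, "app_only.dll"), b"vendor")   # no system twin: not a shadow
    return {
        "readonly_preloads": find_readonly_preloads(update),
        "shadowed_dlls": sorted(find_shadowed_dlls(app, system)),
    }


if __name__ == "__main__":
    print("demo:", run_demo())
    if os.path.isdir(UPDATE_DIR):
        print("read-only files in Update:", find_readonly_preloads(UPDATE_DIR))
    if os.path.isdir(INSTALL_DIR) and os.path.isdir(SYSTEM_DIR):
        print("shadowed DLLs in install dir:", find_shadowed_dlls(INSTALL_DIR, SYSTEM_DIR))
```

The shadow check deliberately flags only a name collision with differing content: vendors do ship their own copies of some system DLLs, so a byte-identical copy is uninteresting, while a same-named file with a different hash in a folder the updater writes to is exactly what the post demonstrates and deserves a signature check.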

What’s Left?

  • There's actually more that goes into the update process (making folders, subprocesses, runas, etc.) and another binary named update_installer.exe that Sublime uses, but I just wanted to focus on the DLL aspect in this post.

Thanks

https://www.archcloudlabs.com/ - for the inspiration to look into my text editor