 | |
 Screenshot of IExpress in Windows 10 | |
| Developer(s) | Microsoft |
|---|---|
| Operating system | Windows NT |
| Type | Self-contained installation packages maker |
IExpress, a component of Windows 2000 and later versions of the operating system, is used to create self-extracting packages from a set of files. Such packages can be used to install software.
IExpress (IEXPRESS.EXE) can be used for distributing self-contained installation packages (INF-based setup executables) to multiple local or remote Windows computers. It creates a self-extracting executable (.EXE) or a compressed Cabinet (.CAB) file using either the provided front end interface (IExpress Wizard), or a custom Self Extraction Directive (SED) file. [1] SED files can be modified with any plain text/ASCII editor, like Notepad. All self-extracting files created by IExpress use CAB compression algorithms, are compressed using the Cabinet Maker ( MAKECAB.EXE ) tool, [2] and are extracted using the WExtract ( WEXTRACT.EXE ) tool.
IEXPRESS.EXE is located in the SYSTEM32 folder of both 32 and 64-bit installations of Windows. The front end interface (IExpress Wizard) can be started by manually navigating to the respective directory and opening the executable (IExpress.exe), or by typing IExpress into the Run window of the Start Menu. It can also be used from the command line (Windows Command Prompt or batch file) to create custom installation packages, eventually unattended. (automated operation):
IEXPRESS /N drive_letter:\directory_name\file_name.SED
IExpress Wizard interface guides the user through the process of creating a self-extracting package. It asks what the package should do: extract files and then run a program, or just extract files. It then allows the user to specify a title for the package, add a confirmation prompt, add a license agreement that the end-user must accept in order to allow extraction, select files to be archived, set display options for the progress window, and finally, specify a message to display upon completion.
If the option to create an archive and run a program is selected, then there will be an additional step, prompting the user to select the program that will be run upon extraction.
The self-extracting packages created with IExpress have (inherent) vulnerabilities which allow arbitrary code execution because of the way they handle their installation command and their command line processing. [3] [4] Additionally, because of the way Windows User Account Control handles installers, these vulnerabilities allow a privilege escalation. [5] [6]
More specifically, the vulnerability comes in two versions: the most obvious one is that a /c: switch tells the package to run an arbitrary command in the extracted directory; [6] the other is that the directory is predictable and writable by any ordinary user, so that the usual msiexec.exe command can be replaced by an attack payload. [5] The latter has been fixed by Microsoft in MS14-049, but the former is only addressed by a policy to deprecate IExpress. [6] There is also a DLL hijacking exploit possible with IExpress. [7]
Cabinet is an archive-file format for Microsoft Windows that supports lossless data compression and embedded digital certificates used for maintaining archive integrity. Cabinet files have .cab filename extensions and are recognized by their first four bytes MSCF. Cabinet files were known originally as Diamond files.
7-Zip is a free and open-source file archiver, a utility used to place groups of files within compressed containers known as "archives". It is developed by Igor Pavlov and was first released in 1999. 7-Zip has its own archive format called 7z, but can read and write several others.
Windows Management Instrumentation (WMI) consists of a set of extensions to the Windows Driver Model that provides an operating system interface through which instrumented components provide information and notification. WMI is Microsoft's implementation of the Web-Based Enterprise Management (WBEM) and Common Information Model (CIM) standards from the Distributed Management Task Force (DMTF).
Installation of a computer program, is the act of making the program ready for execution. Installation refers to the particular configuration of software or hardware with a view to making it usable with the computer. A soft or digital copy of the piece of software (program) is needed to install it. There are different processes of installing a piece of software (program). Because the process varies for each program and each computer, programs often come with an installer, a specialised program responsible for doing whatever is needed for the installation. Installation may be part of a larger software deployment process.
Program Manager is the shell of Windows 3.x and Windows NT 3.x operating systems. This shell exposed a task-oriented graphical user interface (GUI), consisting of icons arranged into program groups. It replaced MS-DOS Executive, a file manager, as the default Windows shell.
The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager, and user interfaces can all use the registry. The registry also allows access to counters for profiling system performance.
AutoRun and the companion feature AutoPlay are components of the Microsoft Windows operating system that dictate what actions the system takes when a drive is mounted.
An autorun.inf file is a text file that can be used by the AutoRun and AutoPlay components of Microsoft Windows operating systems. For the file to be discovered and used by these component, it must be located in the root directory of a volume. As Windows has a case-insensitive view of filenames, the autorun.inf file can be stored as AutoRun.inf or Autorun.INF or any other case combination.
Windows Preinstallation Environment is a lightweight version of Windows used for the deployment of PCs, workstations, and servers, or troubleshooting an operating system while it is offline. It is intended to replace MS-DOS boot disks and can be booted via USB flash drive, PXE, iPXE, CD, DVD, or hard disk. Traditionally used by large corporations and OEMs, it is now widely available free of charge via Windows Assessment and Deployment Kit (WADK).
A dynamic-link library (DLL) is a shared library in the Microsoft Windows or OS/2 operating system.
File Manager is a file manager program bundled with releases of OS/2 and Microsoft Windows between 1988 and 2000. It is a single-instance graphical interface, replacing the command-line interface of MS-DOS to manage files and MS-DOS Executive file manager from previous Windows versions.
In computing, SUBST is a command on the DOS, IBM OS/2, Microsoft Windows and ReactOS operating systems used for substituting paths on physical and logical drives as virtual drives.
Bifrost is a backdoor trojan horse family of more than 10 variants which can infect Windows 95 through Windows 10. Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker, who uses the client, to execute arbitrary code on the compromised machine.
User Account Control (UAC) is a mandatory access control enforcement feature introduced with Microsoft's Windows Vista and Windows Server 2008 operating systems, with a more relaxed version also present in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows 11. It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorises an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges and malware are kept from compromising the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not inherit those privileges unless they are approved beforehand or the user explicitly authorises it.
In Windows NT operating systems, a Windows service is a computer program that operates in the background. It is similar in concept to a Unix daemon. A Windows service must conform to the interface rules and protocols of the Service Control Manager, the component responsible for managing Windows services. It is the Services and Controller app, services.exe, that launches all the services and manages their actions, such as start, end, etc.
A self-extracting archive is a computer executable program which combines compressed data in an archive file with machine-executable code to extract the information. Running on a compatible operating system, it does not need a suitable extractor in the target computer to extract the data. The executable part of the file is known as a decompressor stub.
INF file is INI plain-text file used by Microsoft Windows-based operating systems for the installation of software and drivers. INF files are most commonly used for installing device drivers for hardware components. Windows includes the IExpress tool for the creation of INF-based installations. INF files form part of the Windows Setup API and of its successor, Windows Installer.
Windows Vista contains a range of new technologies and features that are intended to help network administrators and power users better manage their systems. Notable changes include a complete replacement of both the Windows Setup and the Windows startup processes, completely rewritten deployment mechanisms, new diagnostic and health monitoring tools such as random access memory diagnostic program, support for per-application Remote Desktop sessions, a completely new Task Scheduler, and a range of new Group Policy settings covering many of the features new to Windows Vista. Subsystem for UNIX Applications, which provides a POSIX-compatible environment is also introduced.
Task Scheduler is a job scheduler in Microsoft Windows that launches computer programs or scripts at pre-defined times or after specified time intervals. Microsoft introduced this component in the Microsoft Plus! for Windows 95 as System Agent. Its core component is an eponymous Windows service. The Windows Task Scheduler infrastructure is the basis for the Windows PowerShell scheduled jobs feature introduced with PowerShell v3.
A batch file is a script file in DOS, OS/2 and Microsoft Windows. It consists of a series of commands to be executed by the command-line interpreter, stored in a plain text file. A batch file may contain any command the interpreter accepts interactively and use constructs that enable conditional branching and looping within the batch file, such as IF, FOR, and GOTO labels. The term "batch" is from batch processing, meaning "non-interactive execution", though a batch file might not process a batch of multiple data.
